Data Management

Question 1

what are the GDPR consumer rights

Answer 1

I - Inform

A - Access
C – Consent
C - Correction
E – Erasure
P – Data Portability
ACCEP
(Accep your rights)
~~~

Question 2

what regulation governs laws on data protection and privacy

Answer 2

UK General data protection regulation 2020

Question 3

Article 5 of GDPR requires that personal data should be what? Name at least 3

Answer 3

• Processed lawfully, fairly in a transparent manner (PLT)
• Adequate, relevant, and limited to what is necessary
• Collected for specified explicit and legitimate purposes
• Kept in a form that permits identification of data for no longer than is necessary
• Accurate and kept up to date, where necessary
• Processed in a manner that ensures appropriate security of personal data.

PACKAP

Question 4

What is the maximum GDPR fine set by UK GDPR and DPA 2018

Answer 4

17.5 Million or 4% of annual global turnover (whichever is highest).

Question 5

Data offences can be punished by what? Name two (excluding fines).

Answer 5

• Warnings
• Temporary or permanent ban on data processing
• Restriction or erasure of data
• Suspend data transfers to third party countries.

Question 6

what is DPA 2018?

Answer 6

Data Protection Act 2018

• UK’s implementation of GDPR
• Replaced the DPA 1998

Question 7

Are you aware of the Freedom of Information Act 2000?

Answer 7

Yes it provides the public access to information held by public authorities.

Question 8

how do FOI Act 2000 requests work?

Answer 8

• Must be in writing

- Information must not be exempt e.g. personal data or national security

Question 9

What security measures can you use to protect data? Name at least 3

Answer 9

• Password protection
• Security markings
• Physically locking storage units
• Encryption firewalls
• Two factor authentication

Question 10

what best practices would you encourage in terms of managing data? Give at least 3

Answer 10

• Cross reference computer with hard copy
• Back up IT systems
• Write once, read many times
• Keep an audit trail
• Ensure electronic signature cannot be altered. (send PDF’s not word)

Question 11

you refer to a valuation of Part 1 claims in Aylesford, how did you use the data collected to advise the senior management of your view?

Answer 11

After combinign evidence from multiple sources, I made a spreasheet to illustrated changes in value using colour coding and indexing this allowed me to advise my senior colleague of what data was most useful, I further advised of how the data should be used and stored.

Question 12

tell me what you know about GDPR

Answer 12

General Data Protection Regulation

Following Brexit there is now a UK version called UK GDPR 2020
Set out the main responsibilities for organisations using, storing and handling personal data.

Article 5 sets out the consumer rights which includes the right to be informed, right to access, right to erase, right to correct and right to withdraw consent.

Applies to the VOA – right to correct is something we actively do in the Check stage of CCA and in Form of return where personal data is explicitly collected.

Question 13

How does Freedom of information work and how can it be used?

Answer 13

Individual can request information held by public bodies such as minutes from a board meeting

Request must be made in writing

Public body must supply in 20 working days and can charge for this service
Information must not be exempt e.g. personal data or national security.

Question 14

what is the latest change in data protection regulation?

Answer 14

DPA act
2020 GDPR
The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023

Question 15

How does GDPR affect your firm?

Answer 15

right to collect is something we actively do in the Check stage of CCA and in Form of return where personal data is explicitly collected.

FOR data not disclosed outside of agency

Question 16

what is the definition of personal data?

Answer 16

Personal data are any information which are related to an identified or identifiable person.

Question 17

what is encryption/firewalls/blockchain?

Answer 17

Encryption is a means of securing data by encoding it mathematically such that it can only be read, or decrypted, by those with the correct key or cipher.

A firewall is a network security device that monitors traffic to or from your network. It allows or blocks traffic based on a defined set of security rules.

A blockchain is a digitally distributed, decentralized, public ledger that exists across a network.

Question 18

describe a time you have used and managed data to communicate some complex, reasoned advice?

Answer 18

part 1s - range of sources in spreadsheet, used indexing and colour coding to indicate each sales usefulness, advised that due to data being based on two specific dates it need not be stored for any longer than necessary

Question 19

give me an example of how you process and handle confidential information

Answer 19

IHT case:

• Don’t print what I don’t need to
• Ensure appropriate saving with correct name conventions
• Don’t leave computer unlocked and unattended

Question 20

tell me about how you extract data from a source regularly used in your role

Answer 20

Internal database – CDB for rental information
Set parameters for data to refine prior to download
Use filters on excel to refine the data to what I need

Question 21

what is an electronic document management system (EDMS)?

Answer 21

software package designed to manage electronic information and records within an organisation’s workflow.

Using various technologies, an EDMS allows a user to manage the creation, storage, and control of records while allowing other to access and edit documents.

Question 22

What type of documents can electronic signatures be used for?

Answer 22

Electronic signatures can be used to replace handwritten signatures in virtually every personal or business process. Examples include contracts, application forms and nondisclosure agreements

Question 23

Give me an example of how you ensure that data is kept securely.

Answer 23

Permission levels on edrm, restricts who can access the data, preventing conflict of interest in terms of accessing information. E.g someone in rating accessing plans and data collected for a different purpose.

Back up work / systems where necessary

When saving data within Electronic data recording system I ensure it is appropriately labelled as Official-sensitive information. To show others that care must be taken.

Question 24

how do you validate information

Answer 24

Cross check with another source
Call to get further information / confirm details
Adopt a common sense approach

Question 25

what are the strengths and limitations of primary/secondary data sources

Answer 25

Primary

Pro’s:
Specific to the needs
Greater control (type of data, design, method)
More up to date
May be more accurate

Cons:
Expensive (may make it more difficult)
Time consuming

Secondary

Pro’s:
Easily accessible
Affordable
Less time consuming

Cons:
May lack reliability
May be outdated
May have to deal with irrelevant data before finding suitable data

Question 26

Have you shared rental evidence with an agent for rating purposes, do you have permission to share that information?

Answer 26

Yes - The Valuation Office Agency (VOA), as an executive agency of HMRC, is subject to the Commissioners for Revenue and Customs Act 2005 (CRCA) which covers: the confidentiality of information held by the VOA and when it is lawful to disclose that information.

The VOA is not permitted to disclose information except in certain limited circumstances, including, for the purposes of its functions, where there is a legislative gateway or with customer consent.

Sections 18 (2) and (3) of the Commissioners for Revenue and Customs Act (CRCA) 2005 allows sharing of data / information as long as it is reasonable and proportionate to do so.

The Billing Authority will treat all information supplied by the VOA as confidential even if the Information sharing agreement is terminated.

Question 27

How did you store the data collected for the SDLT’s?

Answer 27

Like rental data, the data can be imputted within our CDB, this includes values, comments, links and indicators. This is password protected with further restrictions on access based on your log-in.

Question 28

How do you ensure data is kept secure?

Answer 28

Main two points:
Keep it safe from corruption
Control access to data

I do this by:
Password protection
Not leaving computer or files unattended
Access restriction on EDRM
Computer system with regular back ups, encryption and anti-virus software

Question 29

Can other colleagues access information you are working on?

Answer 29

No if they are in a different team e.g. DVS then they will not be able to access information stored for rating purposes.

Question 30

Could conflicts arise from colleagues having access to certain information?

Answer 30

Yes it could occur if doing a DVS asset valuation and a rating colleague has access to this information. Could disadvantage the client as a result of accessing this data which was not requested for that purpose. Could go against GDPR, however CRCA act may justify it?

Question 31

Freedom of information act 2000 exemptions

Answer 31

Personal data
National security

Information held by the VOA for its functions that either directly identifies a person or enables their identity to be deduced from it, is exempt from disclosure under s44 of the
FoIA as it is prohibited by s23 of CRCA

Question 32

Tell me more about the data protection act 2018

Answer 32

The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
used fairly, lawfully and transparently
used for specified, explicit purposes
used in a way that is adequate, relevant and limited to only what is necessary accurate and, where necessary, kept up to date
kept for no longer than is necessary
handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:

be informed about how your data is being used
access personal data
have incorrect data updated
have data erased
stop or restrict the processing of your data
data portability (allowing you to get and reuse your data for different services)
object to how your data is processed in certain circumstances

Question 33

What regulation covers sharing data?

Answer 33

Commissioners for Revenue and Customs Act 2005

CRCA ACT

Question 34

benefits of cloud based systems

Answer 34

• information is backed up by encrypted servers
• accessibility can be manged via online settings
• cheaper than physically storing and managing files
• more convenient to send and share files online instead of mailing physical copies
• cloud systems are environmentally friendly
• multiple users can access the same document and work on it at the same time.

Question 35

meaning of a non disclosure agreement

Answer 35

Used to protect against the disclosure or sharing of any confidential data.

Prior to the information being shared, clients will typically request that the recipient signs up to an NDA.

Often used to prevent confidential or sensitive property information being used or talked about by competitors.

Question 36

if two departments within your firm were working for two rival companies how would you ensure client sensitive data was managed?

Answer 36

Make client aware of risks
Conflict of interest protocol
Informed consent
Keep staff exclusively in one team
NDA’s
Separate working locations
Use secure document systems with access restrictions

Question 37

who are the key persons outlined within GDPR?

Answer 37

Controller – person that determines the purpose and means of processing personal data e.g. the employer.

Processor – person that processes personal data on behalf of the controller e.g., call centres acting on behalf of its client.

Data Protection Officer – leadership role required by EU GDPR. Responsible for overseeing the data protection approach strategy and implementation.

Question 38

what should companies put into place to ensure GDPR compliance?

Answer 38

• Raise awareness across the business
• Audit personal data
• Review procedures supporting individual rights
• Identify and document the legal basis for processing personal data under GDPR
• Train staff and give them the information

Question 39

What personal and confidential information does the VO hold?

Answer 39

Personal data relating to VOA employees
Emails containing sensitive or confidential information
Customer correspondence received in confidence
Customer records
Property information
Contractual information relating to past, present or potential future companies

Question 40

define what disclosure means?

Answer 40

The sharing of information with others
Before sharing information you must be sure you have the right to disclose it and the person requestion it has the right to receive it.

Question 41

what does CRCA set the VO’s functions as?

Answer 41

Producing rating lists
Council tax valuation lists
Valuation of property

Question 42

what two ways does the freedom of information act provide the public with access to information held by public authorities?

Answer 42

Public authorities are obliged to publish certain information about their activities.

Members of the public are entitled to request information from public authorities.

Question 43

when would you disclose information about taxpayers (or their properties) or our customers to third parties?

Answer 43

In line with CRCA Act 2005:

• If essential for one of our functions
• In line with legislation or statutory gateway under LGFA
• With consent of the taxpayer, customer or client
• For civil proceedings such as valuation tribunal hearings

For example, the law allows us to disclose rental information when dealing with a rating challenge. The law also then allows an appellant to request additional rental information proportionate to the rental information we disclose.

Question 44

How would you deal with someone requesting to access their own personal information?

Answer 44

There is a deadline of one month to respond to a request. I would forward any request where a requester asks for their own information to the SAR inbox immediately by emailing.

if the request is part of an outstanding case, I would consider if it can be dealt with more appropriately as business as usual under CRCA.

This is known as a Subject Access Request.

A verbal request for property information cannot always be answered verbally. We may require verification of the person’s link to the property before deciding whether we can disclose information.

Question 45

How would you deal with a freedom of information request?

Answer 45

Check the request is made in writing (email/letter)
Check it includes the requester’s name and address and clearly describe the information wanted.
Forward request to FOI inbox team

Question 46

Is there any legislation thats specific to your work?

Answer 46

The VOA is subject to the Commissioners for Revenue and Customs Act 2005 (CRCA) which covers: the confidentiality of information held by the VOA and when it is lawful to disclose that information.

Question 46

Key difference between GDPR and DPA 2018?

Answer 46

GDPR looks to regulate personal data whereas DPA 2018 goes further and regulates non-personal data

Question 47

What can you do to protect against a Data Breach?

Answer 47

• VPN
• password updating
• 2 factor auth
• antivirus software

Question 48

What is your firms data management strategy?

Answer 48

we have 4 pillars
1. Data Foundations
2. Data Skills
3. Data Availability
4. Data Responsibility

FRAS

Question 49

How to deal with a data breach?

Answer 49

Flag within 48 hours to line manager will then go to ICO
if high risk contact subject of Data breach

then later i would review my involvment, ensure i adhered to data protection policys and RICS ROC

Question 50

What advice did you give in relation to the Rental Analysis conducted?

Answer 50

Once I had collated and analysed rental data i have advised senior management on the management of such data. For example in what circumstances the rental data can be disclosed in order to comply with the CRCA 2005.

Question 51

What advice did you give when analysing SDLT’s.

Answer 51

i advised on the potential use of transactions based on a verification of land type and development potential conducted using internal data along with local authority planning websites.

Question 52

Outline the advice you gave?

Answer 52

SDLT - verification and use
Part 1s - quality of data sources
Rental Analysis - disclosure

Question 53

Types of data?

Answer 53

Qualitative - things
Qauntitative - numbers

Question 54

What is the VOA Data Protection Policy?

Answer 54

It aims to follow the data protection principles
- lawfulness
- fairness
- transparency
- purpose limitation
- data limitation
- accuracy
- storage limitation
- integrity and confidentiality

DAT FLIPS

Question 55

What roles does your firm have to govern Information?

Answer 55

Accounting officer
info asset owner
info asset manager
Data support officer

Question 56

Key principles set out in the CRCA (2005)

Answer 56

reasonable
necessary
proportionate

Question 57

Which parts of the CRCA (2005) relate to your firm?

Answer 57

VOA - section 10
disclosure- section 18
Criminal Offences - section 19

Question 58

Can you name the 4 types of personal data?

Answer 58

people personal - O
property personal - O
sensitive personal - OS
special CAT - OS

Question 59

Why might a FOI request be refused?

Answer 59

• criminal matter under investigation
• too costly or timely
• to cause annoyance
• repeat request
• against GDPR

Question 60

Max fine for data breach?

Answer 60

17.5mil pounds or 4% turnover

Question 61

How would you dispose of sensitive documentation?

Answer 61

ICO advice based on DPA 2018 - shred physical documents after retention period set out in privacy policy

For digital documents
- deleted from all devices and softwares
- recycle bin
- back-ups
- sent/recieved emails

Question 62

What measures does your firm take to meet DPA and UK GDPR

Answer 62

• Data Protection Officer
• policies
• written contracts on how data will be managed
• security measures
• up to date records
• training