Data Management Flashcards
What are the GDPR consumer (data subject) rights?
A - Access
C - Consent (and the right to withdraw it)
C - Correction (rectification)
E - Erasure
P - Data Portability
ACCEP
(Accep your rights)
The five above are the memory aid; UK GDPR also gives the right to be informed, the right to restrict processing, the right to object, and rights relating to automated decision-making and profiling.
What regulation governs laws on data protection and privacy in the UK?
The UK General Data Protection Regulation (UK GDPR), in force since 1 January 2021, together with the Data Protection Act 2018.
Article 5 of GDPR requires that personal data should be what? Name at least 3.
Processed lawfully, fairly and in a transparent manner (PLT)
Adequate, relevant and limited to what is necessary
Collected for specified, explicit and legitimate purposes
Kept in a form that permits identification of data subjects for no longer than is necessary
Accurate and, where necessary, kept up to date
Processed in a manner that ensures appropriate security of the personal data
PACKAP
What is the maximum GDPR fine set by UK GDPR and DPA 2018?
£17.5 million or 4% of annual global turnover, whichever is higher.
Data offences can be punished by what? Name two (excluding fines).
Warnings and reprimands
Temporary or permanent ban on data processing
Restriction or erasure of data
Suspension of data transfers to third countries
what is DPA 2018?
Data Protection Act 2018
UK’s implementation of GDPR
Are you aware of the Freedom of Information Act 2000?
Yes, it provides the public with a right of access to information held by public authorities.
How do FOI Act 2000 requests work?
They must be made in writing (letter or email), give the requester's name and an address for correspondence, and describe the information wanted.
What security measures can you use to protect data?
Password protection
Security markings (protective marking / classification)
Physically locking storage units
Encryption
Firewalls
Two-factor authentication
What best practices would you encourage in terms of managing data?
Cross-reference computer records with hard copies
Back up IT systems
Write once, read many times (WORM storage for records that must not be changed)
Keep an audit trail
Ensure electronic signatures cannot be altered: send PDFs rather than Word documents, and note that only a digitally signed PDF actually proves the document has not been changed; an unsigned PDF can still be edited.
Tell me what you know about GDPR.
General Data Protection Regulation.
Article 5 sets out the data protection principles; the individual rights are set out in Chapter III (Articles 12 to 22) and include the right to be informed, the right of access, the right to erasure, the right to rectification (correction) and the right to withdraw consent.
Applies to the VOA: the right to correct is something we actively do in the Check stage of CCA and in the Form of Return, where personal data is explicitly collected.
What is the definition of personal data?
Personal data is any information relating to an identified or identifiable living individual.
What is encryption / a firewall / a blockchain?
Encryption is a means of securing data by transforming it mathematically (using a cipher) so that it can only be read, or decrypted, by someone holding the correct key. Modern schemes also detect tampering, so a wrong key or an altered message is rejected rather than producing garbage.
A firewall is a network security device that monitors traffic to or from your network. It allows or blocks traffic based on a defined set of security rules.
A blockchain is a digitally distributed, decentralised ledger that exists across a network of computers; public blockchains are readable by anyone, but private (permissioned) blockchains also exist.
Tell me about how you extract data from a source regularly used in your role.
Internal database (CDB) for rental information.
Set parameters for the data to refine it prior to download.
Use filters in Excel to refine the data to what I need.
What is an electronic document management system (EDMS)?
A software package designed to manage electronic information and records within an organisation's workflow.
Give me an example of how you ensure that data is kept securely.
Permission levels, back-up systems, sensitivity tags.
How do you validate information?
Cross-check with another source
Call to get further information / confirm details
Adopt a common-sense approach
What are the pros/cons of primary data sources?
Pros
Greater control (type of data, design, method)
May be more accurate
Cons
Expensive
Time consuming
What are the pros/cons of secondary data sources?
Pros
Easily accessible
Affordable
Cons
May lack reliability
May be outdated
You shared rental evidence with an agent for rating purposes. Did you have permission to share that information?
Yes. The Valuation Office Agency (VOA), as an executive agency of HMRC, is subject to the Commissioners for Revenue and Customs Act 2005 (CRCA), which permits disclosure where it is essential to one of the VOA's functions.
Can other colleagues access information you are working on?
No. If they are in a different team (e.g. DVS) they will not be able to access information stored for rating purposes.
Freedom of Information Act 2000 exemptions
Personal data
National security
Tell me more about the Data Protection Act 2018.
The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.
What regulation covers sharing data?
Commissioners for Revenue and Customs Act 2005 (CRCA)
Benefits of cloud-based systems
Information is backed up on the provider's servers and (depending on the service) encrypted at rest
Access can be managed via online permission settings
Cheaper than physically storing and managing files
More convenient to send and share files online instead of mailing physical copies
Meaning of a non-disclosure agreement
A contract used to protect against the disclosure or sharing of confidential information.
Who are the key persons outlined within GDPR?
Controller: the person or organisation that determines the purposes and means of processing personal data, e.g. the employer.
Processor: the person or organisation that processes personal data on behalf of the controller, e.g. a call centre acting for its client.
Data Protection Officer: a senior role that GDPR requires for public authorities (such as the VOA) and for organisations whose core activities involve large-scale monitoring or large-scale processing of special category data. Responsible for overseeing the data protection strategy and its implementation.
What should companies put into place to ensure GDPR compliance?
Raise awareness across the business
Audit personal data
Review procedures supporting individual rights
Identify and document the legal basis for processing personal data under GDPR
Train staff and give them the information
What personal and confidential information does the VO hold?
Personal data relating to VOA employees
Emails containing sensitive or confidential information
Customer correspondence received in confidence
Customer records
Property information
Contractual information
Define what disclosure means.
The sharing of information with others.
What does CRCA set the VOA's functions as?
Producing rating lists
Council tax valuation lists
Valuation of property
What two ways does the Freedom of Information Act provide the public with access to information held by public authorities?
Public authorities are obliged to publish certain information about their activities.
Members of the public are entitled to request information from public authorities.
When would you disclose information about taxpayers (or their properties) or our customers to third parties?
In line with CRCA 2005:
If essential for one of our functions
In line with legislation or a statutory gateway under the Local Government Finance Act (LGFA)
With the consent of the taxpayer, customer or client
For civil proceedings such as valuation tribunal hearings
How would you deal with someone requesting access to their own personal information?
There is a deadline of one month to respond to a subject access request (SAR). I would forward any request where a requester asks for their own information to the SAR inbox immediately by email.
If the request is part of an outstanding case, I would consider whether it can be dealt with more appropriately as business as usual under CRCA.
How would you deal with a freedom of information request?
Check the request is made in writing (email/letter)
Check it includes the requester's name and address and clearly describes the information wanted.
Forward request to FOI inbox team
How do you store data?
When gathering data for any reason I always ensure it is placed within the VOA's secure drives. Case documents go in restricted drives that only certain staff can reach.
Why did you use external sources for the house in Newport?
This was to verify the information held on the VOA database to ensure correct information was being used.
How did you restrict the files for the house in Newport?
I ensured the files set up had permissions set for only the people working on the project.
What advice did you provide for the land in Worcestershire?
This was an analysis of a land sale in the county. Following this I saved the data in secured files in a database showing its price per acre and what the use was. I advised a senior surveyor of this so that they could use the information in future when valuing land.
Where was the data stored?
Two secured VOA drives. One so that the valuer can download the sale alongside others when needed and another database I created to describe what the land was for.
What advice did you provide for the land in Herefordshire?
I advised my supervisor of the database I created for them to use in a development appraisal; this included house sales and land sales. I input this data into a simple but effective database so they could easily see comparables and work out the GDV of the site.
What are the seven principles of GDPR?
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
What is a data controller?
determines the purposes and means of processing personal data
What is a data processor?
processes personal data only on behalf of the controller
What is discrete data?
Discrete data is information that can only take certain separate values, typically counts, such as the number of rooms in a property or the number of sales in a month.
What is continuous data?
Continuous data is data that can take any value within a range, such as height, weight, temperature or floor area.
How long do you have to report a data breach?
48 hours to report internally (VOA procedure)
72 hours from becoming aware of it to report to the Information Commissioner's Office, as a legal requirement under UK GDPR Article 33, where the breach is likely to result in a risk to individuals' rights and freedoms