Data Management Flashcards

1
Q

What data security technologies are there?

A
  1. Disk encryption
  2. Regular off-site backups
  3. Password protection and anti-virus software
  4. Firewalls and disaster recovery procedures
1
Q

What are the acts associated with Data Management?

A

UK General Data Protection Regulation (UK GDPR, derived from EU Regulation 2016/679) and the Data Protection Act 2018

2
Q

What is the purpose of the UK General Data Protection Regulation and the Data Protection Act?

A

Aims to create a single data protection regime for businesses and to empower individuals to take control of how their data is used by third parties.
Gives people the right to be informed about how their personal information is used.

3
Q

When should data security breaches be reported to the ICO?

A

Within 72 hours of becoming aware of the breach, where it involves personal data and is likely to result in a risk to individuals' rights and freedoms. Breaches unlikely to result in a risk need not be reported but must still be documented internally; where the risk is high, the affected individuals must also be told without undue delay.

4
Q

What fines can occur if security is breached?

A

Fines of up to £17.5 million or 4% of total annual worldwide turnover in the preceding financial year, whichever is greater (the higher tier, e.g. for breaching the principles or individuals' rights). A lower tier of £8.7 million or 2% applies to other infringements, such as failing to keep records or to report a breach.

5
Q

Who polices data security breaches?

A

ICO (Information Commissioner’s Office)

6
Q

What are the principles of the UK GDPR?

A

Article 5(1) sets out the principles relating to the processing of personal data. Personal data must be:
1. Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency)
2. Collected for specified, explicit and legitimate purposes (purpose limitation)
3. Adequate, relevant and limited to what is necessary for the purposes for which it is processed (data minimisation)
4. Accurate and, where necessary, kept up to date (accuracy)
5. Kept in a form that permits identification of data subjects for no longer than is necessary (storage limitation)
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality)

7
Q

What does Article 5(2) require?

A

The controller be responsible for, and able to demonstrate, compliance with the principles.

8
Q

What are the 8 individual rights under UK GDPR?

A

1. Right to be informed
2. Right of access
3. Right to rectification
4. Right to erasure
5. Right to restrict processing
6. Right to data portability
7. Right to object
8. Rights in relation to automated decision making and profiling

9
Q

What does the Freedom of Information Act 2000 give?

A

Gives any person a right of access to recorded information held by public authorities

10
Q

Under the Freedom of Information Act 2000, what must be done?

A

A public authority must tell the person requesting the information whether it holds it (the duty to confirm or deny)
Normally the authority must supply it within 20 working days, in the format requested where reasonably practicable
It may charge a fee for supplying it in limited circumstances (e.g. copying and postage), and may refuse a request where the cost of compliance would exceed the appropriate limit

11
Q

What exemptions are allowed under the Freedom of Information Act 2000?

A

Where the information is personal data and disclosure would breach data protection law (s.40)
Where disclosure would prejudice a criminal investigation or proceedings (s.30/31), or a person's commercial interests (s.43)
Information provided in confidence (s.41)

12
Q

How can the security of data be improved?

A

By using firewalls, encryption and strong passwords
Also by understanding how non-disclosure agreements work

13
Q

What does GDPR stand for?

A

General Data Protection Regulation

14
Q

Any other documentation you are aware of on Data Handling?

A

Proposed RICS Professional Statement on Data Handling and the Prevention of Cyber Crime – addresses how surveyors collect, store, and use data.

15
Q

What methods are there for securing data?

A

Digital:
* Disk encryption
* Off-site backups
* Password protection
* Anti-virus software
* Firewalls
* Two-factor authentication (a second factor on a phone or authenticator app; a code sent by email is a weaker second factor)
* Do not send work data over personal email accounts or carry it on unmanaged USB drives
Physical:
* Locked filing cabinets
* Clear desk policy

16
Q

What is copyright?

A
  • A set of exclusive rights granted to the author or creator of an original work, including the right to copy it
  • A form of intellectual property
  • Can be licensed, assigned, or transferred
  • Crown Copyright – material produced by officers or servants of the Crown in the course of their duties (e.g. government departments)
17
Q

What is an NDA?

A

A legal agreement between two (or more) parties not to share confidential material; a party that discloses the information in breach of it can be sued for the resulting damages

17
Q

When and where do data security breaches need to be reported to?

A

To the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where it is likely to result in a risk to individuals' rights and freedoms; affected individuals must also be notified without undue delay where the risk is high

18
Q

What is UK GDPR 2016?

A

The UK's version of the GDPR: the EU GDPR (Regulation 2016/679) as retained in UK law from 1 January 2021 following Brexit, read alongside the Data Protection Act 2018. Together they form a complete data protection regime for personal data, replacing the Data Protection Act 1998.

19
Q

What are the max fines of GDPR?

A

£17.5 million or 4% of total annual worldwide turnover in preceding financial year, whichever is higher

19
Q

When did UK GDPR come into effect?

A

The EU GDPR applied from 25 May 2018. The UK GDPR (the retained UK version) has applied since the end of the Brexit transition period at 11pm on 31 December 2020, i.e. from 1 January 2021.

20
Q

What legislation covers data protection in UK?

A

Data Protection Act 2018 and the UK GDPR (in force from 1 January 2021)

21
Q

Tell me what you know about GDPR?

A
  • Represents the largest change in data protection law across the EU
  • Designed to 'harmonise' data privacy laws across all of its member countries, as well as providing greater protection and rights to individuals
21
Q

What does the Data Protection Act 2018 involve?

A

The UK statute that sits alongside the (UK) GDPR, supplementing it and extending data protection to areas outside its scope (law enforcement and intelligence services processing). Together they form a complete data protection regime replacing the Data Protection Act 1998.

22
Q

What are key requirements of Data Protection Act?

A
  • An obligation to conduct a data protection impact assessment (DPIA) where processing is likely to result in a high risk to individuals
  • Rights for individuals to access the personal data held about them and to have it erased
  • The data controller decides how and why personal data is processed and is accountable for compliance; processors who handle data on its behalf also have direct obligations
23
Q

DPA 1998 vs DPA 2018?

A
  • Obligations more prescriptive and penalties are greater
  • Aims to create single data protection regime for business across EU and to empower individuals to take control of how data is used by third parties
24
Q

What is Article 5(1) of GDPR? What are the principles of GDPR?

A

Article 5(1) relates to the processing of personal data and requires it to be:
(a) – processed lawfully, fairly and transparently (lawfulness, fairness and transparency)
(b) – collected for specified, explicit and legitimate purposes (purpose limitation)
(c) – adequate, relevant and limited to what is necessary (data minimisation)
(d) – accurate and kept up to date (accuracy)
(e) – kept no longer than necessary (storage limitation)
(f) – kept secure (integrity and confidentiality)
Article 5(2) adds the accountability principle: the controller is responsible for, and must be able to demonstrate, compliance with (a) to (f).

25
Q

What are the GDPR 8 individual rights?

A

I – right to be informed
A – right of access
P – right to restrict processing
P – right to data portability
E – right to erasure
A – rights in relation to automated decision making and profiling
R – right to rectification
O – right to object

26
Q

Who is GDPR policed by?

A

Policed by the Information Commissioner's Office (ICO), which can also take alternative actions instead of, or as well as, fines, including:
1. Issuing warnings
2. Imposing a temporary or permanent ban on data processing
3. Ordering the rectification, restriction, or erasure of data
4. Suspending data transfers to third countries

27
Q

What is the Privacy and Electronic Communications Regulations (PECR) 2003?

A
  • Sits alongside the Data Protection Act and GDPR
  • Gives specific privacy rights in relation to electronic communications
  • Rules on:
    o Marketing calls, emails, texts, and faxes
    o Cookies
    o Keeping communications services secure
    o Customer privacy in regards to traffic and location data
28
Q

What is the Limitation Act 1980?

A
  • Statute that sets the time limits within which a claim may be brought (by issuing a claim form) for breaches of the law
  • Contract – 6 years from the date of breach (12 years where the contract is executed as a deed)
  • Tort (e.g. negligence) – 6 years from the date the claimant suffered the loss. For latent damage, section 14A provides an alternative period of 3 years from the date of knowledge, subject to a 15-year longstop (section 14B)
29
Q

What are automated valuation models? What are the pros and cons?

A
  • Software systems that produce valuations using mathematical modelling
  • Examples: Argus Valuation Capitalisation, Argus Developer
  • Cons: limited functionality compared with Excel
  • Pros: fewer mistakes
29
Q

What is ISO and what does it state?

A
  • 'International Organization for Standardization'
  • International standard-setting body composed of representatives from various national standards organisations
  • Promotes worldwide proprietary, industrial and commercial standards
30
Q

What is ISO 9001 and what should be done to comply with it?

A
  • International standard that specifies the requirements for a Quality Management System (QMS)
  • Records required include:
    o Calibration records for monitoring and measuring equipment
    o Records of training, skills, experience and qualifications
    o Records of the review of product/service requirements
    o Records of design and development reviews and outputs
31
Q

What is Big Data?

A
  • Term that describes large volumes of data, both structured and unstructured, that inundate a business on a day-to-day basis
  • Can be analysed for insights that lead to better decisions and strategic business moves
  • Growing emphasis on big data as we move to 'smart cities', which can identify the needs of the city
32
Q

What are Data Rooms?

A
  • Set up for property transaction, managed by lawyers / marketing team
  • Access given to the relevant parties via individually created usernames and passwords
  • Contains relevant information for pre-bid due diligence
33
Q

What are some data management software systems?

A
  • Excel – formula, sorting, email reminder
  • Outlook and word
  • Property and software systems – argus, RADAR, Datscha, Land Registry
34
Q

What data do you input and output?

A

Input: survey data, rental information, settlements
Output: rental information, settlements

34
Q

What are some examples of communication specific reasoned information?

A

Use of graphs, photos, evidence schedules, maps
To support arguments at tribunals, contribute to property market sentiment reports, advise on data storage/filing systems, advise on security (being young in the firm is an advantage, as I am more tech savvy than colleagues, having grown up with technology), and comply with clients' data security requirements

34
Q

What is best practice in data management?

A
  • Cross-reference with hard copy
  • IT system maintenance – backups
  • Protect integrity – write once, read many times (records are appended, never edited in place)
  • Information management policy, system integrity
  • Audit trail
  • Electronic signatures have legal status, provided the signed document cannot be altered without detection
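Added example (not from the original cards): a small tamper-evident, append-only audit trail in Python showing what "write once, read many", "audit trail" and "cannot be altered" mean in practice. Each entry commits to the hash of the previous entry (a hash chain) and carries an HMAC under a key held by the log writer, so editing, reordering or back-dating a record after the fact is detected at the exact entry. The key, user names and valuation records are constructed for illustration; a real deployment would keep the key in a key store rather than in source.

```python
"""Tamper-evident, append-only audit trail (added example).

Each entry = record + hash of previous entry + SHA-256 over both + HMAC.
An attacker who can edit the stored file but does not hold the MAC key
cannot alter a record without verify() flagging the entry.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first entry


def canonical(record: dict) -> bytes:
    # Canonical JSON so the same record always serialises (and hashes) identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, record: dict) -> str:
    # Chaining: the hash covers the previous entry's hash, so order matters too.
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


class AuditLog:
    def __init__(self, mac_key: bytes):
        self._key = mac_key
        self._entries: List[dict] = []

    def append(self, when: str, actor: str, action: str, obj: str) -> str:
        """Write once: entries are only ever added, never edited in place."""
        record = {"seq": len(self._entries), "when": when,
                  "actor": actor, "action": action, "object": obj}
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        h = entry_hash(prev, record)
        mac = hmac.new(self._key, h.encode(), hashlib.sha256).hexdigest()
        self._entries.append({"record": record, "prev_hash": prev, "hash": h, "mac": mac})
        return h

    def entries(self) -> List[dict]:
        """Read many: hand out deep copies so readers cannot mutate the log."""
        return [json.loads(json.dumps(e)) for e in self._entries]

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            expected_mac = hmac.new(self._key, e["hash"].encode(), hashlib.sha256).hexdigest()
            if (e["prev_hash"] != prev
                    or e["record"]["seq"] != i
                    or entry_hash(prev, e["record"]) != e["hash"]
                    or not hmac.compare_digest(expected_mac, e["mac"])):
                return False, i
            prev = e["hash"]
        return True, None


KEY = b"hypothetical-log-signing-key"  # constructed; in practice comes from a key store


def build_sample_log() -> AuditLog:
    # Constructed sample activity on one valuation file.
    log = AuditLog(KEY)
    log.append("2024-03-01T09:00:00Z", "surveyor_a", "create", "valuation/1001")
    log.append("2024-03-01T09:05:00Z", "surveyor_a", "update", "valuation/1001")
    log.append("2024-03-01T10:00:00Z", "reviewer_b", "approve", "valuation/1001")
    return log


def tamper_in_place(log: AuditLog, index: int) -> Tuple[bool, Optional[int]]:
    """Simulate an attacker with disk access editing a record but not the hashes."""
    log._entries[index]["record"]["actor"] = "someone_else"
    return log.verify()


def tamper_and_rehash(log: AuditLog, index: int) -> Tuple[bool, Optional[int]]:
    """Simulate a smarter attacker who edits a record and recomputes every hash
    from that point on; only the keyed MAC still catches it, since they lack KEY."""
    entries = log._entries
    entries[index]["record"]["actor"] = "someone_else"
    prev = entries[index]["prev_hash"]
    for e in entries[index:]:
        e["prev_hash"] = prev
        e["hash"] = entry_hash(prev, e["record"])
        prev = e["hash"]
    return log.verify()


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())
    print("edited in place:", tamper_in_place(build_sample_log(), 1))
    print("edited and rehashed:", tamper_and_rehash(build_sample_log(), 1))
```

The hash chain alone only proves that the log is internally consistent; anyone who can rewrite the whole file can recompute the chain. The HMAC ties each entry to a key the writer holds, which is why the second tamper attempt is still caught. Periodically publishing the latest hash somewhere the writer cannot change (or signing it) gives the same protection against the writer itself.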
35
Q

What are different types of data analysis?

A
  • SWOT analysis
  • Traffic light (RAG) analysis
  • Weighted analysis
  • Ranking
  • Cost benefit analysis
  • Option analysis
  • Software based or excel
36
Q

How can different data be displayed?

A
  • Graphs
  • Diagrams
  • Bar charts
  • Plotted on maps
  • Schedules
  • Tables
  • Matrices
  • Powerpoint presentations
37
Q

How does GDPR affect your firm? Compliance?

A

We are aware of where all personal data is kept. Undertake data protection impact assessments

37
Q

What is data analysis used for?

A
  • Creating shortlists
  • Creating business plans
  • Creating action plans
  • Making recommendations
  • Giving advice
  • Bringing data to life to enable decisions to be made
38
Q

What is the document cycle?

A

CCRARA (then back to C):
Compose – Capture – Review – Approve – Retrieve – Archive – Compose again, and so on

39
Q

What is the difference between a deed and a registered title?

A
  • Registered title – the Land Registry register is the conclusive record of ownership for registered land (Land Registration Act 2002)
  • Deeds – the historic documentary evidence of ownership, and still the primary proof of title for unregistered land
40
Q

How do you comply with UK GDPR when dealing with mailing lists?

A

Compliance Steps for Mailing Lists
Lawful Basis for Processing:
Identify a lawful basis for processing the personal data. For electronic marketing (email, text) PECR generally requires consent, or the 'soft opt-in' for existing customers being offered similar products or services.
Explicit Consent:
Use clear opt-in mechanisms where individuals actively agree to receive communications. Avoid pre-ticked boxes or assuming consent.
Transparency:
Provide clear information about how their data will be used, including the types of communications they will receive and their rights regarding their data.
Opt-Out Options:
Always include easy-to-use opt-out options in every communication, allowing individuals to withdraw consent at any time.
Data Accuracy:
Regularly review and update your mailing list to ensure the information is accurate and up-to-date. Remove individuals who have opted out or whose data is no longer valid.
Data Security:
Implement appropriate security measures to protect personal data from unauthorized access or breaches. This includes secure storage and encryption where necessary.
Record Keeping:
Maintain detailed records of consent, including when and how it was obtained, to demonstrate compliance if required.
Training and Awareness:
Train staff on data protection principles and the importance of GDPR compliance in handling mailing lists.
Regular Audits:
Conduct regular audits of your mailing list practices to ensure ongoing compliance with GDPR and RICS standards.

41
Q

What sorts of information can a firm reasonably retain in order to comply with other laws?

A

Types of Information to Retain

Personal Data
This includes any information that can identify an individual, such as names, addresses, and contact details. Firms must ensure they have a lawful basis for processing this data, such as consent or contractual necessity.

Client Information
Data related to clients, including contracts, correspondence, and transaction records, should be retained as necessary for fulfilling contractual obligations and for legal compliance.

Financial Records
Retaining financial data, such as invoices and payment records, is essential for tax compliance and auditing purposes. The retention period may vary based on local laws.

Health and Safety Records
If applicable, firms may need to keep records related to health and safety compliance, especially if they involve sensitive personal data.

Legal and Regulatory Compliance
Information required to comply with legal obligations, such as records of communications with regulatory bodies or documentation related to audits, should be retained.

Risk Management Data
This includes records that help in assessing and managing risks, such as insurance documents and incident reports.

42
Q

What systems does your firm have in place to ensure data security?

A
43
Q

What are your disaster recovery procedures?

A
  1. Immediately report to IT and the Data Protection Officer
  2. Assess the nature of the disaster / leak of information
  3. Contain it and prevent any further leak
  4. Notify those whose data has been leaked, without undue delay, where the breach is likely to result in a high risk to them
  5. Report to the ICO within 72 hours of becoming aware, where the breach is likely to result in a risk to individuals
  6. Perform an investigation
  7. Record what happened (breaches must be documented even when not reportable) and provide training to stop it happening again
  8. Inform insurers in case of a complaint or claim
44
Q

DSAR (Data Subject Access Request)

A

A Data Subject Access Request (DSAR) is a formal request made by an individual (the data subject) to an organisation that processes their personal data. Its purpose is for the data subject to obtain access to the personal data the organisation holds about them. Under data protection law, individuals have the right to know how their data is being collected, stored and used, and to request a copy of that data.

Comes under the 8 rights (the right of access, Article 15 UK GDPR). A DSAR must normally be answered without undue delay and within one month of receipt.