Data Management Flashcards

1
Q

What is data protection?

A

How personal data is collected, used + stored by companies, governments, authorities + services

2
Q

What is personal data?

A

Information relating to an identified or identifiable person

Includes name, address, DOB, phone number, email address, location data

3
Q

What is special category data?

A

Includes personal data about someone’s ethnic origin, political opinions, religious beliefs, health, sexual orientation

4
Q

What is non-personal data?

A

Includes surveys, company registration numbers, generic email addresses + anonymised data

5
Q

Why is data protection important?

A

To comply with legal obligations + avoid fines

To protect customers + employees from identity theft

To uphold company’s reputation

6
Q

What key legislation relates to data protection in the UK?

A

Data Protection Act 2018

7
Q

What is the Data Protection Act 2018?

A

UK law that governs how personal information is used by organisations, businesses + governments

UK’s implementation of GDPR + replaces DPA 1998

8
Q

What is the purpose of the Data Protection Act 2018?

A

Controls how personal information can be used + gives individuals the right to ask for information held about themselves

9
Q

Who does the DPA apply to?

A

Data controllers + processors

10
Q

What is the definition of a data subject?

A

Person whose data it is

11
Q

What is the definition of a data controller?

A

Company or person who decides on data’s use

12
Q

What is the definition of a data processor?

A

Whoever uses the data

13
Q

What is UK GDPR and what does it stand for?

A

UK General Data Protection Regulation

Law designed to protect people’s personal data + privacy

Sets out how governments, companies + organisations can collect, store + use personal information

14
Q

What is the purpose of UK GDPR?

A

Law that relates to processing of personal data

Sits alongside DPA 2018

15
Q

When did the UK GDPR come into effect + who regulates it?

A

2021 (post Brexit)

Information Commissioner's Office

16
Q

What Act implemented GDPR in the UK?

A

DPA 2018

17
Q

Who regulates GDPR in the UK?

A

ICO (Information Commissioner's Office)

18
Q

How have consent conditions been strengthened under UK GDPR?

A

Consent must be given in plain + clear language (best practice to give this in writing)

Ability to withdraw consent at any time

19
Q

What is a Data Protection Officer?

A

Responsible for monitoring internal compliance + obligations for data protection

Only required for entities involved in large scale processing of personal data

20
Q

What data is affected by UK GDPR + the DPA 2018?

A

Personal data
Sensitive personal data (including genetic + biometric data)
Electronic data
Manual data, e.g. business cards + written reports

21
Q

Could you provide examples of data held by surveying practices?

A

Data relating to background checks by HR

Tenant information - personal details, lease agreement, payment history

Market data - information on property values + market trends

Client data - names, contact details, bank details

Maintenance records - records of maintenance requests, completed repairs

22
Q

Who are the key persons outlined in the UK GDPR / DPA 2018?

A

Controller - decides how + why personal data is used

Processor - handles personal data on behalf of controller

Data officer - oversees data protection + ensures compliance with rules

23
Q

What does the UK GDPR say about consent?

A

Sets high standard for consent
Consent must not be assumed
Pre-ticked boxes are banned
Consent requires clear action - needs to be documented
Customers are allowed to withdraw at any time

24
Q

RICS best practice points for complying with GDPR?

A

Conduct a data review
Anonymise + encrypt data where possible
Understand data processing

25
Q

Do you need to comply with UK GDPR + the DPA as a surveyor?

A

Yes – most UK property firms process personal client data

26
Q

What are the main requirements under the Data Protection Act 2018?

A

An obligation to conduct data protection impact assessments for high risk holding of data

Data security breaches must be reported to ICO within 72hrs where there is a loss of personal data or harm to individuals

Data controller decides how + why personal data is processed + is directly responsible for GDPR

27
Q

How long do you have to report a data breach to the ICO?

A

Within 72 hours of awareness

28
Q

What are the principles of the DPA (6) + UK GDPR (7)? (SAIDPAL)

A

Storage limitation
Accuracy
Integrity + confidentiality (security)
Data minimisation
Purpose limitation
Accountability (UK GDPR)
Lawfulness, fairness + transparency

29
Q

How do you comply with UK GDPR / DPA in your role?

A

Don’t share confidential information

Ensure I have written consent from individuals before processing their personal data, e.g. get written permission from tenants before passing details onto contractors

Ensure all consent is documented + uploaded to shared files

I report any suspected breaches

30
Q

What does Principle 1: Storage limitation mean?

A

Must not keep personal data for longer than we need it

Amount of time for which data is kept depends on intended purpose

Must check how long we can keep personal data + delete when no longer required

Can find information in Company’s Information + Document Retention policies

31
Q

What does Principle 2: Accuracy mean?

A

Must take all reasonable steps to ensure personal data is correct, not misleading + kept up to date

Must accurately record any personal data, document any sources + ensure errors are rectified as soon as possible

32
Q

What does Principle 3: Security, integrity + confidentiality mean?

A

Must have appropriate measures in place to keep any personal data we store or process secure

This includes technical + organisational measures

Measures are not limited to digital data but also cover paper records

Includes protection against unauthorised or unlawful processing + accidental loss, destruction or damage

33
Q

What does Principle 4: Data minimisation mean?

A

Personal data must be limited to what is adequate, relevant + necessary to meet stated purpose

Must not collect more data than we need – makes it harder to keep everything up to date

34
Q

What does Principle 5: Purpose limitation mean?

A

We must only use personal data for specified, explicit + legitimate purposes

Need to be clear about why we are collecting personal data + document this

35
Q

What does Principle 6: Accountability mean (UK GDPR)?

A

Companies must take responsibility for what they do with personal data, comply with the principles + be able to demonstrate compliance

Do this by having data protection policies, having contracts when sharing personal data with third parties + carrying out risk assessments for high-risk processing

36
Q

What does Principle 6 (DPA) + 7 (UK GDPR): Lawfulness, fairness + transparency mean?

A

Must have valid grounds for collecting + using personal data + document this

Nothing should be done with data that breaches other laws

We must treat people fairly + only use personal data in a way they would reasonably expect

We need to tell people, via privacy notices, who we are + how + why we will use their data

37
Q

What individual rights exist under the DPA 2018 / UK GDPR? (RADIOERA)

A

Right to rectification
Right of access
Right to data portability
Right to be informed
Right to object
Right to erasure
Right to restrict processing
Rights in relation to automated decision making + profiling

38
Q

What is the purpose of the 8 rights under DPA 2018 / UK GDPR?

A

Rights give people greater control over how their personal data is used

39
Q

Talk me through the individual right to be informed under the DPA 2018 / UK GDPR?

A

Must tell people purpose for processing, how long we will keep data for + who else we will share it with

This should be done at the time when we collect their personal data

40
Q

Talk me through the individual right of access under the DPA 2018 / UK GDPR?

A

Individuals have the right to access + get copy of personal data

This allows individuals to check how + why you are using personal data

This is done by submitting a Data Subject Access Request (DSAR)

41
Q

Talk me through the individual right to rectification under the DPA 2018 / UK GDPR?

A

Individuals have the right to ask to correct any errors in personal data or make records complete if data is missing

Can sometimes refuse to do this, but only in certain circumstances

42
Q

Talk me through the individual right to erasure under the DPA 2018 / UK GDPR?

A

Individuals have the right to ask to delete their personal data

This right is not absolute + only applies in certain circumstances

43
Q

Talk me through the individual right to restrict processing under the DPA 2018 / UK GDPR?

A

Individuals can ask to restrict or suppress processing of personal data

This limits how data is used

If this happens, personal data will be stored but not used until decision is made

44
Q

Talk me through the individual right to data portability under the DPA 2018 / UK GDPR?

A

Individuals have the right to obtain + reuse personal data for different things

Can ask to transfer personal data to another IT system

Must be able to do this in a safe + secure way without hindrance

45
Q

Talk me through the individual right to object under the DPA 2018 / UK GDPR?

A

Individuals have the right to stop us processing their personal data in certain circumstances, e.g. for marketing purposes

Must comply unless there is a compelling reason not to, e.g. to process a legal claim

46
Q

Talk me through the individual rights on automated decision-making, e.g. profiling under the DPA 2018 / UK GDPR?

A

Individuals have the right to stop us from using personal data for automated decision-making (decisions made without human involvement)

Can only do this if it is necessary to enter into or fulfil a contract, if it is legally authorised, or if we have explicit consent

47
Q

What is a DSAR?

A

Data Subject Access Request

Formal request made by an individual to an organisation, asking for access to personal data that organisation holds about them

This right is granted under GDPR

Organisations have 1 month to respond to requests

48
Q

What details can you request when you make a DSAR?

A

Data being processed

Purposes of processing

Who the data is shared with

49
Q

Can an organisation refuse a DSAR?

A

Can only refuse if an exception or restriction applies, or if excessive

If refuse to comply, must explain why

50
Q

Can someone ask you to tell them what personal data you hold about them?

A

Yes

51
Q

What are the penalties under the Data Protection Act 2018 / UK GDPR?

A

Fines up to 4% global turnover of the company or £17.5 million (whichever is greater)

52
Q

How long do you have to hold data for under the Data Protection Act 2018?

A

Should only keep data for as long as you need it

No specific time limit for how long you can keep data for, but must be able to justify length of time for retention

Organisations must assess + justify their data retention periods based on specific processing activities + legal obligations

53
Q

How might a data breach occur in your office?

A

Lost or stolen devices

Phishing/whaling (CEO fraud)

Unauthorised access, i.e. someone hacking into your device

Human error, e.g. sending an email to the wrong person or accidentally deleting an important file

Malware (software designed to gain access to your computer systems)

54
Q

What is phishing/whaling/CEO fraud?

A

Tricking people into giving away personal information by pretending to be a trustworthy source

55
Q

What is ransomware?

A

Type of malicious software (malware) that locks individuals’ files + demands money to unlock them

56
Q

What percentage of data breaches is it estimated that a company’s own employees may account for?

A

50%

57
Q

Could a Professional Indemnity Claim be based on lost or corrupted data?

A

Yes

58
Q

How would you ensure data security or avoid a data breach?

A

Change password every 30 days for protection
Never leave devices unattended or unlocked
Never click on any suspicious email attachments or links
Make use of two-step authentication
Receive regular training
Ensure devices are automatically updated
Back up data
Encryption

59
Q

Give me an example of how you ensure that data is kept securely

A

Always ensure to lock my computer when I am leaving my workspace in the office
Outside office – will never leave devices unattended

60
Q

Give me an example of how you process + handle confidential information

A

Don’t disclose details of client’s contact information to tenants or contractors
Also don’t disclose tenant’s details with contractors without their permission

61
Q

What is encryption?

A

Process used to protect sensitive information by converting it from a readable format (plaintext) into an unreadable format (ciphertext)

This ensures that only authorised parties can access the information

62
Q

What is a firewall?

A

Network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules

Establishes a barrier between a trusted network and an untrusted network, e.g. internet

63
Q

What is your company’s policy for data protection breaches?

A

Policy is in accordance with legislation

Following breach, contact IT + compliance with details of what has happened

If breach is via an email, recall email as soon as possible

Do not discuss breach with anyone other than line manager until cleared to do so by head of IT or DPO

Await further instructions from team

64
Q

What would you do in the event of a data breach?

A

Must advise IT and compliance as soon as possible, providing details of what has occurred

Other than line manager, do not discuss with anyone else until cleared to do so by Head of IT (Tim Spencer) or DPO (Joanne Dick)

Compliance will update the Data Breach Log and IT will log the loss of any equipment. Police may be advised if appropriate

Client will also be advised where appropriate

DPO will be responsible for advising the ICO of any significant data breach using ICO’s Data Breach Notification form

65
Q

What does your company’s policy say about data retention?

A

CJ should only keep data which can be used to identify individuals for as long as is necessary for purposes of requirements

Corporate policy is to store data in the archives for a maximum of 15 years

66
Q

What does your firm’s policy on data protection say?

A

Policy is in accordance with relevant legislation

Should make sure personal data held is not shared with anyone (unless necessary for related business activity or individual is aware + has given consent)

Data must be kept securely on the system or in manual files (recommended to scan handwritten notes + keep on system as this is more secure)

Data must be retained for the minimum period necessary

Head of IT + DPO are responsible for managing data breaches

Policy is reviewed annually by DPO

67
Q

How do you apply your firm’s data protection policy?

A

Upload all data to our shared system + scan all hand-written notes

Do not share any personal data unless I have obtained written consent from individual

Take my laptop home after work + don’t leave it in the office

68
Q

What does the Data Protection Bill 2017 do?

A

Updates UK’s data protection laws to align with EU’s GDPR

69
Q

What do the Privacy + Electronic Communications Regulations 2003 (amended 2016) relate to?

A

Extra data protection rules for e-communications, e.g. consent for marketing emails + website cookies

Consent from recipients for these to be received must be provided expressly (i.e. opt-in check box)

70
Q

What legislation specifically relates to data held by public bodies?

A

Freedom of Information Act 2000

71
Q

What is the Freedom of Information Act 2000?

A

Gives the public the right to access information held by public authorities

The RICS is not a public authority, so it does not give public a right to access information held

72
Q

How must a request be made by a member of the public under the FOI Act 2000?

A

In writing

73
Q

How long does the public body have to respond under the FOI Act 2000?

A

20 days

74
Q

Does a public body have to respond under the FOI Act 2000?

A

Yes – either with the information (plus a charge for processing) or refusal (with an explanation)

75
Q

Are there any exemptions under the FOI Act 2000?

A

Yes – too expensive to provide, unreasonable, not in the public interest

76
Q

What legislation relates to the disposal of old files?

A

Limitation Act 1980

77
Q

What is an AVM?

A

Automated Valuation Model

Software-based tool that uses algorithms + data, such as property details + market trends, to provide property valuations

Different types of AVM are used in the market, some wholly automated + others blended with human input, e.g. Valos

78
Q

When is an AVM viable?

A

When there is sufficient + accurate data which facilitates higher quality valuations

79
Q

List some advantages + disadvantages of using an AVM

A

Advantages – saves time, money + resources, creates level of certainty, reduces human element in relation to fraud risk

Disadvantages – requires accurate market data (not always available), data sources may not be regularly updated, property may not be physically inspected + certain characteristics may be missed

80
Q

What is EDM?

A

Electronic Document Management

81
Q

What does an EDM do?

A

Collection of technologies that work together to provide a comprehensive solution for managing electronic assets

82
Q

What is copyright?

A

Author of original work has exclusive rights to control distribution of work

83
Q

Can copyright be licensed, assigned or transferred?

A

Yes – it is an intellectual property right

84
Q

Who would usually own the copyright of a valuation report?

A

The surveyor; the client is licensed to copy it in connection with the purpose

85
Q

What is a DPIA?

A

Data Protection Impact Assessment

Process to identify possible risks from the processing of personal data

Important tools to minimise risk + demonstrate compliance with GDPR

86
Q

How does your company store data?

A

Carter Jonas has an iManage Document Management System, known as DMS

Everything is saved into DMS, including correspondence

Job spaces are retained for 6 years unless otherwise specified with a client

87
Q

What are the benefits of cloud-based storage systems?

A

Access from multiple users at one time

Allows a large amount of data to be stored

Info backed up on securely encrypted servers

Environmentally friendly + cheaper

88
Q

What are the RICS recommendations for using confidential information?

A

Keep secure record of consent for data processing

Maintain confidentiality of information unless explicit permission is given by the party

Check if have appropriate contractual clauses to use information

89
Q

What types of agreements are available in relation to confidential information?

A

Non-disclosure Agreement (NDA)
Confidentiality Agreement (CA)
Confidential Disclosure Agreement (CDA)

90
Q

What is a non-disclosure agreement (NDA)?

A

Legal contract where parties agree to keep shared information confidential

Sets out restrictions on receiving party’s use, disclosure + return of a disclosing party’s confidential information + parties’ related rights + obligations

91
Q

What is a confidentiality agreement (CA)?

A

A general term for any agreement where parties agree to keep certain information private

92
Q

What is a confidential disclosure agreement (CDA)?

A

Contract where parties agree to keep shared information confidential (similar to NDA but often used in research + development)

93
Q

Tell me about how you extract data from a source regularly used in your role?

A

I extract data from Rightmove when conducting valuations
E.g. sold property values, sold dates + property characteristics

94
Q

What information should be included in firm’s privacy notice?

A

What information you hold
How it will be used
How long it will be held for
Which third parties it will be shared with
Legal rights

95
Q

In a property management context, what would you do if a contractor asked for a tenant’s number?

A

Ask permission from tenant + confirm in writing

96
Q

How do you source title information?

A

HM Land Registry

97
Q

Are electronic signatures accepted by the Land Registry?

A

Yes

98
Q

What are the limitations of primary/secondary data sources?

A

Primary – time consuming + expensive, may be element of bias

Secondary – may not be reliable (depends on original data collection methods), may be outdated

99
Q

What are the disadvantages of the systems you use?

A

Rely on others for data input – potential for human error

If not updated regularly, data may be incorrect

100
Q

What is the importance of diarising trigger dates for property management?

A

Allows property managers to plan ahead for rent reviews + lease renewals

To keep track of key dates for lease renewals, rent reviews – ensures lease obligations are met

To ensure property is compliant + maintained

To maintain tenant relationships

101
Q

What is cyber security?

A

Includes technology, policies + procedures in place to protect data against cyber-crimes, e.g. hacking or ransom attacks

102
Q

Is there any RICS guidance on data protection?

A

Useful page on ‘client relationships + handling data’

Developed in response to new Rules of Conduct

Provides guidance on various areas, including data handling (to do with personal data) + data security + retention (to do with data breaches, data retention, cybercrime, etc.)

103
Q

Which Rule of Conduct underpins data protection?

A

Rule 3 (members + firms must provide good-quality + diligent services)

104
Q

How long should you hold a client’s file for?

A

Should be retained only for as long as necessary

Specific retention period will vary depending on type of data + purpose for which it was collected

My firm’s policy has a maximum retention period of 15 years

105
Q

How does your company securely keep data?

A

Make use of a shared system called DMS which allows data to be electronically uploaded

Provides regular training on relevant legislation + importance of security measures

Provides password protection measures + two-step authentication

Provides a policy on data protection – includes measures such as never leaving devices unattended or unlocked

Data protection policy is reviewed annually