Data Management Flashcards
What is data protection?
How personal data is collected, used + stored by companies, governments, authorities + services
What is personal data?
Information relating to an identified or identifiable person
Includes name, address, DOB, phone number, email address, location data
What is special category data?
Includes personal data about someone’s ethnic origin, political opinions, religious beliefs, health, sexual orientation
What is non-personal data?
Includes surveys, company registration numbers, generic email addresses + anonymised data
Why is data protection important?
To comply with legal obligations + avoid fines
To protect customers + employees from identity theft
To uphold company’s reputation
What key legislation relates to data protection in the UK?
Data Protection Act 2018
What is the Data Protection Act 2018?
UK law that governs how personal information is used by organisations, businesses + governments
UK’s implementation of GDPR + replaces DPA 1998
What is the purpose of the Data Protection Act 2018?
Controls how personal information can be used + right to ask for information about yourself
Who does the DPA apply to?
Data controllers + processors
What is the definition of a data subject?
Person whose data it is
What is the definition of a data controller?
Company or person who decides on data’s use
What is the definition of a data processor?
Whoever uses the data
What is UK GDPR and what does it stand for?
UK General Data Protection Regulation
Law designed to protect people’s personal data + privacy
Sets out how governments, companies + organisations can collect, store + use personal information
What is the purpose of UK GDPR?
Law that relates to processing of personal data
Sits alongside DPA 2018
When did the UK GDPR come into effect + who regulates it?
2021 (post Brexit)
Information Commissioner's Office
What Act implemented GDPR in the UK?
DPA 2018
Who regulates GDPR in the UK?
ICO (Information Commissioner's Office)
How have consent conditions been strengthened under UK GDPR?
Consent must be given in plain + clear language (best practice to give this in writing)
Ability to withdraw consent at any time
What is a Data Protection Officer?
Responsible for monitoring internal compliance + obligations for data protection
Only required for entities involved in large scale processing of personal data
What data is affected by UK GDPR + the DPA 2018?
Personal data
Sensitive personal data (including genetic + biometric data)
Electronic data
Manual data, e.g. business cards + written reports
Could you provide examples of data held by surveying practices?
Data relating to background checks by HR
Tenant information - personal details, lease agreement, payment history
Market data - information on property values + market trends
Client data - names, contact details, bank details
Maintenance records - records of maintenance requests, completed repairs
Who are the key persons outlined in the UK GDPR / DPA 2018?
Controller - decides how + why personal data is used
Processor - handles personal data on behalf of controller
Data officer - oversees data protection + ensures compliance with rules
What does the UK GDPR say about consent?
Sets high standard for consent
Consent must not be assumed
Pre-ticked boxes are banned
Consent requires clear action - needs to be documented
Customers are allowed to withdraw at any time
RICS best practice points for complying with GDPR?
Conduct a data review
Anonymise + encrypt data where possible
Understand data processing
Do you need to comply with UK GDPR + the DPA as a surveyor?
Yes – most UK property firms process personal client data
What are the main requirements under the Data Protection Act 2018?
An obligation to conduct data protection impact assessments for high risk holding of data
Data security breaches must be reported to the ICO within 72 hours where there is a loss of personal data or harm to individuals
Data controller decides how + why personal data is processed + is directly responsible for GDPR
How long do you have to report a data breach to the ICO?
Within 72 hours of awareness
What are the principles of the DPA (6) + UK GDPR (7)? (SAIDPAL)
Storage limitation
Accuracy
Integrity + confidentiality (security)
Data minimisation
Purpose limitation
Accountability (UK GDPR)
Lawfulness, fairness + transparency
How do you comply with UK GDPR / DPA in your role?
Don’t share confidential information
Ensure I have written consent from individuals before processing their personal data, e.g. get written permission from tenants before passing details onto contractors
Ensure all consent is documented + uploaded to shared files
I report any suspected breaches
What does Principle 1: Storage limitation mean?
Must not keep personal data for longer than we need it
Amount of time for which data is kept depends on intended purpose
Must check how long we can keep personal data + delete when no longer required
Can find information in Company’s Information + Document Retention policies
What does Principle 2: Accuracy mean?
Must take all reasonable steps to ensure personal data is correct, not misleading + kept up to date
Must accurately record any personal data, document any sources + ensure errors are rectified as soon as possible
What does Principle 3: Security, integrity + confidentiality mean?
Must have appropriate measures in place to keep any personal data we store or process secure
This includes technical + organisational measures
Measures are not limited to digital data but also cover paper records
Includes protection against unauthorised or unlawful processing + accidental destruction or damage
What does Principle 4: Data minimisation mean?
Personal data must be limited to what is adequate, relevant + necessary to meet stated purpose
Must not collect more data than we need – makes it harder to keep everything up to date
What does Principle 5: Purpose limitation mean?
We must only use personal data for specified, explicit + legitimate purposes
Need to be clear about why we are collecting personal data + document this
What does Principle 6: Accountability mean (UK GDPR)?
Companies must take responsibility for what they do with personal data, comply with the principles + be able to demonstrate compliance
Do this by having data protection policies, having contracts when sharing personal data with third parties + carrying out risk assessments for high-risk processing
What does Principle 6 (DPA) + 7 (UK GDPR): Lawfulness, fairness + transparency mean?
Must have valid grounds for collecting + using personal data + document this
Nothing should be done with data that breaches other laws
We must treat people fairly + only use personal data in a way they would reasonably expect
We need to tell people, via privacy notices, who we are + how + why we will use their data
What individual rights exist under the DPA 2018 / UK GDPR? (RADIOERA)
Right to rectification
Right of access
Right to data portability
Right to be informed
Right to object
Right to erasure
Right to restrict processing
Rights in relation to automated decision making + profiling
What is the purpose of the 8 rights under DPA 2018 / UK GDPR?
Rights give people greater control over how their personal data is used
Talk me through the individual right to be informed under the DPA 2018 / UK GDPR?
Must tell people purpose for processing, how long we will keep data for + who else we will share it with
This should be done at the time when we collect their personal data
Talk me through the individual right of access under the DPA 2018 / UK GDPR?
Individuals have the right to access + get copy of personal data
This allows individuals to check how + why you are using personal data
This is done by submitting a Data Subject Access Request (DSAR)
Talk me through the individual right to rectification under the DPA 2018 / UK GDPR?
Individuals have the right to ask to correct any errors in personal data or make records complete if data is missing
We can sometimes refuse to do this, but only in certain circumstances
Talk me through the individual right to erasure under the DPA 2018 / UK GDPR?
Individuals have the right to ask to delete their personal data
This right is not absolute + only applies in certain circumstances
Talk me through the individual right to restrict processing under the DPA 2018 / UK GDPR?
Individuals can ask to restrict or suppress processing of personal data
This limits how data is used
If this happens, personal data will be stored but not used until decision is made
Talk me through the individual right to data portability under the DPA 2018 / UK GDPR?
Individuals have the right to obtain + reuse personal data for different things
Can ask to transfer personal data to another IT system
Must be able to do this in a safe + secure way without hindrance
Talk me through the individual right to object under the DPA 2018 / UK GDPR?
Individuals have the right to stop us processing their personal data in certain circumstances, e.g. for marketing purposes
Must comply unless there is a compelling reason to continue processing, e.g. to process a legal claim
Talk me through the individual rights on automated decision-making, e.g. profiling under the DPA 2018 / UK GDPR?
Individuals have the right to stop us from using personal data for automated decision-making (decisions made without human involvement)
Automated decision-making can only be used if it is necessary to enter into or fulfil a contract, if it is legally authorised, or if we have explicit consent
What is a DSAR?
Data Subject Access Request
Formal request made by an individual to an organisation, asking for access to personal data that organisation holds about them
This right is granted under GDPR
Organisations have 1 month to respond to requests
What details can you request when you make a DSAR?
Data being processed
Purposes of processing
Who the data is shared with
Can an organisation refuse a DSAR?
Can only refuse if an exception or restriction applies, or if excessive
If refuse to comply, must explain why
Can someone ask you to tell them what personal data you hold about them?
Yes
What are the penalties under the Data Protection Act 2018 / UK GDPR?
Fines up to 4% global turnover of the company or £17.5 million (whichever is greater)
How long do you have to hold data for under the Data Protection Act 2018?
Should only keep data for as long as you need it
No specific time limit for how long you can keep data for, but must be able to justify length of time for retention
Organisations must assess + justify their data retention periods based on specific processing activities + legal obligations
How might a data breach occur in your office?
Lost or stolen devices
Phishing/whaling (CEO fraud)
Unauthorised access, i.e. someone hacking into your device
Human error, e.g. sending an email to the wrong person or accidentally deleting an important file
Malware (software designed to gain access to your computer systems)
What is phishing/whaling/CEO fraud?
Tricking people into giving away personal information by pretending to be a trustworthy source
What is ransomware?
Type of malicious software (malware) that locks individuals’ files + demands money to unlock them
What percentage of data breaches is it estimated that a company’s own employees may account for?
50%
Could a Professional Indemnity Claim be based on lost or corrupted data?
Yes
How would you ensure data security or avoid a data breach?
Change password every 30 days for protection
Never leave devices unattended or unlocked
Never click on any suspicious email attachments or links
Make use of two-step authentication
Receive regular training
Ensure devices are automatically updated
Back up data
Encryption
Give me an example of how you ensure that data is kept securely
Always ensure I lock my computer when I am leaving my workspace in the office
Outside office – will never leave devices unattended
Give me an example of how you process + handle confidential information
Don’t disclose details of client’s contact information to tenants or contractors
Also don’t disclose tenant’s details with contractors without their permission
What is encryption?
Process used to protect sensitive information by converting it from a readable format (plaintext) into an unreadable format (ciphertext)
This ensures that only authorised parties can access the information
What is a firewall?
Network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules
Establishes a barrier between a trusted network and an untrusted network, e.g. internet
What is your company’s policy for data protection breaches?
Policy is in accordance with legislation
Following breach, contact IT + compliance with details of what has happened
If breach is via an email, recall email as soon as possible
Do not discuss breach with anyone other than line manager until cleared to do so by head of IT or DPO
Wait for further instructions from team
What would you do in the event of a data breach?
Must advise IT and compliance as soon as possible, providing details of what has occurred
Other than line manager, do not discuss with anyone else until cleared to do so by Head of IT (Tim Spencer) or DPO (Joanne Dick)
Compliance will update the Data Breach Log and IT will log the loss of any equipment. Police may be advised if appropriate
Client will also be advised where appropriate
DPO will be responsible for advising the ICO of any significant data breach using ICO’s Data Breach Notification form
What does your company’s policy say about data retention?
CJ should only keep data which can be used to identify individuals for as long as is necessary for purposes of requirements
Corporate policy is to store data in the archives for a maximum of 15 years
What does your firm’s policy on data protection say?
Policy is in accordance with relevant legislation
Should make sure personal data held is not shared with anyone (unless necessary for related business activity or individual is aware + has given consent)
Data must be kept securely on the system or in manual files (recommended to scan handwritten notes + keep on system as this is more secure)
Data must be retained for the minimum period necessary
Head of IT + DPO are responsible for managing data breaches
Policy is reviewed annually by DPO
How do you apply your firm’s data protection policy?
Upload all data to our shared system + scan all hand-written notes
Do not share any personal data unless I have obtained written consent from individual
Take my laptop home after work + don’t leave it in the office
What does the Data Protection Bill 2017 do?
Updates UK’s data protection laws to align with EU’s GDPR
What do the Privacy + Electronic Communications Regulations 2003 (amended 2016) relate to?
Extra data protection rules for e-communications, e.g. consent for marketing emails + website cookies
Consent from recipients for these to be received must be provided expressly (i.e. opt-in check box)
What legislation specifically relates to data held by public bodies?
Freedom of Information Act 2000
What is the Freedom of Information Act 2000?
Gives the public the right to access information held by public authorities
The RICS is not a public authority, so the Act does not give the public a right to access information held by it
How must a request be made by a member of the public under the FOI Act 2000?
In writing
How long does the public body have to respond under the FOI Act 2000?
20 days
Does a public body have to respond under the FOI Act 2000?
Yes – either with the information (plus a charge for processing) or refusal (with an explanation)
Are there any exemptions under the FOI Act 2000?
Yes – too expensive to provide, unreasonable, not in the public interest
What legislation relates to the disposal of old files?
Limitation Act 1980
What is an AVM?
Automated Valuation Model
Software-based tool that uses algorithms + data, such as property details + market trends, to provide property valuations
Different types of AVM that are used in the market, some wholly automated + others blended with human input, e.g. Valos
When is an AVM viable?
When there is sufficient + accurate data which facilitates higher quality valuations
List some advantages + disadvantages of using an AVM
Advantages – saves time, money + resources, creates level of certainty, reduces human element in relation to fraud risk
Disadvantages – requires accurate market data (not always available), data sources may not be regularly updated, property may not be physically inspected + certain characteristics may be missed
What is EDM?
Electronic Document Management
What does an EDM do?
Collection of technologies that work together to provide a comprehensive solution for managing electronic assets
What is copyright?
Author of original work has exclusive rights to control distribution of work
Can copyright be licensed, assigned or transferred?
Yes – it is an intellectual property right
Who would usually own the copyright of a valuation report?
The surveyor; the client is licensed to copy it in connection with the purpose
What is a DPIA?
Data Protection Impact Assessment
Process to identify possible risks from the processing of personal data
Important tool to minimise risk + demonstrate compliance with GDPR
How does your company store data?
Carter Jonas has an iManage Document Management System, known as DMS
Everything is saved into DMS, including correspondence
Job spaces are retained for 6 years unless otherwise specified with a client
What are the benefits of cloud-based storage systems?
Access from multiple users at one time
Allows a large amount of data to be stored
Info backed up on securely encrypted servers
Environmentally friendly + cheaper
What are the RICS recommendations for using confidential information?
Keep secure record of consent for data processing
Maintain confidentiality of information unless explicit permission is given by the party
Check if there are appropriate contractual clauses to use information
What types of agreements are available in relation to confidential information?
Non-disclosure Agreement (NDA)
Confidentiality Agreement (CA)
Confidential Disclosure Agreement (CDA)
What is a non-disclosure agreement (NDA)?
Legal contract where parties agree to keep shared information confidential
Sets out restrictions on receiving party’s use, disclosure + return of a disclosing party’s confidential information + parties’ related rights + obligations
What is a confidentiality agreement (CA)?
A general term for any agreement where parties agree to keep certain information private
What is a confidential disclosure agreement (CDA)?
Contract where parties agree to keep shared information confidential (similar to NDA but often used in research + development)
Tell me about how you extract data from a source regularly used in your role?
I extract data from Rightmove when conducting valuations
E.g. sold property values, sold dates + property characteristics
What information should be included in firm’s privacy notice?
What information you hold
How it will be used
How long it will be held for
Which third parties it will be shared with
Legal rights
In a property management context, what would you do if a contractor asked for a tenant’s number?
Ask permission from tenant + confirm in writing
How do you source title information?
HM Land Registry
Are electronic signatures accepted by the Land Registry?
Yes
What are the limitations of primary/secondary data sources?
Primary – time consuming + expensive, may be element of bias
Secondary – may not be reliable (depends on original data collection methods), may be outdated
What are the disadvantages of the systems you use?
Rely on others for data input – potential for human error
If not updated regularly, data may be incorrect
What is the importance of diarising trigger dates for property management?
Allows property managers to plan ahead for rent reviews + lease renewals
To keep track of key dates for lease renewals, rent reviews – ensures lease obligations are met
To ensure property is compliant + maintained
To maintain tenant relationships
What is cyber security?
Includes technology, policies + procedures in place to protect data against cyber-crimes, e.g. hacking or ransom attacks
Is there any RICS guidance on data protection?
Useful page on ‘client relationships + handling data’
Developed in response to new Rules of Conduct
Provides guidance on various areas, including data handling (to do with personal data) + data security + retention (to do with data breaches, data retention, cybercrime, etc.)
Which Rule of Conduct underpins data protection?
Rule 3 (members + firms must provide good-quality + diligent services)
How long should you hold a client’s file for?
Should be retained only for as long as necessary
Specific retention period will vary depending on type of data + purpose for which it was collected
My firm’s policy has a maximum retention period of 15 years
How does your company keep data securely?
Make use of a shared system called DMS which allows data to be electronically uploaded
Provides regular training on relevant legislation + importance of security measures
Provides password protection measures + two-step authentication
Provides a policy on data protection – includes measures such as never leaving devices unattended or unlocked
Data protection policy is reviewed annually