Data Management Flashcards

1
Q

What is data protection?

A

How personal data is collected, used + stored by companies, governments, authorities + services

2
Q

What is personal data?

A

Information relating to an identified or identifiable person

Includes name, address, DOB, phone number, email address, location data

3
Q

What is special category data?

A

Includes personal data about someone’s ethnic origin, political opinions, religious beliefs, health, sexual orientation

4
Q

What is non-personal data?

A

Includes surveys, company registration numbers, generic email addresses + anonymised data

5
Q

Why is data protection important?

A

To comply with legal obligations + avoid fines

To protect customers + employees from identity theft

To uphold company’s reputation

6
Q

What key legislation relates to data protection in the UK?

A

Data Protection Act 2018

7
Q

What is the Data Protection Act 2018?

A

UK law that governs how personal information is used by organisations, businesses + governments

UK’s implementation of GDPR + replaces DPA 1998

8
Q

What is the purpose of the Data Protection Act 2018?

A

Controls how personal information can be used + right to ask for information about yourself

9
Q

Who does the DPA apply to?

A

Data controllers + processors

10
Q

What is the definition of a data subject?

A

Person whose data it is

11
Q

What is the definition of a data controller?

A

Company or person who decides on data’s use

12
Q

What is the definition of a data processor?

A

Whoever uses the data

13
Q

What is UK GDPR and what does it stand for?

A

UK General Data Protection Regulation

Law designed to protect people’s personal data + privacy

Sets out how governments, companies + organisations can collect, store + use personal information

14
Q

What is the purpose of UK GDPR?

A

Law that relates to processing of personal data

Sits alongside DPA 2018

15
Q

When did the UK GDPR come into effect + who regulates it?

A

2021 (post Brexit)

Information Commissioner’s Office

16
Q

What Act implemented GDPR in the UK?

A

DPA 2018

17
Q

Who regulates GDPR in the UK?

A

ICO (Information Commissioner’s Office)

18
Q

How have consent conditions been strengthened under UK GDPR?

A

Consent must be given in plain + clear language (best practice to give this in writing)

Ability to withdraw consent at any time

19
Q

What is a Data Protection Officer?

A

Responsible for monitoring internal compliance + obligations for data protection

Only required for entities involved in large-scale processing of personal data

20
Q

What data is affected by UK GDPR + the DPA 2018?

A

Personal data
Sensitive personal data (including genetic + biometric data)
Electronic data
Manual data, e.g. business cards + written reports

21
Q

Could you provide examples of data held by surveying practices?

A

Data relating to background checks by HR

Tenant information - personal details, lease agreement, payment history

Market data - information on property values + market trends

Client data - names, contact details, bank details

Maintenance records - records of maintenance requests, completed repairs

22
Q

Who are the key persons outlined in the UK GDPR / DPA 2018?

A

Controller - decides how + why personal data is used

Processor - handles personal data on behalf of controller

Data officer - oversees data protection + ensures compliance with rules

23
Q

What does the UK GDPR say about consent?

A

Sets high standard for consent
Consent must not be assumed
Pre-ticked boxes are banned
Consent requires clear action - needs to be documented
Customers are allowed to withdraw at any time

24
Q

What are the RICS best practice points for complying with GDPR?

A

Conduct a data review
Anonymise + encrypt data where possible
Understand data processing

25
Q

Do you need to comply with UK GDPR + the DPA as a surveyor?

A

Yes – most UK property firms process personal client data

26
Q

What are the main requirements under the Data Protection Act 2018?

A

An obligation to conduct data protection impact assessments for high-risk holding of data
Data security breaches must be reported to the ICO within 72 hrs where there is a loss of personal data or harm to individuals
Data controller decides how + why personal data is processed + is directly responsible for GDPR

27
Q

How long do you have to report a data breach to the ICO?

A

Within 72 hours of awareness

28
Q

What are the principles of the DPA (6) + UK GDPR (7)? (SAIDPAL)

A

Storage limitation
Accuracy
Integrity + confidentiality (security)
Data minimisation
Purpose limitation
Accountability (UK GDPR)
Lawfulness, fairness + transparency

29
Q

How do you comply with UK GDPR / DPA in your role?

A

Don’t share confidential information
Ensure I have written consent from individuals before processing their personal data, e.g. get written permission from tenants before passing details on to contractors
Ensure all consent is documented + uploaded to shared files
I report any suspected breaches

30
Q

What does Principle 1: Storage limitation mean?

A

Must not keep personal data for longer than we need it
Amount of time for which data is kept depends on intended purpose
Must check how long we can keep personal data + delete when no longer required
Can find information in Company’s Information + Document Retention policies

31
Q

What does Principle 2: Accuracy mean?

A

Must take all reasonable steps to ensure personal data is correct, not misleading + kept up to date
Must accurately record any personal data, document any sources + ensure errors are rectified as soon as possible

32
Q

What does Principle 3: Security, integrity + confidentiality mean?

A

Must have appropriate measures in place to keep any personal data we store or process secure
This includes technical + organisational measures
Measures are not limited to digital data but also cover paper records
Includes protection against unauthorised or unlawful processing + accidental loss, destruction or damage

33
Q

What does Principle 4: Data minimisation mean?

A

Personal data must be limited to what is adequate, relevant + necessary to meet stated purpose
Must not collect more data than we need – makes it harder to keep everything up to date

34
Q

What does Principle 5: Purpose limitation mean?

A

We must only use personal data for specified, explicit + legitimate purposes
Need to be clear about why we are collecting personal data + document this

35
Q

What does Principle 6: Accountability mean (UK GDPR)?

A

Companies must take responsibility for what they do with personal data, comply with the principles + be able to demonstrate compliance
Do this by having data protection policies, having contracts when sharing personal data with third parties + carrying out risk assessments for high-risk processing

36
Q

What does Principle 6 (DPA) + 7 (UK GDPR): Lawfulness, fairness + transparency mean?

A

Must have valid grounds for collecting + using personal data + document this
Nothing should be done with data that breaches other laws
We must treat people fairly + only use personal data in a way they would reasonably expect
We need to tell people, via privacy notices, who we are + how + why we will use their data

37
Q

What individual rights exist under the DPA 2018 / UK GDPR? (RADIOERA)

A

Right to rectification
Right of access
Right to data portability
Right to be informed
Right to object
Right to erasure
Right to restrict processing
Rights in relation to automated decision making + profiling

38
Q

What is the purpose of the 8 rights under DPA 2018 / UK GDPR?

A

Rights give people greater control over how their personal data is used

39
Q

Talk me through the individual right to be informed under the DPA 2018 / UK GDPR?

A

Must tell people the purpose for processing, how long we will keep data for + who else we will share it with
This should be done at the time when we collect their personal data

40
Q

Talk me through the individual right of access under the DPA 2018 / UK GDPR?

A

Individuals have the right to access + get a copy of personal data
This allows individuals to check how + why you are using personal data
This is done by submitting a Data Subject Access Request (DSAR)

41
Q

Talk me through the individual right to rectification under the DPA 2018 / UK GDPR?

A

Individuals have the right to ask to correct any errors in personal data or make records complete if data is missing
Sometimes, can refuse to do this but only in certain circumstances

42
Q

Talk me through the individual right to erasure under the DPA 2018 / UK GDPR?

A

Individuals have the right to ask to delete their personal data
This right is not absolute + only applies in certain circumstances

43
Q

Talk me through the individual right to restrict processing under the DPA 2018 / UK GDPR?

A

Individuals can ask to restrict or suppress processing of personal data
This limits how data is used
If this happens, personal data will be stored but not used until a decision is made

44
Q

Talk me through the individual right to data portability under the DPA 2018 / UK GDPR?

A

Individuals have the right to obtain + reuse personal data for different things
Can ask to transfer personal data to another IT system
Must be able to do this in a safe + secure way without hindrance

45
Q

Talk me through the individual right to object under the DPA 2018 / UK GDPR?

A

Individuals have the right to stop us processing their personal data in certain circumstances, e.g. for marketing purposes
Must comply unless there is a compelling reason to continue processing, e.g. to process a legal claim

46
Q

Talk me through the individual rights on automated decision-making, e.g. profiling under the DPA 2018 / UK GDPR?

A

Individuals have the right to stop us from using personal data for automated decision-making (decisions made without human involvement)
Can only do this if it is necessary to enter into or fulfil a contract, if it is legally authorised, or if we have explicit consent

47
Q

What is a DSAR?

A

Data Subject Access Request
Formal request made by an individual to an organisation, asking for access to personal data that organisation holds about them
This right is granted under GDPR
Organisations have 1 month to respond to requests

48
Q

What details can you request when you make a DSAR?

A

Data being processed
Purposes of processing
Who the data is shared with

49
Q

Can an organisation refuse a DSAR?

A

Can only refuse if an exception or restriction applies, or if excessive
If refusing to comply, must explain why

50
Q

Can someone ask you to tell them what personal data you hold about them?

A

Yes

51
Q

What are the penalties under the Data Protection Act 2018 / UK GDPR?

A

Fines up to 4% of the company’s global turnover or £17.5 million (whichever is greater)

52
Q

How long do you have to hold data for under the Data Protection Act 2018?

A

Should only keep data for as long as you need it
No specific time limit for how long you can keep data, but must be able to justify length of time for retention
Organisations must assess + justify their data retention periods based on specific processing activities + legal obligations

53
Q

How might a data breach occur in your office?

A

Lost or stolen devices
Phishing/whaling (CEO fraud)
Unauthorised access, i.e. someone hacking into your device
Human error, e.g. sending an email to the wrong person or accidentally deleting an important file
Malware (software designed to gain access to your computer systems)

54
Q

What is phishing/whaling/CEO fraud?

A

Tricking people into giving away personal information by pretending to be a trustworthy source

55
Q

What is ransomware?

A

Type of malicious software (malware) that locks individuals’ files + demands money to unlock them

56
Q

What percentage of data breaches is it estimated that a company’s own employees may account for?

A

50%

57
Q

Could a Professional Indemnity Claim be based on lost or corrupted data?

A

Yes

58
Q

How would you ensure data security or avoid a data breach?

A

Change password every 30 days for protection
Never leave devices unattended or unlocked
Never click on any suspicious email attachments or links
Make use of two-step authentication
Receive regular training
Ensure devices are automatically updated
Back up data
Encryption

59
Q

Give me an example of how you ensure that data is kept securely

A

Always ensure I lock my computer when I am leaving my workspace in the office
Outside the office – will never leave devices unattended

60
Q

Give me an example of how you process + handle confidential information

A

Don’t disclose details of client’s contact information to tenants or contractors
Also don’t disclose tenant’s details to contractors without their permission

61
Q

What is encryption?

A

Process used to protect sensitive information by converting it from a readable format (plaintext) into an unreadable format (ciphertext)
This ensures that only authorised parties can access the information

62
Q

What is a firewall?

A

Network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules
Establishes a barrier between a trusted network and an untrusted network, e.g. the internet

63
Q

What is your company’s policy for data protection breaches?

A

Policy is in accordance with legislation
Following a breach, contact IT + compliance with details of what has happened
If breach is via an email, recall the email as soon as possible
Do not discuss breach with anyone other than line manager until cleared to do so by Head of IT or DPO
Await further instructions from team

64
Q

What would you do in the event of a data breach?

A

Must advise IT and compliance as soon as possible, providing details of what has occurred
Other than line manager, do not discuss with anyone else until cleared to do so by Head of IT (Tim Spencer) or DPO (Joanne Dick)
Compliance will update the Data Breach Log and IT will log the loss of any equipment
Police may be advised if appropriate
Client will also be advised where appropriate
DPO will be responsible for advising the ICO of any significant data breach using ICO’s Data Breach Notification form

65
Q

What does your company’s policy say about data retention?

A

CJ should only keep data which can be used to identify individuals for as long as is necessary for the purposes of requirements
Corporate policy is to store data in the archives for a maximum of 15 years

66
Q

What does your firm’s policy on data protection say?

A

Policy is in accordance with relevant legislation
Should make sure personal data held is not shared with anyone (unless necessary for related business activity or individual is aware + has given consent)
Data must be kept securely on the system or in manual files (recommended to scan handwritten notes + keep on system as this is more secure)
Data must be retained for the minimum period necessary
Head of IT + DPO are responsible for managing data breaches
Policy is reviewed annually by DPO

67
Q

How do you apply your firm’s data protection policy?

A

Upload all data to our shared system + scan all hand-written notes
Do not share any personal data unless I have obtained written consent from the individual
Take my laptop home after work + don’t leave it in the office

68
Q

What does the Data Protection Bill 2017 do?

A

Updates UK’s data protection laws to align with EU’s GDPR

69
Q

What do the Privacy + Electronic Communications Regulations 2003 (amended 2016) relate to?

A

Extra data protection rules for e-communications, e.g. consent for marketing emails + website cookies
Consent from recipients for these to be received must be provided expressly (i.e. opt-in check box)

70
Q

What legislation specifically relates to data held by public bodies?

A

Freedom of Information Act 2000

71
Q

What is the Freedom of Information Act 2000?

A

Gives the public the right to access information held by public authorities
The RICS is not a public authority, so it does not give the public a right to access information held

72
Q

How must a request be made by a member of the public under the FOI Act 2000?

A

In writing

73
Q

How long does the public body have to respond under the FOI Act 2000?

A

20 days

74
Q

Does a public body have to respond under the FOI Act 2000?

A

Yes – either with the information (plus a charge for processing) or a refusal (with an explanation)

75
Q

Are there any exemptions under the FOI Act 2000?

A

Yes – too expensive to provide, unreasonable, not in the public interest

76
Q

What legislation relates to the disposal of old files?

A

Limitation Act 1980

77
Q

What is an AVM?

A

Automated Valuation Model
Software-based tool that uses algorithms + data, such as property details + market trends, to provide property valuations
Different types of AVM are used in the market, some wholly automated + others blended with human input, e.g. Valos

78
Q

When is an AVM viable?

A

When there is sufficient + accurate data which facilitates higher-quality valuations

79
Q

List some advantages + disadvantages of using an AVM

A

Advantages – saves time, money + resources, creates level of certainty, reduces human element in relation to fraud risk
Disadvantages – requires accurate market data (not always available), data sources may not be regularly updated, property may not be physically inspected + certain characteristics may be missed

80
Q

What is EDM?

A

Electronic Document Management

81
Q

What does an EDM do?

A

Collection of technologies that work together to provide a comprehensive solution for managing electronic assets

82
Q

What is copyright?

A

Author of original work has exclusive rights to control distribution of the work

83
Q

Can copyright be licensed, assigned or transferred?

A

Yes – it is an intellectual property right

84
Q

Who would usually own the copyright of a valuation report?

A

The surveyor; the client is licensed to copy it in connection with the purpose

85
Q

What is a DPIA?

A

Data Protection Impact Assessment
Process to identify possible risks from the processing of personal data
Important tool to minimise risk + demonstrate compliance with GDPR

86
Q

How does your company store data?

A

Carter Jonas has an iManage Document Management System, known as DMS
Everything is saved into DMS, including correspondence
Job spaces are retained for 6 years unless otherwise specified with a client

87
Q

What are the benefits of cloud-based storage systems?

A

Access from multiple users at one time
Allows a large amount of data to be stored
Info backed up securely on encrypted servers
Environmentally friendly + cheaper

88
Q

What are the RICS recommendations for using confidential information?

A

Keep secure record of consent for data processing
Maintain confidentiality of information without explicit permission from party
Check whether appropriate contractual clauses are in place to use information

89
Q

What types of agreements are available in relation to confidential information?

A

Non-disclosure Agreement (NDA)
Confidentiality Agreement (CA)
Confidential Disclosure Agreement (CDA)

90
Q

What is a non-disclosure agreement (NDA)?

A

Legal contract where parties agree to keep shared information confidential
Sets out restrictions on receiving party’s use, disclosure + return of a disclosing party’s confidential information + parties’ related rights + obligations

91
Q

What is a confidentiality agreement (CA)?

A

A general term for any agreement where parties agree to keep certain information private

92
Q

What is a confidential disclosure agreement (CDA)?

A

Contract where parties agree to keep shared information confidential (similar to NDA but often used in research + development)

93
Q

Tell me about how you extract data from a source regularly used in your role?

A

I extract data from Rightmove when conducting valuations
E.g. sold property values, sold dates + property characteristics

94
Q

What information should be included in firm’s privacy notice?

A

What information you hold
How it will be used
How long it will be held for
Which third parties it will be shared with
Legal rights

95
Q

In a property management context, what would you do if a contractor asked for a tenant’s number?

A

Ask permission from tenant + confirm in writing

96
Q

How do you source title information?

A

HM Land Registry

97
Q

Are electronic signatures accepted by the Land Registry?

A

Yes

98
Q

What are the limitations of primary/secondary data sources?

A

Primary – time consuming + expensive, may be element of bias
Secondary – may not be reliable (depends on original data collection methods), may be outdated

99
Q

What are the disadvantages of the systems you use?

A

Rely on others for data input – potential for human error
If not updated regularly, data may be incorrect

100
Q

What is the importance of diarising trigger dates for property management?

A

Allows property managers to plan ahead for rent reviews + lease renewals
To keep track of key dates for lease renewals, rent reviews – ensures lease obligations are met
To ensure property is compliant + maintained
To maintain tenant relationships

101
Q

What is cyber security?

A

Includes technology, policies + procedures in place to protect data against cyber-crimes, e.g. hacking or ransom attacks

102
Q

Is there any RICS guidance on data protection?

A

Useful page on ‘client relationships + handling data’
Developed in response to new Rules of Conduct
Provides guidance on various areas, including data handling (to do with personal data) + data security + retention (to do with data breaches, data retention, cybercrime, etc.)

103
Q

Which Rule of Conduct underpins data protection?

A

Rule 3 (members + firms must provide good-quality + diligent services)

104
Q

How long should you hold a client’s file for?

A

Should be retained only for as long as necessary
Specific retention period will vary depending on type of data + purpose for which it was collected
My firm’s policy has a maximum retention period of 15 years

105
Q

How does your company securely keep data?

A

Makes use of a shared system called DMS which allows data to be electronically uploaded
Provides regular training on relevant legislation + importance of security measures
Provides password protection measures + two-step authentication
Provides a policy on data protection – includes measures such as never leaving devices unattended or unlocked
Data protection policy is reviewed annually