Data Management Flashcards
1
Q
What is data protection?
A
How personal data is collected, used + stored by companies, governments, authorities + services
2
Q
What is personal data?
A
Information relating to an identified or identifiable person
Includes name, address, DOB, phone number, email address, location data
3
Q
What is special category data?
A
Includes personal data about someone’s ethnic origin, political opinions, religious beliefs, health, sexual orientation
4
Q
What is non-personal data?
A
Includes surveys, company registration numbers, generic email addresses + anonymised data
5
Q
Why is data protection important?
A
To comply with legal obligations + avoid fines
To protect customers + employees from identity theft
To uphold company’s reputation
6
Q
What key legislation relates to data protection in the UK?
A
Data Protection Act 2018
7
Q
What is the Data Protection Act 2018?
A
UK law that governs how personal information is used by organisations, businesses + governments
UK’s implementation of GDPR + replaces DPA 1998
8
Q
What is the purpose of the Data Protection Act 2018?
A
Controls how personal information can be used + right to ask for information about yourself
9
Q
Who does the DPA apply to?
A
Data controllers + processors
10
Q
What is the definition of a data subject?
A
Person whose data it is
11
Q
What is the definition of a data controller?
A
Company or person who decides on data’s use
12
Q
What is the definition of a data processor?
A
Whoever uses the data
13
Q
What does is UK GDPR and what does it stand for?
A
UK General Data Protection Regulation
Law designed to protect people’s personal data + privacy
Sets out how governments, companies + organisations can collect, store + use personal information
14
Q
What is the purpose of UK GDPR?
A
Law that relates to processing of personal data
Sits alongside DPA 2018
15
Q
When did the UK GDPR come into effect + who regulates it?
A
2021 (post Brexit)
Information Commissioners Office
16
Q
What Act implemented GDPR in the UK?
A
DPA 2018
17
Q
Who regulates GDPR in the UK?
A
ICO (Information Commissioners Office)
18
Q
How have consent conditions been strengthened under UK GDPR?
A
Consent must be given in plain + clear language (best practice to give this in writing)
Ability to withdraw consent at anytime
19
Q
What is a Data Protection Officer?
A
Responsible for monitoring internal compliance + obligations for data protection
Only required for entities involved in large scale processing of personal data
20
Q
What data is affected by UK GDPR + the DPA 2018?
A
Personal data
Sensitive personal data (including genetic + biometric data)
Electronic data
Manual data, e.g. business cards + written reports
21
Q
Could you provide examples of data held by surveying practices
A
Data relating to background checks by HR
Tenant information - personal details, lease agreement, payment history
Market data - information on property values + market trends
Client data - names, contact details, bank details
Maintenance records - records of maintenance requests, completed repairs
22
Q
Who are the key persons outlined in the UK GDPR / DPA 2018?
A
Controller - decides how + why personal data is used
Processor - handles personal data on behalf of controller
Data officer - oversees data protection + ensure compliance with rules
23
Q
What does the UK GDPR say about consent?
A
Sets high standard for consent
Consent must not be assumed
Pre-ticked are banned
Consent requires clear action - needs to be documented
Customers are allowed to withdraw at any time
24
Q
RICS best practice points for complying with GDPR?
A
Conduct a data review
Anonymise + encrypt data where possible
Understand data processing
25
Do you need to comply with UK GDPR + the DPA as a surveyor?
Yes – most UK property firms process personal client data
26
What are the main requirements under the Data Protection Act 2018?
An obligation to conduct data protection impact assessments for high risk holding of data
Data security breaches must be reported to ICO within 72hrs where there is a loss of personal data or harm to individuals
Data controller decides how + why personal data is processed + is directly responsible for GDPR
27
How long do you have to report a data breach to the ICO?
Within 72 hours of awareness
28
What are the principles of the DPA (6) + UK GDPR (7)? (SAIDPAL)
Storage limitation
Accuracy
Integrity + confidentiality (security)
Data minimisation
Purpose limitation
Accountability (UK GDPR)
Lawfulness, fairness + transparency
29
How do you comply with UK GDPR / DPA in your role?
Don’t share confidential information
Ensure I have written consent from individuals before processing their personal data, e.g. get written permission from tenants before passing details onto contractors
Ensure all consent is documented + uploaded to shared files
I report any suspected breaches
30
What does Principle 1: Storage limitation mean?
Must not keep personal data for longer than we need it
Amount of time for which data is kept depends on intended purpose
Must check how long we can keep personal data + delete when no longer required
Can find information in Company’s Information + Document Retention policies
31
What does Principle 2: Accuracy mean?
Must take all reasonable steps to ensure personal data is correct, not misleading + kept up to date
Must accurately record any personal data, document any sources + ensure errors rare rectified as soon as possible
32
What does Principle 3: Security, integrity + confidentiality mean?
Must have appropriate measures in place to keep any personal data we store or process secure
This includes technical + organisational measures
Measures are not limited to digital data but also cover paper records
Includes protection against unauthorised or unlawful processing + accidental damage, destruction or damage
33
What does Principle 4: Data minimisation mean?
Personal data must be limited to what is adequate, relevant + necessary to meet stated purpose
Must not collect more data than we need – makes it harder to keep everything up to date
34
What does Principle 5: Purpose limitation mean?
We must only use personal data for specified, explicit + legitimate purposes
Need to be clear about why we are collecting personal data + document this
35
What does Principle 6: Accountability mean (UK GDPR)?
Companies must take responsibility for what they do with personal data, comply with the principles + be able to demonstrate compliance
Do this by having data protection policies, having contracts when sharing personal data with third parties + carrying out risk assessments for high-risk processing
36
What does Principle 6 (DPA) + 7 (UK GDPR): Lawfulness, fairness + transparency mean?
Must have valid grounds for collecting + using personal data + document this
Nothing should be done with data that breaches other laws
We must treat people fairly + only use personal data in a way they would reasonably expect
We need to tell people, via privacy notices, who we are + how + why we will use their data
37
What individual rights exist under the DPA 2018 / UK GDPR? (RADIOERA)
Right to rectification
Right of access
Right to data portability
Right to be informed
Right to object
Right to erasure
Right to restrict processing
Rights in relation to automated decision making + profiling
38
What is the purpose of the 8 rights under DPA 2018 / UK GDPR?
Rights give people greater control over how their personal data is used
39
Talk me through the individual right to be informed under the DPA 2018 / UK GDPR?
Must tell people purpose for processing, how long we will keep data for + who else we will share it with
This should be done at the time when we collect their personal data
40
Talk me through the individual right of access under the DPA 2018 / UK GDPR?
Individuals have the right to access + get copy of personal data
This allows individuals to check how + why you are using personal data
This is done by submitting a Data Subject Access Request (DSAR)
41
Talk me through the individual right to rectification under the DPA 2018 / UK GDPR?
Individuals have the right to ask to correct any errors in personal data or make records complete if data is missing
Sometimes, can refuse to do this but only in certain circumstances
42
Talk me through the individual right to erasure under the DPA 2018 / UK GDPR?
Individuals have the right to ask to delete their personal data
This right is not absolute + only applies in certain circumstances
43
Talk me through the individual right to restrict processing under the DPA 2018 / UK GDPR?
Individuals can ask to restrict or suppress processing of personal data
This limits how data is used
If this happens, personal data will be stored but not used until decision is made
44
Talk me through the individual right to data portability under the DPA 2018 / UK GDPR?
Individuals have the right to obtain + reuse personal data for different things
Can ask to transfer personal data to another IT system
Must be able to do this in a safe + secure way without hinderance
45
Talk me through the individual right to object under the DPA 2018 / UK GDPR?
Individuals have the right to stop us processing their personal data in certain circumstances, e.g. for marketing purposes
Must comply unless compelling reason to do so, e.g. to process a legal claim
46
Talk me through the individual rights on automated decision-making, e.g. profiling under the DPA 2018 / UK GDPR?
Individuals have the right to stop us from using personal data for automated decision-making (decisions made without human involvement)
Can only do this if it is necessary to enter or fulfil a contract if its legally authorised, or if have explicit consent
47
What is a DSAR?
Data Subject Access Request
Formal request made by an individual to an organisation, asking for access to personal data that organisation holds about them
This right is granted under GDPR
Organisations have 1 month to respond to requests
48
What details can you request when you make a DSAR?
Data being processed
Purposes of processing
Who the data is shared with
49
Can an organisation refuse a DSAR?
Can only refuse if an exception or restriction applies, or if excessive
If refuse to comply, must explain why
50
Can someone ask you to tell them what personal data you hold about them?
Yes
51
What are the penalties under the Data Protection Act 2018 / UK GDPR?
Fines up to 4% global turnover of the company or £17.5 million (whichever is greater)
52
How long do you have to hold data for under the Data Protection Act 2018?
Should only keep data for as long as you need it
No specific time limit for how long you can keep data for, but must be able to justify length of time for retention
Organisations must assess + justify their data retention periods based on specific processing activities + legal obligations
53
How might a data breach occur in your office?
Lost or stolen devices
Phishing/whaling (CEO fraud)
Unauthorised access, i.e. someone hacking into your device
Human error, e.g. sending an email to the wrong person or accidently deleting an important file
Malware (software designed to gain access to your computer systems)
54
What is phishing/whaling/CEO fraud?
Tricking people into giving away personal information by pretending to be a trustworthy source
55
What is ransomware?
Type of malicious software (malware) that locks individuals’ files + demands money to unlock them
56
What percentage of data breaches is it estimated that a company’s own employees may account for?
50%
57
Could a Professional Indemnity Claim be based on lost or corrupted data?
Yes
58
How would you ensure data security or avoid a data breach?
Change password every 30 days for protection
Never leave devices unattended or unlocked
Never click on any suspicious email attachments or links
Make use of two-step authentication
Receive regular training
Ensure devices are automatically updated
Back up data
Encryption
59
Give me an example of how you ensure that data is kept securely
Always ensure to lock my computer when I am leaving my workspace in the office
Outside office – will never leave devices unattended
60
Give me an example of how you process + handle confidential information
Don’t disclose details of client’s contact information to tenants or contractors
Also don’t disclose tenant’s details with contractors without their permission
61
What is encryption?
Process used to protect sensitive information by converting it from a readable format (plaintext) into an unreadable format (ciphertext)
This ensures that only authorised parties can access the information
62
What is a firewall?
Network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules
Establishes a barrier between a trusted network and an untrusted network, e.g. internet
63
What is your company’s policy for data protection breaches?
Policy is in accordance with legislation
Following breach, contact IT + compliance with details of what has happened
If breach is via an email, recall email as soon as possible
Do not discuss breach with anyone other than line manager until cleared to do so by head of IT or DPO
Wait further instructions from team
64
What would you do in the event of a data breach?
Must advise IT and compliance as soon as possible, providing details of what has occurred
Other than line manager, do not discuss with anyone else until cleared to do so by Head of IT (Tim Spencer) or DPO (Joanne Dick)
Compliance will update the Data Breach Log and IT will log the loss of any equipment. Police maybe advised if appropriate
Client will also be advised where appropriate
DPO will be responsible for advising the ICO of any significant data breach using ICO’s Data Breach Notification form
65
What does your company’s policy say about data retention?
CJ should only keep data which can be used to identify individuals for as long as is necessary for purposes of requirements
Corporate policy is to store data in the archives for a maximum of 15 years
66
What does your firm’s policy on data protection say?
Policy is in accordance with relevant legislation
Should make sure personal data held is not shared with anyone (unless necessary for related business activity or individual is aware + has given consent)
Data must be kept securely on the system or in manual files (recommended to scan handwritten notes + keep on system as this is more secure)
Data must be retained for the minimum period necessary
Head of IT + DPO are responsible for managing data breaches
Policy is reviewed annually by DPO
67
How do you apply your firm’s data protection policy?
Upload all data to our shared system + scan all hand-written notes
Do not share any personal data unless I have obtained written consent from individual
Take my laptop home after work + don’t leave it in the office
68
What does the Data Protection Bill 2017 do?
Updates UK’s data protection laws to align with EU’s GDPR
69
What do the Privacy + Electronic Communications Regulations 2003 (amended 2016) relate to?
Extra data protection rules for e-communications, e.g. consent for marketing emails + website cookies
Consent from receipts for these to be received must be provided expressly (i.e. opt-in check box)
70
What legislation specifically relates to data held by public bodies?
Freedom of Information Act 2000
71
What is the Freedom of Information Act 2000?
Gives the public the right to access information held by public authorities
The RICS is not a public authority, so it does not give public a right to access information held
72
How must a request be made by a member of the public under the FOI Act 2000?
In writing
73
How long does the public body have to respond under the FOI Act 2000?
20 days
74
Does a public body have to respond under the FOI Act 2000?
Yes – either with the information (plus a charge for processing) or refusal (with an explanation)
75
Are there any exemptions under the FOI Act 2000?
Yes – too expensive to provide, unreasonable, not in the public interest
76
What legislation relates to the disposal of old files?
Limitation Act 1980
77
What is an AVM?
Automated Valuation Model
Software based tool that uses algorithms + data, such as property details + market trends, to provide property valuations
Different types of AVM that are used in the market, some wholly automated + others blended with human input, e.g. Valos
78
When is an AVM viable?
When there is sufficient + accurate data which facilitates higher quality valuations
79
List some advantages + disadvantages of using an AVM
Advantages – saves time, money + resources, creates level of certainty, reduces human element in relation to fraud risk
Disadvantages – requires accurate market data (not always available), data sources may not be regularly updated, property may not be physically inspected + certain characteristics may be missed
80
What is EDM
Electronic Document Management
81
What does an EDM do?
Collection of technologies that work together to provide a comprehensive solution for managing electronic assets
82
What is copyright?
Author of original work has exclusive rights to control distribution of work
83
Can copyright be licensed assigned or transferred?
Yes – it is an intellectual property right
84
Who would usually own the copyright of a valuation report?
The surveyor, the client is licensed to copy it in connection with the purpose
85
What is a DPIA?
Data Protection Impact Assessment
Process to identify possible risks from the processing of personal data
Important tools to minimise risk + demonstrate compliance with GDPR
86
How does your company store data?
Carter Jonas has an iManage Document Management System, known as DMS
Everything is saved into DMS, including correspondence
Job spaces are retained for 6 years unless otherwise specified with a client
87
What are the benefits of cloud-based storage systems?
Access from multiple users at one time
Allows a large amount of data to be stored
Info backed up securely on securely encrypted servers
Environmentally friendly + cheaper
88
What are the RICS recommendations for using confidential information?
Keep secure record of consent for data processing
Maintain confidentiality of information without explicit permission from party
Check if have appropriate contractual clauses to use information
89
What types of agreements are available in relation to confidential information?
Non-disclosure Agreement (NDA)
Confidentiality Agreement (CA)
Confidential Disclosure Agreement (CDA)
90
What is a non-disclosure agreement (NDA)?
Legal contract where parties agree to keep shared information confidential
Sets out restrictions on receiving party’s use, disclosure + return of a disclosing party’s confidential information + parties’ related rights + obligations
91
What is a confidentiality agreement (CA)?
A general term for any agreement where parties agree to keep certain information private
92
What is a confidential disclosure agreement (CDA)?
Contract where parties agree to keep shared information confidential (similar to NDA but often used in research + development)
93
Tell me about how you extract data from a source regularly used in your role?
I extract data from Rightmove when conducting valuations
E.g. sold property values, sold dates + property characteristics
94
What information should be included in firm’s privacy notice?
What information you hold
How it will be used
How long it will be held for
Which third parties it will be shared with
Legal rights
95
In a property management context, what would you do if a contractor asked for a tenant’s number?
Ask permission from tenant + confirm in writing
96
How do you source title information?
HM Land Registry
97
Are electronic signatures accepted by the Land Registry?
Yes
98
What are the limitations of primary/secondary data sources?
Primary – time consuming + expensive, may be element of bias
Secondary – may not be reliable (depends on original data collection methods), may be outdated
99
What are the disadvantages of the systems you use?
Rely on others for data input – potential for human error
If not updated regularly, data may be incorrect
100
What is the importance of diarising trigger dates for property management?
Allows property managers to plan ahead for rent reviews + lease renewals
To keep track of key dates for lease renewals, rent reviews – ensures lease obligations are met
To ensure property is compliant + maintained
To maintain tenant relationships
101
What is cyber security?
Includes technology, policies + procedures in place to protect data against cyber-crimes, e.g. hacking or ransom attacks
102
Is there any RICS guidance on data protection?
Useful page on ‘client relationships + handling data’
Developed in response to new Rules of Conduct
Provides guidance on various areas, including data handling (to do with personal data) + data security + retention (to do with data breaches, data retention, cybercrime, etc.)
103
Which Rule of Conduct underpins data protection?
Rule 3 (members + firms must provide good-quality + diligent services)
104
How long should you hold a client’s file for?
Should be retained only for as long as necessary
Specific retention period will vary depending on type of data + purpose for which it was collected
My firm’s policy has a maximum retention period of 15 years
105
How do your company securely keep data?
Make use of a shared system called DMS which allows data to be electronically uploaded
Provides regular training on relevant legislation + importance of security measures
Provides password protection measures + two-step authentication
Provides a policy on data protection – includes measures such as never leaving devices unattended or unlocked
Data protection policy is reviewed annually
