Data Management Flashcards
What are the GDPR consumer rights?
A – Access
C – Consent
C – Correction
E – Erasure
P – Data Portability
ACCEP
(Accep your rights)
What regulation governs laws on data protection and privacy?
UK General Data Protection Regulation 202
Article 5 of GDPR requires that personal data should be what? Name at least 3.
Processed lawfully, fairly and in a transparent manner (PLT)
Adequate, relevant, and limited to what is necessary
Collected for specified explicit and legitimate purposes
Kept in a form that permits identification of data for no longer than is necessary
Accurate and kept up to date, where necessary
Processed in a manner that ensures appropriate security of personal data.
PACKAP
What is the maximum GDPR fine set by UK GDPR and DPA 2018?
17.5 million or 4% of annual global turnover (whichever is higher).
Data offences can be punished by what? Name two (excluding fines).
Warnings
Temporary or permanent ban on data processing
What is DPA 2018?
Data Protection Act 2018
UK’s implementation of GDPR
Are you aware of the Freedom of Information Act 2000?
Yes, it provides the public access to information held by public authorities.
How do FOI Act 2000 requests work?
Must be in writing
What security measures can you use to protect data?
Password protection
Security markings
Physically locking storage units
Encryption, firewalls
Two factor authentication
What best practices would you encourage in terms of managing data?
Cross reference computer with hard copy
Back up IT systems
Write once, read many times
Keep an audit trail
Ensure electronic signatures cannot be altered (send PDFs, not Word documents).
Tell me what you know about GDPR.
General Data Protection Regulation
Article 5 sets out the consumer rights, which include the right to be informed, the right to access, the right to erase, the right to correct and the right to withdraw consent.
What is the definition of personal data?
Personal data is any information that relates to an identified or identifiable person.
What is encryption/firewalls/blockchain?
Encryption is a means of securing data by encoding it mathematically such that it can only be read, or decrypted, by those with the correct key or cipher.
A firewall is a network security device that monitors traffic to or from your network. It allows or blocks traffic based on a defined set of security rules.
A blockchain is a digitally distributed, decentralized, public ledger that exists across a network.
Tell me about how you extract data from a source regularly used in your role.
Internal database – CDB for rental information
Set parameters for data to refine prior to download
Use filters in Excel to refine the data to what I need
What is an electronic document management system (EDMS)?
Software package designed to manage electronic information and records within an organisation’s workflow.
Give me an example of how you ensure that data is kept securely.
Permission levels, backup systems, sensitivity tags
How do you validate information?
Cross check with another source
Call to get further information / confirm details
Adopt a common sense approach
What are pros/cons of primary data sources?
Pros
Greater control (type of data, design, method)
May be more accurate
Cons
Expensive (may make it more difficult)
Time consuming
What are pros/cons of secondary data sources?
Pros
Easily accessible
Affordable
Cons
May lack reliability
May be outdated
You shared rental evidence with an agent for rating purposes, did you have permission to share that information?
Yes – the Valuation Office Agency (VOA), as an executive agency of HMRC, is subject to the Commissioners for Revenue and Customs Act 2005 (CRCA).
Can other colleagues access information you are working on?
No. If they are in a different team, e.g. DVS, then they will not be able to access information stored for rating purposes.
Freedom of Information Act 2000 exemptions?
Personal data
National security
Tell me more about the Data Protection Act 2018.
The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.
What regulation covers sharing data?
Commissioners for Revenue and Customs Act 2005
CRCA
Benefits of cloud-based systems?
Information is backed up on encrypted servers
Accessibility can be managed via online settings
Cheaper than physically storing and managing files
More convenient to send and share files online instead of mailing physical copies
Meaning of a non-disclosure agreement?
Used to protect against the disclosure or sharing of any confidential data.
Who are the key persons outlined within GDPR?
Controller – person who determines the purpose and means of processing personal data, e.g. the employer.
Processor – person who processes personal data on behalf of the controller, e.g. a call centre acting on behalf of its client.
Data Protection Officer – leadership role required by EU GDPR. Responsible for overseeing the data protection approach strategy and implementation.
What should companies put into place to ensure GDPR compliance?
Raise awareness across the business
Audit personal data
Review procedures supporting individual rights
Identify and document the legal basis for processing personal data under GDPR
Train staff and give them the information
What personal and confidential information does the VO hold?
Personal data relating to VOA employees
Emails containing sensitive or confidential information
Customer correspondence received in confidence
Customer records
Property information
Contractual information
Define what disclosure means.
The sharing of information with others
What does CRCA set the VO’s functions as?
Producing rating lists
Council tax valuation lists
Valuation of property
What two ways does the Freedom of Information Act provide the public with access to information held by public authorities?
Public authorities are obliged to publish certain information about their activities.
Members of the public are entitled to request information from public authorities.
When would you disclose information about taxpayers (or their properties) or our customers to third parties?
In line with CRCA 2005:
If essential for one of our functions
In line with legislation or statutory gateway under LGFA
With consent of the taxpayer, customer or client
For civil proceedings such as valuation tribunal hearings
How would you deal with someone requesting to access their own personal information?
There is a deadline of one month to respond to a request. I would immediately forward any request in which a requester asks for their own information to the SAR inbox by email.
How would you deal with a Freedom of Information request?
Check the request is made in writing (email/letter)
Check it includes the requester’s name and address and clearly describes the information wanted.
Forward request to FOI inbox team
How do you store data?
When gathering data for any reason I always ensure that I place it within the VOA’s secure drives. Case documents go in restricted drives that only certain staff can reach.
Why did you use external sources for the house in Newport?
This was to verify the information held on the VOA database to ensure correct information was being used.
How did you restrict the files for the house in Newport?
I ensured the files set up had permissions set for only the people working on the project.
What advice did you provide for the land in Worcestershire?
This was an analysis of a land sale in the county. Following this I saved the data in secured files in a database showing its price per acre and what the land was used for.
Where was the data stored?
Two secured VOA drives: one so that the valuer can download the sale alongside others when needed, and another database I created to describe what the land was for.
What advice did you provide for the land in Herefordshire?
I advised my supervisor of the database I created for them to use in a development appraisal; this included house sales and land sales.
What are the seven principles of GDPR?
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
What is a data controller?
Determines the purposes and means of processing personal data.
What is a data processor?
Processes personal data only on behalf of the controller.
What is discrete data?
Discrete data is information that can only take certain values, such as the profit of a company.
What is continuous data?
Continuous data is data that can take any value, such as height, weight or temperature.
How long to report a data breach?
48 hours to report internally
72 hours to report to the Information Commissioner’s Office (a legal requirement).
What is CRCA?
The Commissioners for Revenue and Customs Act (CRCA) 2005 is the Act of Parliament that created HM Revenue and Customs (HMRC) in April 2005. The Act also puts the functions formerly undertaken by the Valuation Office Agency in respect of the valuation of property on a statutory footing, referring specifically to the Valuation Office Agency (VOA) in section 10.
Where are the functions of the VOA stored?
Schedule 1 Section 7 and Section 10 of CRCA
What does section 7 refer to?
Rating Lists and Council Tax Valuation Lists, and the valuation of property.
What does section 10 refer to?
Allows the VOA to provide a valuation of property:
- For any purpose relating to the functions of HMRC [being for Rating Lists and Council Tax Valuation Lists, or HMRC functions such as Inheritance Tax];
- At the request of a public authority [allowing Property Services to undertake work for other public bodies];
- At the request of any other person, if the valuation is necessary or expedient, in connection with:
  - (i) the exercise of a function of a public nature; or
  - (ii) the management of money or assets received from a person exercising functions of a public nature;
- To advise about matters connected to the valuation of property [this is the test against which the VOA determines the work it can do].
What does section 17 refer to?
Allows sharing of information held for one function with another function (within HMRC and the VOA).
What does section 18 refer to?
Sets out the circumstances in which HMRC and the VOA may disclose information outside HMRC and the VOA [Note – it doesn’t say we must supply].
What does section 19 refer to?
It is a criminal offence for VOA officers to disclose VOA information that either identifies a legal person or enables their identity to be deduced, when the disclosure is not covered by the circumstances set out in section 18.
What do sections 20 and 21 refer to?
Cover when information can be disclosed where it is either in the public interest or is to a prosecuting authority.
What do sections 22 and 23 refer to?
Relate to the rights to information under GDPR and FOIA and set out how these requests should be treated.
Which regulation within the Non-Domestic Rating (Alterations of Lists and Appeals) England allows the VO to share information such as FOR details which relate to the grounds of the proposal?
Regulation 9 (7)
Or
Section 18 of the Commissioners for Revenue and Customs Act would also allow the VO to disclose FOR information if it is for the purpose of one of our functions.
Which regulation within the Valuation Tribunal for England (Council Tax and Rating Appeals) (Procedure) Regulations 2009