Data Management Flashcards
What are the GDPR consumer rights?
A - Access
C – Consent
C - Correction
E – Erasure
P – Data Portability
ACCEP
(Accep your rights)
What regulation governs laws on data protection and privacy?
UK General Data Protection Regulation 202
What is the maximum GDPR fine set by UK GDPR and DPA 2018?
20 million euros (£17.5 million) or 4% of annual global turnover (whichever is higher).
Data offences can be punished by what? Name two (excluding fines).
Warnings
Temporary or permanent ban on data processing
What is DPA 2018?
Data Protection Act 2018
UK’s implementation of GDPR
Are you aware of the Freedom of Information Act 2000?
Yes, it provides the public access to information held by public authorities.
How do FOI Act 2000 requests work?
Must be in writing
What security measures can you use to protect data?
Password protection
Security markings
Physically locking storage units
Encryption
Firewalls
Two factor authentication
What best practices would you encourage in terms of managing data?
Cross reference computer with hard copy
Back up IT systems
Write once, read many times
Keep an audit trail
Ensure electronic signatures cannot be altered (send PDFs, not Word documents).
Tell me what you know about GDPR.
General Data Protection Regulation
Article 5 sets out the consumer rights, which include the right to be informed, the right to access, the right to erase, the right to correct and the right to withdraw consent.
What is the definition of personal data?
Personal data is any information relating to an identified or identifiable person.
What is encryption/firewalls/blockchain?
Encryption is a means of securing data by encoding it mathematically such that it can only be read, or decrypted, by those with the correct key or cipher.
A firewall is a network security device that monitors traffic to or from your network. It allows or blocks traffic based on a defined set of security rules.
A blockchain is a digitally distributed, decentralized, public ledger that exists across a network.
Tell me about how you extract data from a source regularly used in your role.
Internal database – CDB for rental information
Set parameters for data to refine prior to download
Use filters in Excel to refine the data to what I need
What is an electronic document management system (EDMS)?
Software package designed to manage electronic information and records within an organisation’s workflow.
Give me an example of how you ensure that data is kept securely.
Permission levels, back up systems, sensitive tag
How do you validate information?
Cross check with another source
Call to get further information / confirm details
Adopt a common sense approach
What are pros/cons of primary data sources?
Pros
Greater control (type of data, design, method)
May be more accurate
Cons
Expensive (may make it more difficult)
Time consuming
What are pros/cons of secondary data sources?
Pros
Easily accessible
Affordable
Cons
May lack reliability
May be outdated
You shared rental evidence with an agent for rating purposes, did you have permission to share that information?
Yes - The Valuation Office Agency (VOA), as an executive agency of HMRC, is subject to the Commissioners for Revenue and Customs Act 2005 (CRCA)
Can other colleagues access information you are working on?
No. If they are in a different team (e.g. DVS), they will not be able to access information stored for rating purposes.
Freedom of Information Act 2000 exemptions?
Personal data
National security
Tell me more about the Data Protection Act 2018.
The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.
What regulation covers sharing data?
Commissioners for Revenue and Customs Act 2005
CRCA ACT
Benefits of cloud-based systems?
Information is backed up by encrypted servers
Accessibility can be managed via online settings
Cheaper than physically storing and managing files
More convenient to send and share files online instead of mailing physical copies
Meaning of a non-disclosure agreement?
Used to protect against the disclosure or sharing of any confidential data.
Who are the key persons outlined within GDPR?
Controller – person that determines the purpose and means of processing personal data e.g. the employer.
Processor – person that processes personal data on behalf of the controller, e.g. a call centre acting on behalf of its client.
Data Protection Officer – leadership role required by EU GDPR. Responsible for overseeing the data protection strategy and its implementation.
What should companies put into place to ensure GDPR compliance?
Raise awareness across the business
Audit personal data
Review procedures supporting individual rights
Identify and document the legal basis for processing personal data under GDPR
Train staff and give them the information
What personal and confidential information does the VO hold?
Personal data relating to VOA employees
Emails containing sensitive or confidential information
Customer correspondence received in confidence
Customer records
Property information
Contractual information
Define what disclosure means.
The sharing of information with others
What does CRCA set the VO’s functions as?
Producing rating lists
Council tax valuation lists
Valuation of property
What two ways does the Freedom of Information Act provide the public with access to information held by public authorities?
Public authorities are obliged to publish certain information about their activities.
Members of the public are entitled to request information from public authorities.
When would you disclose information about taxpayers (or their properties) or our customers to third parties?
In line with CRCA 2005:
If essential for one of our functions
In line with legislation or statutory gateway under LGFA
With consent of the taxpayer, customer or client
For civil proceedings such as valuation tribunal hearings
How would you deal with someone requesting to access their own personal information?
There is a deadline of one month to respond to a request. I would immediately forward by email any request where a requester asks for their own information to the SAR inbox.
How would you deal with a Freedom of Information request?
Check the request is made in writing (email/letter)
Check it includes the requester’s name and address and clearly describes the information wanted.
Forward request to FOI inbox team
How do you store data?
When gathering data for any reason I always make sure to place it within the VOA’s secure drives. Case documents go in restricted drives which only certain staff can access.
Where was the data stored?
Two secured VOA drives. One so that the valuer can download the sale alongside others when needed and another database I created to describe what the land was for.
What are the seven principles of GDPR?
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
What is a data controller?
Determines the purposes and means of processing personal data.
What is a data processor?
Processes personal data only on behalf of the controller.
What is discrete data?
Discrete data is information that can only take certain values, such as the profit of a company.
What is continuous data?
Continuous data is data that can take any value, such as height, weight or temperature.
How long to report a data breach?
48 hours to report internally
72 hours to report to the Information Commissioner’s Office (legal requirement)
What is CRCA?
The Commissioners for Revenue and Customs Act (CRCA) 2005 is the Act of Parliament that created HM Revenue and Customs (HMRC) in April 2005. The Act also puts the functions formerly undertaken by the Valuation Office Agency in respect of the valuation of property on a statutory footing, specifically referring to the Valuation Office Agency (VOA) in section 10.
Where are the functions of the VOA stored?
Schedule 1 Section 7 and Section 10 of CRCA
What does section 7 refer to?
Rating Lists and Council Tax Valuation Lists, and the valuation of property.
What does section 10 refer to?
Allows VOA to provide a valuation of property:
For any purpose relating to the functions of HMRC [being for Rating Lists and Council Tax Valuation Lists, or HMRC functions such as Inheritance Tax];
At the request of a public authority [allowing for Property Services to undertake work for other public bodies];
At the request of any other person, if the valuation is necessary or expedient, in connection with:
(i) the exercise of a function of a public nature; or
(ii) the management of money or assets received from a person exercising functions of a public nature;
To advise about matters connected to the valuation of property [this is the test against which VOA determines the work it can do].
What does section 17 refer to?
Allows sharing of information held for one function with another function (within HMRC and VOA).
What does section 18 refer to?
Sets out the circumstances when HMRC and VOA may disclose information outside HMRC and VOA [Note – it doesn’t say we must supply].
What does section 19 refer to?
It is a criminal offence for VOA officers to disclose VOA information that either identifies a legal person or enables their identity to be deduced when it is not covered by the circumstances set out in section 18.
What do sections 20 and 21 refer to?
Cover when information can be disclosed where it is either in the public interest or is to a prosecuting authority.
What do sections 22 and 23 refer to?
Relate to the rights to information under GDPR and FOIA and set out how these requests should be treated.
Which regulation within the Non-Domestic Rating (Alterations of Lists and Appeals) England allows the VO to share information such as FOR details which relate to the grounds of the proposal?
Regulation 9(7)
Or
Section 18 of the Commissioners for Revenue and Customs Act would also allow the VO to disclose FOR information if it is for the purpose of one of our functions.
What legislation does VOA follow regarding data protection?
General Data Protection Regulation 2016 (GDPR) / Data Protection Act 2018 (the UK’s implementation of the GDPR). The GDPR gives people the right to access their own information and came into force in May 2018. This legislation modernises laws due to rapid technological changes and gives individuals more control of their information.
What must you ensure regarding section 18 to section 23 of the Commissioners for Revenue and Customs Act 2005?
You must ensure you are aware of the implications when considering disclosure about taxpayers and our clients.
How should we deal with data?
Keep only what you need, do not pass personal information, hold data securely, limit access to data, keep data up to date and delete where appropriate, and think about what data you are using in work.
What sources of data does VOA use?
VOA uses published sources of data such as CoStar (lease, sales, building information, and market knowledge reports) and the VOA Public Business Rates Portal for valuation and assessment information.
How does VOA collect data?
VOA collects data from ratepayers and representatives, forms of return (RALD), inspection, public domain, and subscription websites.
What must be done with the information collected by VOA?
All information must be securely stored, protected, and labelled for correct retrieval and manipulation.
What is essential to understand regarding the Freedom of Information Act 2000?
It is essential to understand the rights of individuals to request the information which we hold on them.
What are the 7 principles for the lawful processing of personal data?
Lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitations; integrity and confidentiality (security); accountability.
What are the 8 GDPR rights?
Right to be informed, right to access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, rights to automated decision making and profiling.
What constitutes a personal data breach?
Personal data breaches include losing personal data, accidentally sending personal data to an incorrect recipient, and altering personal data without permission.
What are the penalties for breaching GDPR rights?
The penalty for non-compliance is up to 20 million euros (£17.5 million in the UK) or 4% of annual global turnover. HMRC and VOA may face investigation and sanctions from the Information Commissioner, and individuals could face criminal charges.
What is the Freedom of Information Act 2000?
It gives anyone a general right of access to recorded information held by public authorities and is enforced by the Information Commissioner. It provides two rights: to be told whether information is held and to have that information communicated, both subject to exemptions.
What are the exemptions under the Freedom of Information Act 2000?
Exemptions include contrary to GDPR requirements, prejudice to a criminal matter under investigation, and prejudice to a person’s/organisation’s commercial interest.
What is the ICO?
The ICO is the UK’s independent body set up to uphold information rights, responsible for regulating compliance with the Data Protection Act 1998, Freedom of Information Act 2000, and Environmental Information Regulations 2004.
What role does data management play in your day-to-day job?
Data management is essential for handling and organizing information effectively.
If you worked in private practice, would your considerations differ?
Yes, considerations would differ, such as no CRCA and handling client data to aid organization.
What does CRCA stand for?
CRCA stands for the Commissioners for Revenue and Customs Act.
What does Section 18 of CRCA 2005 refer to?
Section 18 refers to confidentiality and disclosure, outlining conditions under which Revenue & Customs officials may disclose information.
What is the maximum prison time for wrongful disclosure under the CRCA?
The maximum prison time is two years.
What is the ICO?
ICO stands for Information Commissioner’s Office.
What are the five principles of better regulation?
The five principles are Proportionality, Accountability, Consistency, Transparency, Targeting.
What does TARGETING mean in Principles of Better Regulation?
TARGETING means regulation should focus on the problem and minimize side effects.
What are the data protection principles under the DPA 2018?
The principles are: LAWFUL, SPECIFIED, RELEVANT, ACCURATE, TIMELY, SECURE.
Who has to comply with the data protection principles in the DPA 2018?
Everyone responsible for using personal data must comply.
What is the Freedom of Information Act 2000?
It gives individuals the right of access to information held by public bodies, which must be supplied within 20 working days.
What is an SAR?
An SAR is a Subject Access Request, giving individuals the right to obtain a copy of their personal data.
What does an individual obtain from an SAR?
An individual is entitled to confirmation of processing, a copy of their personal data, and other supplementary information.
What are the individual rights under UK GDPR?
The rights include: right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, rights related to automated decision making.
What are the principles of UK GDPR?
The principles are: Lawfulness, fairness and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality; Accountability.
Who are the key persons outlined within GDPR?
Key persons include Controller, Processor, and Data Protection Officer (DPO).
How would you ensure data management for two competing clients?
You would implement an information barrier/Chinese wall and ensure informed consent is gained.
Why could you provide FOR information under section 18 of the CRCA?
Disclosure is made for the purposes of a function of HMRC.
What legislation prevents an agent from taking photos of an FOR?
Regulation 17(4)(b)(ii) of The Valuation Tribunal for England (Council Tax and Rating Appeals) (Procedure) Regulations 2009.
How did you verify the evidence you provided in this case?
Verification was done through appropriate checks and documentation.
What advice did you give for your Reval inspections?
Advice focused on verifying information and ensuring it is up to date.
Why was it important to undertake the task for Reval?
It was important to verify information and increase its reliability.
Is the Electronic Document Management 1st edition current guidance?
No, it has been archived, and updates should be checked before acting on it.
How did you determine which transactions were non-useful for your sales verification task?
Determination was based on specific criteria for usefulness.
What is a Subject Access Request (SAR)?
SAR is a request made by an individual to access their personal information that is held by an organisation.
SAR may ask some or all of the following:
What personal information an organisation holds about the individual
How the organisation uses it
Who the information is being shared with
Where the information came from
FOR viewing, what is regulation 17?
It is located in Valuation Tribunal for England regulations 2017
What does it set out?
Gives directions that:
Evidence should be submitted to all parties two weeks prior to the hearing
Have to wait 24 hours to request to view any information
Make a copy of the information but not a photographic copy
What information did you retract?
Any information which could identify the occupier
What does CRCA stand for?
Commissioners for Revenue and Customs Act 2005
What are the key principles of the Data Protection Regulation?
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity
What does the Data Protection Act Set out?
Tell me about how you extract data from a source regularly used in your role?
How do you validate information?
What does the freedom of Information Act (2000) set out?
What are some of the reasons why a FOIA request for information may be refused?
Reasons for refusal:
Prejudice criminal matter under investigation or a person’s commercial interest
Too costly or too much staff time
The request is vexatious (causing annoyance, frustration, or worry)
The request repeats a previous request from the same person
Contrary to GDPR
Any recent high profile fines you are aware of regarding Data breaches?
Meta – €1.2 billion (May 2023): Was fined after an Irish court ruled that it violated GDPR laws related to data transfers between the EU and the US.
Amazon – €746 million (2021): Imposed on Amazon Europe by Luxembourg’s National Commission for Data Protection, after establishing that Amazon was not getting consent from its users before storing advertisement cookies.
Instagram – €405 million (September 2022): Irish Data Protection Commission (DPC) fined Instagram for violating children’s privacy online, including publishing kids’ phone numbers and email addresses.