Data Management Flashcards
What is the Data Protection Act 2018
UK-specific law that supplements and tailors GDPR
Extends the enforcement powers of the Information Commissioner's Office beyond those contained within GDPR
Key features of the Data Protection Act 2018
Controls how personal information is used by organisations, businesses or government
Stipulates how data must be handled & stored
Must be used for explicit, specified purposes
Must be used fairly, lawfully & transparently
Provides for stronger protection for more sensitive info such as race/ethnicity or health conditions
What is your understanding of GDPR
General Data Protection Regulation 2016
Regulation that sets guidelines for the collection & processing of personal information
What Data does GDPR cover?
All personal data, which includes any information relating to a living identified or identifiable person, i.e. names, addresses, email addresses, ID numbers
How long can data be maintained for?
No single rule for how long data can be maintained/stored. Legislation requires that the data controller stores the information only for as long as is strictly necessary to complete the task the data was collected for
RICS generally recommends keeping client-related info for a minimum of 6 years after completion of the task to cover any potential disputes or claims that may arise
How does Data need to be disposed of?
Data stored on computers, servers or other digital formats must be deleted in a way that it cannot be recovered
Hard copies - personal data should be shredded or incinerated
If third-party disposal is used, the organisation is responsible for ensuring the third party follows proper security practices and must formalise this in a contract
What do you have to provide an individual if asked about data held on them?
Your purpose for processing their personal data
The retention periods for that data
Their own personal data
Who it will be shared with
What timescale do you have to respond to an access information request?
No later than 1 calendar month - GDPR
What do you do if they request data is removed/deleted/destroyed?
GDPR introduced the right for individuals to have their data erased.
Only applies if the information is not exempt from the right to erasure
And it should be done without undue delay
What internal data systems do you use? How do you ensure they are accurate, up to date and compliant? How do these systems differ?
Act in line with Data Protection Act & UK GDPR
Use remote access servers & password-protect all devices
Clear desk policy
Clear retention schedule and archiving procedure
All physical records are stored in locked filing cabinets in a secure room
What is the key difference between the UK GDPR & EU GDPR?
UK GDPR is enforced by the Information Commissioner's Office (ICO)
Has some specific provisions for the UK context such as rules for data transfer between the UK & EU
How would you consider the impact of AI on firms?
Firms must adapt their data management practices to leverage AI effectively, while addressing the associated challenges to ensure responsible & efficient use of data
What are you considered as under GDPR?
Data Controller - handling sensitive client data, i.e. Proof of Funds
Data Processor - does not decide how data is used but abides by the organisation's protocol, such as being subcontracted to carry out a valuation for a bank
If home or hybrid working, how would you deal with cyber security?
Firm uses a VPN to access our local network. If not connected to this (password protected), files cannot be accessed
Only authorised to use work devices and not personal ones
What rights do people have under the Data Protection Act?
Right to erasure
Object to their data being used
Right to correct information
Right to ask how their data is being used
Can you name any of the 8 principles covered in the Data Protection Act 2018?
Accountability
Fair & Lawful Use
Transparency
How does GDPR affect your work activities?
Must ask permission to contact people & collect data, i.e. for adding people to our mailing list
What kind of data do you work with?
Documents
Files
Books
Internet Sources