Data Management (Level 3) - General Flashcards
What key UK law are you aware of in relation to Data Management?
Data Protection Act (2018)
What does the Data Protection Act (2018) apply to?
The UK.
What is the purpose of the Data Protection Act (2018)?
- It is the UK’s implementation of the General Data Protection Regulation (GDP) and includes provisions specific to the UK.
- It governs how personal data should be processed in order to protect the privacy rights of individuals.
How does the DPA 2018 align to regulation or GDPR?
- The DPA 2018 incorporates the GDPR into UK Law, ensuring data protection rules align with the EU-wide regulation.
- It provides a framework for processing personal data in the UK, consistent with GDPR standards.
What types of data is covered within the DPA 2018?
- Personal data = Information that can identify an individual directly or indirectly
- Sensitive Personal Data (Special Category Data) = Includes data about racial or ethnic origin, political opinions, religious beliefs, health, sexual orientation, genetic data, and biometric data.
What principles of Data Processing are you aware of that are outlined within DPA 2018?
- Lawfulness, Fairness and transparency
- Purpose Limitation
- Data Minimization
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
What rights do data subjects have under the DPA 2018?
- Right to be informed
- Right of Access
- Right to Rectification
- Right to Erasure (“Right to be Forgotten”)
- Right to Restrict Processing
- Right to Data Portability
- Right to Object
- ## Rights Related to Automated Decision Making and Profiling
What is a Data Controller and a Data Processor?
- Data Controller = Determines the purposes and means of processing personal data
- Data Processor = Processes data on behalf of the data controller
NOTE - Both must implement appropriate technical and organizational measures to ensure data protection
How are organizations governed or held accountable?
- Data controllers must demonstrate compliance with the data protection principles
- Organizations may need to appoint a Data Protection Office (DPO) if they process large amounts of sensitive data or perform regular systematic monitoring of data subjects
What security requirements should organizations have in place or generally abide by?
Organizations must implement measures to ensure data security, including encryption, anonymization, and regular security assessments.
What would you do if a data breach occured?
- Data breaches must be reported to the Information Commissioners Office (ICO) within 72 hours of discovery if they pose a risk to the individuals rights and freedoms.
- Affected individuals must be notified without undue delay if the breach is likely to result in high risk to their rights and freedoms.
What exemptions apply?
- Certain exemptions apply, such as for national security, law enforcement, journalism, academic research, and public health.
Who enforces data protection matters and what penalties can occur if not abided by?
- The Information Commissioner’s Office (ICO) is the UK’s independent authority responsible for upholding information rights.
- The ICO has the power to issue fines for non-compliance, which can be significant reaching up to £17.5 million or 4% of annual global turnover, whichever is higher.
What types of data have special provisions?
- Children’s Data = Specific protections for the personal data of children, particularly in the context of online services
- International Transfers = Rules for transferring personal data outside of the European Economic Area (EEA) to ensure adequate protection levels.
What is the importance and impact of the DPA 2018?
- The DPA 2018 is crucial for safeguarding individuals’ privacy rights and ensuring that personal data is handled responsibly and securely.
- It impacts all organizations that process personal data in the UK, requiring them to review and update their data protection practices regularly to ensure compliance.
What is the basis of the General Data Protection Regulations?
- The General Data Protection Regulations (GDPR) is a comprehensive data protection law that came into effect on May 25th 2018.
- It applies to all European Union (EU) member states and aims to give individuals greater control over their personal data while imposing strict rules on organizations that process data.
What are the Key Principles of GDPR?
- Lawfulness, Fairness, and Transparency
- Purpose Limitation
- Data Minimization
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
- Accountability
What regulations did the GDPR replace?
The 1995 Data Protection Directive and also harmonized data protection laws across the EU.
What key rights do Data Subjects have under GDP?
- Right to be informed
- Right of Access
- Right to Rectification
- Right to Erasure (“Right to be Forgotten”)
- Right to Restrict Processing
- Right to Data Portability
- Right to Object
- Rights related to Automated Decision Making and Profiling
What is GDPR’s policy on International Transfers of data?
The GDPR restricts the transfer of personal data outside the European Economic Area (EEA) unless specific conditions are met to ensure adequate protection levels.
What key obligations do organizations have under GDPR?
- Have a data controller and Data Processor
- Ensure data protection by Design and by Default
- Data Protection Impact Assessments (DPIAs)
- Data Protection Officer (DPO)
- Breach Notification
What is the impact and importance of GDPR?
- The GDPR has significantly impacted how organizations worldwide handle personal data, driving greater transparency, accountability, and respect for individual privacy rights.
- It has seta high standard for data protection and influenced data protection laws in other regions, including the California Consumer Privacy ACt (CCPA) in the United States.
- Compliance with GDPR is essential for any organizations processing personal data of EU citizens, regardless of its location.
Outline the basis of the Freedom of Information Act 2000?
- The Freedom of Information Act 2000 (FOIA 2000) in the UK provides public access to information helf by public authorities.
- It aims to promote transparency and accountability by allowing the public to request information about the activities of government and other public bodies.
What are the key aspects or provisions of the Freedom of Information Act 2000?
- Right to Access
- Scope
- Exemptions;
–> Absolute Exemptions
–> Qualified Exemptions - Public Interest Test
- Time Limits
- Fees
- Appeals and Complaints
- Publication Schemes
Under FOIA 2000, who has the right to request information?
- Any person has the right to request information held by public bodies.
- Public Authorities are required to disclose the information unless it falls under one of the specified exemptions.
What are the time limits associated with the FOIA 2000?
- Public authorities are required to respond to FOIA requests promptly and within 20 working days.
- They must confirm or deny whether they hold the requested information and provide the information if it is not exempt.
What are Absolute Exemptions and Qualified Exemptions under the FOIA 2000 and what are some examples of each?
- Absolute Exemptions = Information that does not need to be disclosed under any circumstances.
–> E.g. Information relating to public security, court records and personal data protected under the DPA 2018. - Qualified Exemptions = Information that may be withheld if the public interest in maintaining the exemption outweighs the public interest in disclosure.
–> E.g. Information related to law enforcement, commercial interests and health and safety.
What is the scope of the FOIA 2000?
The Act applies to a wide range of public bodies, including government departments, local authorities, NHS bodies, schools, and police forces.
What is a Public Interest Test in relation to the FOIA 2000?
- For Qualified Exemptions, public authorities must apply a public interest test to determine whether the information should be disclosed.
- The test balances the public interest in transparency against the public interest in maintaining the exemption.
What fees apply to the FOIA 2000?
Authorities can charge fees for providing information, but these fees are regulated.
- If the cost of compliance exceeds a set limit (currently £450 for most public authorities and £600 for central governments), the authority can refuse the request or charge additional fees.
How can a requester appeal or complain under the FOIA 2000?
- If a request is refused or not satisfactorily answered, the requester can ask the authority to conduct an internal review.
- If unsatisfied with the internal review, the requester can complain to the Information Commissioner’s Office (ICO), the independent regulatory body responsible for overseeing FOIA compliance.
- Further appeals can be made to the First-tier Tribunal (Information Rights) and subsequently to higher courts.
What does the FOIA 2000 outline about publication schemes?
- Public Authorities are required to proactively publish certain information routinely through a publication scheme.
- These schemes must be approved by the ICO and are intended to make more information available to the public without the need for specific requests.
What is the impact and importance of the FOIA 2000?
- Transparency and Accountability
- Public Participation
- Press and Research
Can you tell me three principles of the UK GDPR and the Data Protection Act 2018?
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Accuracy
How do you comply with UK GDPR and the Data Protection Act 2018 in your role?
- I report suspected breaches
- I do not give out confidential or personal information
- I keep records of consent for processing, storing and retaining data
- I understand the information we hold that is protected by GDPR
Give me an example of how you process and handle confidential information?
- I use document systems to add, amend and remove information - Data input forms
- When sending information to solicitors, i ensure files are uploaded to a secure data room
- Anonymised employee liability information for TUPE
- Password and account to enter management systems
Give me an example of how you ensure data is kept securely?
- Access is restricted to users by password
- Firewalls in place by IT team to protect against hacking
- Appropriate training undertaken to understand processes
What do the Privacy and Electronic Communications Regulations 2003 apply to?
The Privacy and Electronic Communications Regulations (PECR) 2003 apply to:
- Marketing calls, emails, texts, and faxes
- The use of cookies and similar technologies on websites
- The security of public electronic communications services
- Customer privacy in relation to traffic and location data
What is copyright?
The exclusive and assignable legal right given to the originator for a fixed number of years, to print, perform, film or record literacy, artistic or musical material.
Simply = Copyright is the legal right to control how your original work (like writing, music, or images) is used by others. Copyright protects creative work from being copied or used without permission.
Can Intellectual Property be transferred?
Yes, Intellectual Property (IP) can be transferred through various means, including:
- Assignment – Permanent transfer of ownership to another party, often through a contract.
- Licensing – Granting permission to use the IP while retaining ownership (e.g., a company licenses its brand to a manufacturer).
- Franchising – Allowing a third party to use a business model, including trademarks and branding.
- Will or Inheritance – IP can be passed down through an estate after the owner’s death.
Transfers must be documented properly to ensure legal protection and compliance.
What is the Freedom of Information Act 2000?
- Came into effect in 2000
- Allows an individual to request access to information held by a public body
- Public body is required to provide that information (within 20 working days) in requested format
- They can charge a fee for this
What is intellectual Property?
Intellectual Property (IP) refers to creations of the mind that are legally protected from unauthorized use. It includes:
- Trademarks – brand names, logos, slogans
Patents – inventions, new processes, or products - Copyright – literary, artistic, musical, and software works
- Design Rights – protection of the appearance or shape of a product
- Trade Secrets – confidential business information (e.g., formulas, processes)
IP rights allow creators or businesses to control and benefit from their work.
Can you tell me about the retention of files and the Limitation Act 1980?
- Section 5 of Limitations Act 1980 says legal action must be brought within 6 years of issue arising
- Business then have a responsibility to keep documents for at least 6 years after they expire
Tell me about how you extract data from a source regularly used in your role?
I extract data from leases and enter into a new lease input form.
This is securely sent to Data Input who then upload the information to TRAMPS/Yardi where the data is held securely for those with password access.
Give me an example of a property information tool?
Example of a Property Information Tool:
- EIG (Estates Gazette Interactive) – A widely used platform providing commercial property market data, including lease comparables, sales transactions, ownership records, and planning applications. It helps property professionals make informed decisions based on real-time market intelligence.
What are the limitations of primary/secondary data sources?
Limitations of Primary & Secondary Data Sources:
Primary Data Limitations:
- Time-consuming and costly to collect.
- Potential for bias in responses or sample selection.
- Limited scope—data is specific to the research purpose and may not be generalizable.
Secondary Data Limitations:
- May be outdated or not entirely relevant to the specific research question.
- Accuracy and reliability depend on the original source.
- Limited control over the methodology and data collection process.
How do you source title information?
Government Land Registry Website.
What is the difference between a deed and a registered title?
- Deed is a physical document declaring a person’s legal ownership
- Registered title is ownership recorded with Land Registry electronically
What are the differences between manual and electronic records?
Differences Between Manual and Electronic Records:
- Storage & Accessibility: Manual records require physical storage, such as filing cabinets, making them harder to access and share. Electronic records are stored digitally, allowing for easier access and remote sharing.
- Security & Protection: Manual records are more prone to loss, theft, or damage (e.g., fire, water). Electronic records can be encrypted, password-protected, and backed up for better security.
- Efficiency & Searchability: Searching through manual records is time-consuming, whereas electronic records can be quickly retrieved using search functions.
- Updating & Accuracy: Manual records require physical amendments, increasing the risk of errors. Electronic records can be updated instantly, often with version control to track changes.
- Cost & Maintenance: Maintaining manual records involves printing, storage, and labor costs, while electronic records reduce paper usage but require IT infrastructure.
- Compliance & Audit Trails: Electronic records are easier to track and comply with regulations (e.g., GDPR), whereas manual records require meticulous record-keeping for compliance.
What is an index map?
An index map is a reference tool used to identify and locate registered land and property boundaries.
In the UK, the Land Registry Index Map is used to determine whether a piece of land is registered and, if so, under which title number. It provides an overview of land ownership, registered leases, and other legal interests affecting the land.
What does encryption mean?
Mathematical function that encodes data in such a way that only authorized users can access it.
What is a firewall?
Network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules
How can you protect electronic data from viruses?
Use antivirus software, enable firewalls, update software, avoid suspicious links, use strong passwords, and back up data regularly.
What does block chain mean?
Blockchain is a decentralized, secure digital ledger that records transactions across multiple computers.
Which records are manually kept in your office and why?
Manually kept records in my office include signed hard copies of leases, licenses, and original legal documents for compliance, reference, and audit purposes.
What is BIM and how can it be used?
Building Information Modelling (BIM) is a digital representation of a building’s physical and functional characteristics, used for design, construction, and management to improve efficiency, collaboration, and decision-making.
What is an AVM?
Automated Valuation Model:
- Mathematical / Statistical modelling with databases of existing properties and transactions to calculate real estate values
Explain the growing use of AVMs in the industry?
Use of computer modelling in the science of valuation has merit in a world with increased availability and use of data –> may reduce expensive litigation
What is your understanding of the term Meta Data and why is this
important?
Meta Data is information about a specific piece of data.
* For example when sharing a cost planning document, the Meta Data associated with this could consist
of information about the author, the file size, the date the document was created and keywords to
describe the document.
* We must ensure that this Meta Data is afforded the same level of care as all other confidential data.
* In a scenario where we are sharing a document or removing confidential components of a document
we should ensure that any confidential meta data is not shared inadvertently
What is your understanding of the term Confidentiality?
Where information is provided but is subject to confidence and not shared without permission.
What is your understanding of Intellectual Property and Copyright?
This is the right to control the use and ownership of original works.
* Work generally created by an employee usually belongs to their employer unless copyrights are put in
place.
* It is common within construction for a client to be granted license for use and reproduction of
copyright material which should be clearly defined.
* This could be the right to use a particular design by a subcontracting specialist who retains control of
the original copyright
What is the Freedom of Information Act 2005?
- This is the primary piece of UK legislation that controls the access to official information.
- The act permits the public right of access to information held by public authorities.
- Information must also be published through the public authorities publication scheme.
- The act covers all information held and not just information since the act came into effect
What are the benefits of cloud-based storage systems?
- Information is backed up securely on encrypted servers.
- Accessibility can be managed via online settings.
- Cloud systems are often cheaper than the costs of physically storing and managing files.
- It is convenient to send and share files online instead of mailing physical copies.
- Cloud systems are environmentally friendly.
- Multiple users can access the same documents.
- Documents and folder systems can be synchronized
What is the meaning of a non-disclosure agreement?
Non-disclosure agreements are used to protect against the disclosure or sharing of any confidential
data.
* Prior to the confidential data being share with a recipient, clients will typically request that the recipient
signs up to an NDA.
* They are often used when confidential, sensitive, innovative or intellectual property information is
being shared to prevent this information being used by competitors.
If two separate departments within your firm were working for two
rival companies how would you ensure client sensitive data was
managed?
- I would make the client aware of the risks involved and check their understanding of the conflict of
interest. - I would ensure a letter of instruction to continue was obtained from the client.
- Exclusivity of staff would be arranged.
- The use of non-disclosure agreements would be considered.
- Separate working locations from each of the teams would need to be put in place.
- Secure document and data storage would be arranged to be used exclusively for the separate teams
What is the Data Protection Act 2018?
- The act replaces previous 1998 legislation and manages how personal data is processed by organisations
and the government. - It is the UK legislation for the implementation of the EU General Data Protection Regulations
(GDPR)
What are the key Principles of the Data Protection Act 2018?
- The act ensures that data is:-
o Used fairly, lawfully and transparently.
o Used in a way that is adequate, relevant and limited to only the purpose it is intended.
o Is retained for no longer than is necessary.
o Processed securely including the protection against unlawful use, loss or destruction.
What are a person’s rights under the Data Protection Act?
- People have the right to:-
o To be informed about how their data is being used.
o The right to access their data.
o The right to have incorrect information updated.
o To have their data erased.
o To stop or restrict the processing of their data.
o The right of portability.
o To object to the use of their data.
Who are the key persons outlined within GDPR?
- Controller
o The controller is the natural person or legal entity that determines the purposes and means of
the processing of personal data for example when processing an employee’s personal data, the
employer is considered to be the controller. - Processor
o A natural person or legal entity that processes personal data on behalf of the controller for
example a call centre acting on behalf of its client is considered to be a processor. - Data Protection Officer (DPO)
o The Data Protection Officer is a leadership role required by EU GDPR. This role exists within
companies that process the personal data of EU citizens. A DPO is responsible for overseeing
the data protection approach, strategy, and its implementation
What are the 8 individual rights under GDPR?
- The right to be informed.
- The right of access.
- The right of rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights of automated decision making and profiling.
- Diversity, Inclusion & Team Working
What different sources of information do you use in your day-to-day
surveying?
- RICS Guidance Notes.
- Contract Documentation.
- Previous Tenders.
- Cost Plans.
- Valuation data.
- Industry Journals.
- Specialist sub-contractor information
How do you manage sources of information to ensure
compliance with the legislation?
- If signed up to an NDA with a client I ensure complete confidentiality and am not able to talk about
these projects with colleagues who are not party to the project. - I use lockable and secure document storage for hard copy documents. The electronic information is
kept securely on encrypted servers. - I am always sure to lock my computer when away from my desk and comply with my firms IT security
policies for example attendance at Cyber security courses and regularly updating my passwords. - If I am sharing or processing information not available in the public domain from a previous project I
always obtain the clients written permission to do so.
How do companies ensure compliance with the Data Protection
legislation generally?
- They should only retain data they need to perform their day-to-day operations.
- If they are retaining someone’s data they should ensure the person is kept informed and advised on
why they have it. - They should hold the data securely.
- They should also keep the information up to date and delete information they no longer need
