Data Management Q's Flashcards
What is GDPR?
- Law designed to protect people's personal data and privacy
- Sets out rules on how governments, companies and organisations can collect, store and use personal information
When did GDPR come into effect?
25th May 2018 - same day as the Data Protection Act 2018
(Incorporated as part of the new EU GDPR legislation)
Who regulates GDPR in the UK?
Information Commissioner's Office (ICO)
Key persons outlined in GDPR?
Controller - decides how and why personal data is used
Processor - handles personal data on behalf of the controller
Data Protection Officer - oversees data protection and ensures compliance with the rules
What is the purpose of GDPR?
Protect citizens' information
What constitutes personal data?
Information that can be used to identify a person (the data subject), e.g. photos, names, email addresses
Examples of personal data under GDPR that could apply to property companies?
Data relating to:
- Background checks by HR
- Investors
- Fund managers
- Valuations
- Compliance
What Act implemented GDPR in the UK?
- Data Protection Act 2018 - implemented GDPR
- Replaced the Data Protection Act 1998
What are the 7 principles of the Data Protection Act 2018? (AKA the 7 principles of GDPR) LAAPSID
- Lawfulness, transparency & fairness
- Accountability
- Accuracy
- Purpose Limitation
- Storage Limitation
- Integrity & Confidentiality
- Data minimisation
What are the 8 individual rights under GDPR? (IARERDOA)
- Right to be informed
- Right of Access
- Right to Rectification
- Right to be Forgotten
- Right to Restrict Processing
- Right to Data Portability
- Right to Object
- Rights related to Automated Decision making and Profiling
To what organisations does GDPR apply?
Any and all businesses and organisations responsible for holding data in the EU
What are the penalties for GDPR breaches?
- Fines of up to 17.5m
- 4% of worldwide turnover
What is the ‘right to access’ under GDPR?
- Right to obtain confirmation of whether their personal data is being processed
- Access to their own personal data that is being held
What is a breach notification under GDPR?
- Formal requirement for organisations (and their data controllers) to notify the authorities, and in some cases the individuals concerned, if the breach is likely to risk their rights and freedoms
- Must be reported within 72 hours of becoming aware of it
How are data breaches typically discovered?
- Automated security systems
- Internal audits
- Lost equipment
How have consent conditions been strengthened under GDPR?
- Consent must be given in plain and clear language (best practice is to get this in writing)
- Ability to withdraw consent at any time
What is ‘right to be forgotten’ under GDPR?
- Under Article 17, individuals have the right to have their personal data erased in certain circumstances
- e.g. if they are no longer employed by a firm
What is data portability?
Right to obtain and reuse personal data across different services, or to have it transferred to a new controller
What is privacy by design?
- Legal requirement of GDPR
- Data protection is built in from the outset when designing systems, rather than added on later
What is a data protection officer?
- Responsible for monitoring internal compliance with data protection obligations
- Only required for entities involved in large-scale processing of personal data
Examples of data held by surveying practices?
- Data to serve clients (accounting info, compliance)
- Lease documents
- Emails and other correspondence
What are obligations imposed by GDPR?
- Must know what data you store (location, security)
- Data must be able to be deleted at any time
- Individuals can request to see all their personal data held
- Must demonstrate compliance in data handling
- Must offer data portability
- Must be able to prove how information is being used
RICS best practice points for complying with GDPR?
- Conduct data review
- Anonymise and encrypt data where possible
- Understand data processing
- Treat commercial data in the same way as you would treat personal data, although it is not covered by GDPR
What are your company’s policies for data protection breaches?
- Report to line manager or data protection officer in firm
- Email GDPR group at Workman
RICS recommendations for using confidential information?
- Keep secure record of consent for data processing
- Maintain confidentiality of information unless you have explicit permission from the party
- Check if you have appropriate contractual clauses to use information
What information should be included in a firm's privacy notice?
- What information you hold
- How it will be used
- How long it will be held for
- Which third parties it will be shared with
- Legal rights
What is SAR?
- Subject Access Request
- Request that an individual be given all the information a company holds on them under GDPR
What was the Freedom of Information Act 2000?
- Allows an individual to request all personal information held by a public body
- Must be done within 20 days
- Can charge for this
What are the provisions of the Land Registry Act (2002)?
- Provides a complete and accurate reflection of the state of title of land at any given time
- Aim for all land in England and Wales to have a title before 2030
What is required for a Land Registry Compliant Plan? (think of plan in case study)
- Demised area shown as a red line
- North arrow
- Scale
- Drawn to a scale of 1:100 or 1:200
- Location of property drawn to a scale of 1:1250
- Measurement bar
What is the difference between a deed and a registered title?
- Deed - physical record of ownership declaring a person's legal ownership
- Registered Title - ownership recorded at the Land Registry
- Land Registry Act 2002 states registered title is conclusive
Are electronic signatures accepted by the Land Registry?
Yes, witnessed electronic signatures are accepted from July 2020
Disadvantages of the systems you use?
- Rely on others for data input, so exposed to human error
- External system, so the firm is not in control of security
How did the DPA 2018 tighten up the former DPA 1998?
- Customers have greater control over their data
- Firms with over 250 employees need a designated DPO
- Fines
- Introduction of breach notification
How do you comply with GDPR in your role?
- I report suspected breaches
- I don't share confidential or personal information
- I keep consent for data processing
Give me an example of how you process and handle confidential information.
- When sending information to solicitors I ensure files are uploaded to a secure data room
- Change passwords for management systems and computer login every month
- Anonymise employee liability data for TUPE
What does encryption mean?
- Mathematical encoding of data so that only authorised users can access it
What is a firewall?
- Network security system that monitors and controls network traffic based on predetermined security rules
Tell me about how you extract data from a source regularly used in your role?
- I extract data from leases, which is then put into data input forms, sent to my line manager for approval and then input by the data input team so that it appears on the management systems
Can you tell me about the retention of files and the Limitations Act 1980?
- Section 5 states legal action must be brought within six years of the issue arising
- Requires businesses to keep documents on file for 6 years after they expire
Give me an example of how you ensure that data is kept securely.
- Access is restricted to users by password
- Firewalls put in place by the IT team to stop hacking
- Appropriate training undertaken to understand the processes
What is copyright?
- Legal right giving the creator of original works exclusive control over the use of their creations for a certain period of time
- In property: marketing material & intellectual property
What is an AVM?
- Automated Valuation Model
- Mathematical/statistical modelling using databases of existing properties and transactions to calculate real estate values
- Used by lenders and banks, developers, agents and brokers
Pro - speed & cost-effectiveness
Con - human expertise required to interpret AVM outputs
Does RICS provide any guidance on AVM?
- RICS Roadmap: Automated Valuation Modelling 2021
- Outlines the strategic direction and implementation of AVMs in valuation
- Outlines best practice for AVMs: the importance of balancing information with standards and ethical practice
Explain the growing use of AVMs in the industry.
- Has merit in the science of valuation given the growing availability of data
- Speed, cost-effectiveness, potential to reduce litigation
What is an Electronic Document Management System?
- Software that stores, organises and manages documents
- e.g. SharePoint
How do you ensure GDPR compliance and security in the office?
- Clear desk policy
- Use a shredder to dispose of docs containing confidential information
- Lock screen
- Password protect
- External backup drive
How do you monitor compliance on QUOODA/riskwise?
- Linked to email, so I get a notification when an essential compliance document is nearing expiry or overdue
- Quarterly audits of the system to identify discrepancies
How do you apply your firm's data protection policy?
- I report suspected breaches
- Anonymise data where possible
- Don't share confidential info
- Keep consent for data processing
How to ensure data accuracy?
- Double check against the source docs
- Checked by line manager
- Data audits
What are CPSEs?
Commercial Property Standards Enquiries
If a tenant would like to access CCTV footage, what is required?
- Subject Access Request (SAR) - only by police & insurers
- Liaise with DPO on what can be given
How do you store confidential data in your office?
- Using password-protected devices which require two-factor authentication for access
- Anonymise all personal data (use property codes for files rather than names)
What would you do if you realised that you had received confidential data in an email, from another surveyor, which you should not have seen?
- Cannot use information
- Report to DPO & Compliance officer
- Advise the client/sender of the error
- Dispose securely of information
How do you ensure the data on the systems you use is accurate?
- Data is cross-checked by multiple parties
- Internal and external systems get audited
- Prelists get raised and must be approved by the PM
Benefits of cloud based storage systems?
- Access from multiple users at one time
- Info backed up on securely encrypted servers
- Environmentally friendly and cheaper
What is a non-disclosure agreement (NDA)?
- Used to protect against the sharing of confidential data
- e.g. NDAs in property sales
If two separate departments within your firm were working for two rival companies, how would you ensure client-sensitive data was managed?
- Make the client aware of the risks
- COI check
- Seek letter of instruction that both parties are happy for you to continue
- Implement information barrier
What things must companies put in place to ensure GDPR compliance?
- Raising awareness - through mandatory training courses
- Audit all personal data
- Update privacy policy - to explain how data is processed
- Appoint a DPO if over 250
- Data breach response plan
How have you advised a client on DM?
- Recognised MEES coming into force; the old managing agents didn't have a tracker for EPCs
Horizon & Tramps limitations
- 3rd party, so we don't have control of the security
- Human error in data input
- Training not user-friendly
What are exemptions to Data Protection Act 2018 ?
- National Security
- Law Enforcement
- Public health
What does blockchain mean?
- Decentralised digital ledger
- Can facilitate data sharing and streamline rent collection and payments to landlords
What is BIM and how can it be used?
- Building Information Modelling - creates 3D representations of buildings
- Helps with design visualisation for stakeholders
- Aids cost management
- Used by our building surveyors in refurbishments of properties
What is an index map?
- Provides information on all land that is registered or being registered with HM Land Registry
How do you source title information?
- Land registry
- Title searches
What is Intellectual Property and can it be transferred?
- IP encompasses creations like patents, copyrights, trademarks and trade secrets.
- Yes can be transferred