Data Management - Summary of Experience

Question 1

What are the penalties under GDPR and data protection act?

Answer 1

Fines of higher than 4% of annual turnover or 20m euros (£17.5m)

Question 2

Can you give me an example of a property information tool?

Answer 2

• Horizon

Question 3

What are your KPIs for uploading data?

Answer 3

• 7 days from receipt
• Ensure to keep client informed throughout

Question 4

What is ISO9001?

Answer 4

Sets out requirements for how firms should control data + documents relating to their business

Question 5

What would you do if there was a data breach?

Answer 5

Report to Information Commissioners office within 72 hours - Notify affected individuals without delay

If within company I would report to line manager/data protection officer

Question 6

What is the difference between a deed and a registered title?

Answer 6

Deed = physical document proving legal ownership
Registered Title = concept of giving right to own electronically

Title takes precedent (it is what the public uses)

Question 7

What is copyright?

Answer 7

Type of intellectual property that protects original works and stops others using it

Question 8

What does block chain mean?

Answer 8

Shared ledger system that facilitates process of recording transactions across a computer network

Question 9

What is SAR?

Answer 9

subject access request
- Individual demands for info a company holds on them

Question 10

What are the obligations under GDPR?

Answer 10

• Need to have knowledge of data held and processed
• Have the ability to delete every instance of data on subject
• Demonstrate data management compliance
• Prove how data is used
• Prove data portability (allow subject to reuse personal data for own purpose)

Question 11

How can you protect electronic data from viruses?

Answer 11

Antivirus software / firewall / update systems against bugs / strong password

Question 12

What are the differences between manual and electronic records?

Answer 12

• Electronic = stored online on file system and can read multiple at once
• Manual = Physical storage and harder to locate

Question 13

What is the purpose of GDPR and data protection act?

Answer 13

Governs how personal data should be processed + protects rights of individuals

Question 14

Explain the growing use of AVMs in the industry

Answer 14

Automated valuation models
- Speed, cost and removal of human errors
- Issue is that prop isnt inspected and lack of comparable data

Question 15

How can a data breach be discovered?

Answer 15

• Unusual network activity
• Unauthorised data access attempts
• Lost equipment
• Reported thefts

Question 16

Are there any disadvantages of the data management systems that you use?

Answer 16

• Updates to ensure strong encryption and firewall - Downtime
• Always security risk
• Dependent on internet connections (tech) - If not there data can’t be accessed

Question 17

Can you confirm how data from your examples are stored under the regulations?

Answer 17

In line with GDPR principles

Question 18

Can you give me some examples of reports that you run?

Answer 18

• Arrears report
• Tenancy schedules
• Service charge analysis

Question 19

What is the right to be forgotten?

Answer 19

The right for individuals to have their personal data erased if no longer required or if data processed unlawfully

Question 20

What is a data controller?

Answer 20

Determines purposes and means of processing personal data (must comply with principles)

Question 21

How did you ensure the data stored for the Ilford High Road sale was safe?

Answer 21

• Disk encryption
• Firewall and disaster recovery procedures
• Password protected

Question 22

What is a firewall?

Answer 22

Computer network security system that restricts internet traffic

Question 23

Which records are manually kept in your office and why?

Answer 23

Financial records e.g. invoices and receipts - Low risk of data loss and provide an audit trail

Question 24

Who is exempt from GDPR?

Answer 24

• National security
• Journalism
• Law enforcement
• Academic research
• Public health
• Organisations with fewer than 250 people

Question 25

Can you tell me how CCTV relates to GDPR and the principles that underpin it?

Answer 25

• Data transparency - Lawful/fair
• Purpose limitation - requires personal data to be collected
• Storage limitation - Only retained for time period
• Secured against unauthorised access - data controller etc

Question 26

Can you tell me about how you extract data from a source regularly used in your role?

Answer 26

Horizon
1) Encrypted login
2) Search up property on system - go to data source needed e.g. invoice
3)

Question 27

What is an electronic document management system?

Answer 27

Software that centrally stores and organises documentation. E.g. Workman EFS

Question 28

How do you validate information used/received?

Answer 28

• Avoid duplications
• Cross check against historic data - Tenant/Landlord info
• Make sure date is complete
• DI form dates correct - correct charges and sent to correct recipients

Question 29

What is the land registry act 2002?

Answer 29

Framework to ensure possibility of transferring and creating registered land interests electronically
- Aims to get all freehold land in England and Wales registered by 2030

Question 30

What are the key principles of GDPR?

Answer 30

1) Lawfulness, fairness and transparency
2) Purpose limitation - specified and explicit
3) Data minimization
4) Accuracy - up to date
5) Storage limitation - should only be kept as long as necessary
6) Integrity and confidentiality
7) Accountability

Question 31

What is a data processor?

Answer 31

Processes data on behalf of the controller

Question 32

What is GDPR?

Answer 32

General data protection regulation
- Became EU law in 2016 and UK set up directive in 2018 under Data Protection Act

Question 33

What does encryption mean?

Answer 33

Converting data into a code to prevent unauthorised access

Question 34

When did GDPR come into effect?

Answer 34

EU - 25 May 2018

Question 35

What are the limitations of secondary data sources?

Answer 35

• No control on what is contained in data
• Lack of confidence could be wrong and inaccurate - validity
• above link to GDPR

Question 36

How do you comply with GDPR in your role?

Answer 36

• Report breaches
• Do not give out personal info
• Keep records of data consent
• Ensure info held is in line with GDPR

Question 37

Can you tell me about the retention of files and limitations act 1980?

Answer 37

Sets out how long business should keep documents for. States legal action must be brought within 6 years of issue arising

Question 38

What would you do if someone wanted to review the CCTV footage at Merton Road?

Answer 38

1) Request received
2) Check with data protection officer
3) Notify police (if required)
4) Ask subject to complete SAR whilst awaiting advice from data protection officer

Question 39

What is a data room such as the one you used at 144-146 Ilford High Road?

Answer 39

Secure online repository
- Shares sensitive documents
- Controlled access
- Leaves audit trail - When and where users are accessing
- Stored in line with GDPR
- Password protected and encrypted

Question 40

Can you give me some examples of data held by surveying practices covered under GDPR?

Answer 40

• Emails/correspondence
• Customer data held for marketing
• Data to help service a client (accounting info)

Question 41

What is BIM and how can it be used?

Answer 41

Building information modelling
- Generate and manage digital representations of elements of a building e.g. project planning and historic preservation

Question 42

Was the data you mention as part of the data forms held under GDPR regulations?

Answer 42

Yes I can confirm

Question 43

Explain how the H&S updates you make ensure you can monitor compliance on Meridian and Quooda?

Answer 43

• Time stamped record of actions completed and comments made
• See when risk assessments run out - Instruct
• Green, amber, red - Action tracking system

Question 44

Why was GDPR introduced?

Answer 44

To consolidate EU data laws and provide greater protection/rights to individuals

Question 45

What is data management?

Answer 45

Practice of collecting, storing and using data securely, efficiently and cost effectively

Question 46

What is the freedom of information act and when did it come into force?

Answer 46

Right for anyone to request access to info held by a public body. Public body required to provide within 20 working days (fee can be charged)

• 30 Nov 2000

Question 47

When was GDPR first introduced?

Answer 47

EU in 2016, UK in 2018 under data protection act - UK released own updates in 2021

Question 48

What are the rights of access under GDPR?

Answer 48

Individuals have right to access their personal data and supplementary information - can request copy of data free of charge

Question 49

Who regulates GDPR in the UK?

Answer 49

Information Commissioners Office

Question 50

How did GDPR tighten up the former data protection act 1998?

Answer 50

• Brought in regulation to cover the development of modern data and technology
• Stronger consent requirements and also withdrawal of consent

Question 51

Can intellectual property be transferred?

Answer 51

Yes - Written agreement e.g. contract/assignment

Question 52

How do you source title information?

Answer 52

on gov land registration search

Question 53

What is a data protection officer?

Answer 53

Appointed by company if they process large volumes of sensitive data or monitor data subjects (e.g. Workman)

Question 54

What are the limitations of primary data sources?

Answer 54

• Time consuming
• High cost - e.g. hiring inspectors
• Human error

Question 55

What are CPSES?

Answer 55

Commercial Property Standard Enquiries

Question 56

What is intellectual property?

Answer 56

Something that is created using your mind e.g. patent. copyright

Question 57

What constitutes personal data?

Answer 57

Any info relating to identified person

Question 58

How do you ensure all data within these examples is kept securely?

Answer 58

• Disk encryption
• Firewall and disaster recovery procedures
• Password protected programmes

Question 59

What is your firms data protection policy?

Answer 59

That suspected breaches reported to line manager or data protection officer

Question 60

What are the key principles of data processing?

Answer 60

1) Lawfulness, fairness, transparency
2) Purpose limitation - only collected for specific purpose
3) Data minimization - only data necessary
4) Storage limitation - minimal time
5) Accuracy - up to date
6) Integrity + confidentiality

Question 61

What platforms did you gather information from?

Answer 61

• Horizon / Sharepoint
• Emails

Question 62

What is within the RICS guidance for GDPR compliance?

Answer 62

• Document purposes of holding information
• Keep record of consent for processing, storage and retention
• Check if you have contract for info

Question 63

What are the individual rights under GDPR and the data protection act?

Answer 63

1) Right to be informed
2) Right to access
3) Right to rectification
4) Right to erasure
5) Right to restrict processing
6) Right to data portability
7) Right to object
8) Rights related to automated decision making and profiling

Question 64

What is a data subject?

Answer 64

Individual who can be identified by an identifier e.g. name or ID number

Question 65

Who set up the data room at 144-146 Ilford High Road?

Answer 65

Solicitors - We get given the passwords to access the data

Question 66

Was the data held at 144-146 Ilford High Road within the same property as the rest of Ilford High Road that you mention?

Answer 66

No, my client owned these properties separately, although they were part of the same portfolio

Question 67

How is data managed on the Tramps (Horizon + Sharepoint) platform?

Answer 67

• Collaboration and sharing between different teams within businesses (and between business)
• Only authorised users can access certain files
• Audit trails document activity
• Documents held via the cloud

Question 68

How long can you hold data for?

Answer 68

No specified time period - As of GDPR principle should be kept as long as necessary for processing purposes

Question 69

What is hard and soft data?

Answer 69

Hard - quantifiable
Soft - not measurable - e.g opinions

Question 70

Explain your use of horizon/tramps and meridian and quooda?

Answer 70

Tramps
- Client reporting
- Sending tenant invoices
- Accounting figures for budget
- Legal documentation
- Password protected - change every month

Meridian
- Actioning health and safety queries / documentations
- Prop inspection reports

Question 71

What do the GDPR regulations say about CCTV?

Answer 71

• Reason for surveillance
• Consider privacy - access/detecting incidents/audit
• Policies and procedures - what to be recorded/who can view/how long to retain
• Regular reviews - updated system/cameras added/removed
• Accountability - Named person (IT team - Data Controller + data protection officer)
• Need to pay data protection fee to ICO (£2,900 in my case)
• Register with ICO as CCTV operator
• Complete a data privacy impact assesment with ICO

Question 72

How did GDPR tighten up the former DPA 1998?

Answer 72

• Customer has greater control over their data
• Harsh penalties if fail to comply - up to £17.5m or 4% of annual turnover (higher)
• GDPR is binding piece of legally enforceable regulation
• Breaches have to be reported to the ICO within 72 hours
• Companies will be accountable for data protection
• Firm over 250 people must have dedicated data protection officer

Question 73

RICS best practice points for complying with GDPR?

Answer 73

• Conduct data review
• Anonymise data where possible
• Encrypt everything where possible
• Treat commercial data same as personal data, even though not covered by GDPR

Question 74

What are the exemptions to the Freedom of Information Act?

Answer 74

Absolute Exemptions: national security, court records, parliamentary privilege, personal data protected under the data protection act.

Qualified Exemptions: Information that may be withheld if the public interest in maintaining the exemption outweighs the public interest in disclosure.

Question 75

What is the public interest test?

Answer 75

Decides under a qualified exemption if it is in the public interest to publish the data

Question 76

How much does it cost to submit a freedom of information request?

Answer 76

Can be £0
- Limit is £450 for public authorities
- Limit is £600 for central government

Question 77

How do you ensure accuracy of data?

Answer 77

• Cross-checking
• Auditing
• Undertake data reviews

Question 78

Does your firm have a privacy notice? What is included?

Answer 78

Yes - It identifies the data controller
- Shows what data is held
- Outlines uses for data
- Outlines how long you hold data for

Question 79

What are the benefits of the cloud?

Answer 79

• Env friendly - less space
• Speed
• Accessibility
• Collaboration

Question 80

What is the difference between the UK Data Protection Act and the rules of GDPR?

Answer 80

UK GDPR introduced in 2021, follows similar format of Original EU GDPR

Question 81

When you downloaded the tenants account history reports, how do you ensure that these are stored safely?

Answer 81

Stored on electronic filing system (EFS), this is my firms encrypted filing system. I ensured these were saved under property specific folder

Question 82

What was the purpose of contacting the property’s insurers at Merton Road?

Answer 82

To see if the insurance for the property allowed this and the potential impact on claims and general insurance premiums

Question 83

What is in a sale checklist like the one you mention at 144-146 Ilford High Road?

Answer 83

Ensures correct information is given to buyers of property to avoid claims:
- Lease/legal information
- Property specific information – History of works, health and safety history, historic insurance claims, previous title deeds, EPCS, service charges, utility history, VAT election notice

Question 84

How did you ensure that the folder you set up on your system for the sale ensured data safety principles were met?

Answer 84

1) Picked sharepoint as the data room provider - Ensured encryption and password entry
2) Add users - Set boundaries
3) Set permissions for users
4) Add documents and files - These can be downloaded to local internet networks

Question 85

What are CPSEs used for?

Answer 85

• Selling property
• New lettings
• Assignments

CPSE 1-3 - New lease
CPSE 2 - Sale
CPSE 4 - Assignment

Question 86

How do you practice handling and managing data in line with GDPR at Workman?

Answer 86

• We have a compliance team and a compliance officer
• Training provided ie. Cyber training on how to be safe online
• IT controls on client data, opt in distribution lists etc.

Question 87

What does TRAMPS stand for?

Answer 87

Trace Microcomputer Property System

Question 88

How is SAR requested?

Answer 88

Can be done in writing/verbally etc

Question 89

What is the difference between the Data Protection Act and GDPR?

Answer 89

The Data Protection Act enacts GDRP into UK law

Question 90

Who is the data processor and data controller for the CCTV information?

Answer 90

Data processor = security contractor who views and has access to the data
Data controller = Workman as we are defining the means and purposes for holding, using and processing the data

Data is processed on behalf of controller

Question 91

Has your company got any policies regarding document handling?

Answer 91

Yes - Traffic light system relating to documents that are held and send

Green - Simple open documents such as blank forms and Workman LLP template forms

Amber - tracked and encrypted documents, usage is tracked, internal docs and emails e.g. tenant financial info, fees, meeting minutes

Red - Confidential docs only accessible for certain few people e.g. completed SAR request forms, internal and external audit findings

Question 92

Where do Workman store their data?

Answer 92

On the cloud, which is stored in data centres within the UK.

Question 93

How long does the RICS advise to hold data for?

Answer 93

15 years - The Limitations Act 1980 long stop date

Question 94

In your experience, is it better to store data on Workman or Client data systems, why?

Answer 94

Conscious some clients are larger institutional funds handling commercially sensitive data and have own requirements and systems
- If using client system - ensure firewall to connect secure locations
- If using Workman system - be aware of client requirements RE password protection, access, location

Question 95

Did you have a pay a fee for the CCTV?

Answer 95

Yes we had to pay a data protection fee of £2,900 to the ICO

Question 96

For the sale at 144-146 Ilford High Road, you mention the folder was on your firms internal system, wouldn’t this mean that external visitors could access other files?

Answer 96

No, I ensured access restrictions to this individual file, which was confirmed with the IT department, ensuring no 3rd party access to other files

Question 97

What is ISO27001?

Answer 97

Set of requirements for defining, implementing, operating, and improving an Information Security Management System (ISMS)
- Proves to customers that it safeguards their data

Question 98

What do ISO27001 users have privilege for?

Answer 98

Privileged accounts may access important data or systems or exercise administrative powers.
- It is important to secure privileged accounts to prevent unauthorized use.