Data Management - Summary of Experience Flashcards
What are the penalties under GDPR and data protection act?
Fines of up to the higher of 4% of annual turnover or 20m euros (£17.5m)
Can you give me an example of a property information tool?
- Horizon
What are your KPIs for uploading data?
- 7 days from receipt
- Ensure to keep client informed throughout
What is ISO9001?
Sets out requirements for how firms should control data + documents relating to their business
What would you do if there was a data breach?
Report to the Information Commissioner's Office within 72 hours - Notify affected individuals without delay
If within company I would report to line manager/data protection officer
What is the difference between a deed and a registered title?
Deed = physical document proving legal ownership
Registered Title = concept of giving right to own electronically
Title takes precedence (it is what the public uses)
What is copyright?
Type of intellectual property that protects original works and stops others using it
What does block chain mean?
Shared ledger system that facilitates process of recording transactions across a computer network
What is SAR?
subject access request
- Individual demands for info a company holds on them
What are the obligations under GDPR?
- Need to have knowledge of data held and processed
- Have the ability to delete every instance of data on subject
- Demonstrate data management compliance
- Prove how data is used
- Prove data portability (allow subject to reuse personal data for own purpose)
How can you protect electronic data from viruses?
Antivirus software / firewall / update systems against bugs / strong password
What are the differences between manual and electronic records?
- Electronic = stored online on file system and can read multiple at once
- Manual = Physical storage and harder to locate
What is the purpose of GDPR and data protection act?
Governs how personal data should be processed + protects rights of individuals
Explain the growing use of AVMs in the industry
Automated valuation models
- Speed, cost and removal of human errors
- Issue is that the property isn't inspected and there is a lack of comparable data
How can a data breach be discovered?
- Unusual network activity
- Unauthorised data access attempts
- Lost equipment
- Reported thefts
Are there any disadvantages of the data management systems that you use?
- Updates to ensure strong encryption and firewall - Downtime
- Always security risk
- Dependent on internet connections (tech) - If not there data can’t be accessed
Can you confirm how data from your examples are stored under the regulations?
In line with GDPR principles
Can you give me some examples of reports that you run?
- Arrears report
- Tenancy schedules
- Service charge analysis
What is the right to be forgotten?
The right for individuals to have their personal data erased if no longer required or if data processed unlawfully
What is a data controller?
Determines purposes and means of processing personal data (must comply with principles)
How did you ensure the data stored for the Ilford High Road sale was safe?
- Disk encryption
- Firewall and disaster recovery procedures
- Password protected
What is a firewall?
Computer network security system that restricts internet traffic
Which records are manually kept in your office and why?
Financial records e.g. invoices and receipts - Low risk of data loss and provide an audit trail
Who is exempt from GDPR?
- National security
- Journalism
- Law enforcement
- Academic research
- Public health
- Organisations with fewer than 250 people
Can you tell me how CCTV relates to GDPR and the principles that underpin it?
- Data transparency - Lawful/fair
- Purpose limitation - requires personal data to be collected
- Storage limitation - Only retained for time period
- Secured against unauthorised access - data controller etc
Can you tell me about how you extract data from a source regularly used in your role?
Horizon
1) Encrypted login
2) Search up property on system - go to data source needed e.g. invoice
3)
What is an electronic document management system?
Software that centrally stores and organises documentation. E.g. Workman EFS
How do you validate information used/received?
- Avoid duplications
- Cross check against historic data - Tenant/Landlord info
- Make sure date is complete
- DI form dates correct - correct charges and sent to correct recipients
What is the Land Registration Act 2002?
Framework to ensure possibility of transferring and creating registered land interests electronically
- Aims to get all freehold land in England and Wales registered by 2030
What are the key principles of GDPR?
1) Lawfulness, fairness and transparency
2) Purpose limitation - specified and explicit
3) Data minimization
4) Accuracy - up to date
5) Storage limitation - should only be kept as long as necessary
6) Integrity and confidentiality
7) Accountability
What is a data processor?
Processes data on behalf of the controller
What is GDPR?
General data protection regulation
- Became EU law in 2016 and UK set up directive in 2018 under Data Protection Act
What does encryption mean?
Converting data into a code to prevent unauthorised access
When did GDPR come into effect?
EU - 25 May 2018
What are the limitations of secondary data sources?
- No control on what is contained in data
- Lack of confidence could be wrong and inaccurate - validity
- above link to GDPR
How do you comply with GDPR in your role?
- Report breaches
- Do not give out personal info
- Keep records of data consent
- Ensure info held is in line with GDPR
Can you tell me about the retention of files and the Limitation Act 1980?
Sets out how long a business should keep documents for. States legal action must be brought within 6 years of the issue arising
What would you do if someone wanted to review the CCTV footage at Merton Road?
1) Request received
2) Check with data protection officer
3) Notify police (if required)
4) Ask subject to complete SAR whilst awaiting advice from data protection officer
What is a data room such as the one you used at 144-146 Ilford High Road?
Secure online repository
- Shares sensitive documents
- Controlled access
- Leaves audit trail - When and where users are accessing
- Stored in line with GDPR
- Password protected and encrypted
Can you give me some examples of data held by surveying practices covered under GDPR?
- Emails/correspondence
- Customer data held for marketing
- Data to help service a client (accounting info)
What is BIM and how can it be used?
Building information modelling
- Generate and manage digital representations of elements of a building e.g. project planning and historic preservation
Was the data you mention as part of the data forms held under GDPR regulations?
Yes I can confirm
Explain how the H&S updates you make ensure you can monitor compliance on Meridian and Quooda?
- Time stamped record of actions completed and comments made
- See when risk assessments run out - Instruct
- Green, amber, red - Action tracking system
Why was GDPR introduced?
To consolidate EU data laws and provide greater protection/rights to individuals
What is data management?
Practice of collecting, storing and using data securely, efficiently and cost effectively
What is the Freedom of Information Act and when did it come into force?
Right for anyone to request access to info held by a public body. Public body required to provide within 20 working days (fee can be charged)
- 30 Nov 2000
When was GDPR first introduced?
EU in 2016, UK in 2018 under data protection act - UK released own updates in 2021
What are the rights of access under GDPR?
Individuals have right to access their personal data and supplementary information - can request copy of data free of charge
Who regulates GDPR in the UK?
Information Commissioner's Office
How did GDPR tighten up the former data protection act 1998?
- Brought in regulation to cover the development of modern data and technology
- Stronger consent requirements and also withdrawal of consent
Can intellectual property be transferred?
Yes - Written agreement e.g. contract/assignment
How do you source title information?
On the government Land Registry search
What is a data protection officer?
Appointed by company if they process large volumes of sensitive data or monitor data subjects (e.g. Workman)
What are the limitations of primary data sources?
- Time consuming
- High cost - e.g. hiring inspectors
- Human error
What are CPSES?
Commercial Property Standard Enquiries
What is intellectual property?
Something that is created using your mind e.g. patent, copyright
What constitutes personal data?
Any info relating to identified person
How do you ensure all data within these examples is kept securely?
- Disk encryption
- Firewall and disaster recovery procedures
- Password protected programmes
What is your firm's data protection policy?
That suspected breaches reported to line manager or data protection officer
What are the key principles of data processing?
1) Lawfulness, fairness, transparency
2) Purpose limitation - only collected for specific purpose
3) Data minimization - only data necessary
4) Storage limitation - minimal time
5) Accuracy - up to date
6) Integrity + confidentiality
What platforms did you gather information from?
- Horizon / SharePoint
- Emails
What is within the RICS guidance for GDPR compliance?
- Document purposes of holding information
- Keep record of consent for processing, storage and retention
- Check if you have contract for info
What are the individual rights under GDPR and the data protection act?
1) Right to be informed
2) Right to access
3) Right to rectification
4) Right to erasure
5) Right to restrict processing
6) Right to data portability
7) Right to object
8) Rights related to automated decision making and profiling
What is a data subject?
Individual who can be identified by an identifier e.g. name or ID number
Who set up the data room at 144-146 Ilford High Road?
Solicitors - We get given the passwords to access the data
Was the data held at 144-146 Ilford High Road within the same property as the rest of Ilford High Road that you mention?
No, my client owned these properties separately, although they were part of the same portfolio
How is data managed on the Tramps (Horizon + Sharepoint) platform?
- Collaboration and sharing between different teams within businesses (and between business)
- Only authorised users can access certain files
- Audit trails document activity
- Documents held via the cloud
How long can you hold data for?
No specified time period - As of GDPR principle should be kept as long as necessary for processing purposes
What is hard and soft data?
Hard - quantifiable
Soft - not measurable - e.g. opinions
Explain your use of Horizon/TRAMPS and Meridian and Quooda?
Tramps
- Client reporting
- Sending tenant invoices
- Accounting figures for budget
- Legal documentation
- Password protected - change every month
Meridian
- Actioning health and safety queries / documentations
- Prop inspection reports
What do the GDPR regulations say about CCTV?
- Reason for surveillance
- Consider privacy - access/detecting incidents/audit
- Policies and procedures - what to be recorded/who can view/how long to retain
- Regular reviews - updated system/cameras added/removed
- Accountability - Named person (IT team - Data Controller + data protection officer)
- Need to pay data protection fee to ICO (£2,900 in my case)
- Register with ICO as CCTV operator
- Complete a data privacy impact assessment with ICO
How did GDPR tighten up the former DPA 1998?
- Customer has greater control over their data
- Harsh penalties if fail to comply - up to £17.5m or 4% of annual turnover (higher)
- GDPR is binding piece of legally enforceable regulation
- Breaches have to be reported to the ICO within 72 hours
- Companies will be accountable for data protection
- Firm over 250 people must have dedicated data protection officer
RICS best practice points for complying with GDPR?
- Conduct data review
- Anonymise data where possible
- Encrypt everything where possible
- Treat commercial data same as personal data, even though not covered by GDPR
What are the exemptions to the Freedom of Information Act?
Absolute Exemptions: national security, court records, parliamentary privilege, personal data protected under the data protection act.
Qualified Exemptions: Information that may be withheld if the public interest in maintaining the exemption outweighs the public interest in disclosure.
What is the public interest test?
Decides under a qualified exemption if it is in the public interest to publish the data
How much does it cost to submit a freedom of information request?
Can be £0
- Limit is £450 for public authorities
- Limit is £600 for central government
How do you ensure accuracy of data?
- Cross-checking
- Auditing
- Undertake data reviews
Does your firm have a privacy notice? What is included?
Yes - It identifies the data controller
- Shows what data is held
- Outlines uses for data
- Outlines how long you hold data for
What are the benefits of the cloud?
- Env friendly - less space
- Speed
- Accessibility
- Collaboration
What is the difference between the UK Data Protection Act and the rules of GDPR?
UK GDPR introduced in 2021, follows similar format of Original EU GDPR
When you downloaded the tenants account history reports, how do you ensure that these are stored safely?
Stored on the electronic filing system (EFS), this is my firm's encrypted filing system. I ensured these were saved under the property-specific folder
What was the purpose of contacting the property’s insurers at Merton Road?
To see if the insurance for the property allowed this and the potential impact on claims and general insurance premiums
What is in a sale checklist like the one you mention at 144-146 Ilford High Road?
Ensures correct information is given to buyers of property to avoid claims:
- Lease/legal information
- Property specific information - History of works, health and safety history, historic insurance claims, previous title deeds, EPCs, service charges, utility history, VAT election notice
How did you ensure that the folder you set up on your system for the sale ensured data safety principles were met?
1) Picked SharePoint as the data room provider - Ensured encryption and password entry
2) Add users - Set boundaries
3) Set permissions for users
4) Add documents and files - These can be downloaded to local internet networks
What are CPSEs used for?
- Selling property
- New lettings
- Assignments
CPSE 1-3 - New lease
CPSE 2 - Sale
CPSE 4 - Assignment
How do you practice handling and managing data in line with GDPR at Workman?
- We have a compliance team and a compliance officer
- Training provided i.e. cyber training on how to be safe online
- IT controls on client data, opt in distribution lists etc.
What does TRAMPS stand for?
Trace Microcomputer Property System
How is SAR requested?
Can be done in writing/verbally etc
What is the difference between the Data Protection Act and GDPR?
The Data Protection Act enacts GDPR into UK law
Who is the data processor and data controller for the CCTV information?
Data processor = security contractor who views and has access to the data
Data controller = Workman as we are defining the means and purposes for holding, using and processing the data
Data is processed on behalf of controller
Has your company got any policies regarding document handling?
Yes - Traffic light system relating to documents that are held and sent
Green - Simple open documents such as blank forms and Workman LLP template forms
Amber - tracked and encrypted documents, usage is tracked, internal docs and emails e.g. tenant financial info, fees, meeting minutes
Red - Confidential docs only accessible for certain few people e.g. completed SAR request forms, internal and external audit findings
Where do Workman store their data?
On the cloud, which is stored in data centres within the UK.
How long does the RICS advise to hold data for?
15 years - The Limitation Act 1980 long stop date
In your experience, is it better to store data on Workman or Client data systems, why?
Conscious some clients are larger institutional funds handling commercially sensitive data and have own requirements and systems
- If using client system - ensure firewall to connect secure locations
- If using Workman system - be aware of client requirements RE password protection, access, location
Did you have to pay a fee for the CCTV?
Yes we had to pay a data protection fee of £2,900 to the ICO
For the sale at 144-146 Ilford High Road, you mention the folder was on your firm's internal system, wouldn't this mean that external visitors could access other files?
No, I ensured access restrictions on this individual folder, which was confirmed with the IT department, ensuring no 3rd party access to other files
What is ISO27001?
Set of requirements for defining, implementing, operating, and improving an Information Security Management System (ISMS)
- Proves to customers that it safeguards their data
What do ISO27001 users have privilege for?
Privileged accounts may access important data or systems or exercise administrative powers.
- It is important to secure privileged accounts to prevent unauthorized use.