Data Mangement Flashcards
Why is it important to consider data sources?
To consider the reliability and associated risks
Where possible should verify data against alternative sources through ‘triangulation’
Why is it important data is stored safely?
To keep safe from corruption and control access to ensure privacy and protection
In order to comply with UK GDPR, as well as the RICS RoC and bylaws of confidentiality
What data security technologies are there?
Disk Encryption - on a secure hard disk drive
Regular backups off site
Cloud storage
Password protection and anti-virus software protection
Firewalls and disaster recovery procedures
What data security actions are undertaken in your office?
Password protection
firewalls
disaster recovery
Cloud storage
What is Copyright?
A set of exclusive rights granted to the author or creator of any original work
Rights can be licensed, assigned or transferred
What is intellectual property?
intangible property that is the result of creativity, such as patents, copyrights, etc
What is Crown Copyright?
Refers to all material created and prepared by the government eg. laws, public records, official press releases and OS Mapping
Should you acknowledge copyright in your work?
Yes for any copyright information duplicated in your work
What is set out in the UK General Data Protection Regulation and the Data Protection Act, 2018?
Additional supplement to UK GDPR (2016) - EU no longer applies
Aims to create a single data protection regime affecting businesses and empower individuals to take control of how their data is used by third parties
What are the 7 principles of GDPR?
- Data minimisation
- Purpose limitation
- Storage limitation
- processed fairly & lawfully
- Accurate & up to date
- Security
- confidentiality
What are the key requirements included in the Data Protection Act 2018?
An obligation to conduct data protection impact assessment for high risk holding of data
Gives people rights to be informed about how their personal information is used
What is a data controller?
the person directly responsible for ensuring GDPR, decides how and why personal data is processed
What is the principle of ‘data accountability’?
ensuring that organisations can prove to the information commissioner’s Office (ICO) how they comply with the regulations
What should you do if there is a data security breach?
Must be reported within 72 hours to ICO where there is a loss of personal data and risk of harm to individuals
What are the penalties for non compliance with UKGDPR?
fines of up to 4% of global turnover of the company or £17.5million (whichever is greater)
What are the principles of the UK GDPR?
Article 5(1) principles relating to storage of personal data
Article 5(2) requires that the ‘controller shall be responsible for compliance with the principles
How does Article 5(1) of the UK GDPR state data should be stored?
- Lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary for purpose
- Kept in form which permits identification of data subjects
- Appropriate level of security
What are the 8 individual rights under UK GDPR?
Rectification
Erasure
Access
Data portability
Restrict processing
Automate decision making
Informed
Object
What is the Freedom of Information Act 2000?
Gives individuals the right of access to information held by public bodies
The public body must declare whether it holds info
Public body has 20 days to supply info requested
It can charge for the provision of info
What are the exemptions to the freedom of information act 2000?
- If contrary to GDPR Requirements
- It would prejudice a criminal investigation or a person/organisations personal interest
How can Security of data be improved?
Firewalls
Encryption
Cloud-based systems
Passwords
What is a non-disclosure agreement?
A legally enforceable contract between 2 parties relating to sensitive information
Creates a confidential relationship
What RICS Professional Standard has been proposed?
A standard on Data Handling and Prevention of Cybercrime - covering best practice and mandatory obligations for the capture, storage and sharing of data
What happens if an NDA is breached?
The party that was harmed can take legal action to enforce the agreement and seek damages for any losses that were incurred
Why is it important to verify and analyse data to provide good advice?
It’s important to consider the reliability of data, and without verification of data sources you cannot guarantee accuracy, and therefore may be providing inaccurate advice
What databases and systems have you used?
Microsoft Excel
IDAT
What online databases have you used?
Costar
EGI
Edozo
Land Registry
What are other sources of information in addition to online databases?
Speaking to local agents
Physical evidence and documentation (although usually dated)
Marketing boards
How does a password protected data site ensure GDPR is adhered to?
It ensured data is processed in a manner that ensured appropriate security of the personal data, as per the principles of GDPR
-Confidentiality (security of data)
-Data minimised and purpose limited to this use only
What software did you use for the data site and why? Any others you could’ve used?
I have used our internal dealflow system and Thomson Reuters Data site hosting system (through BCLP lawyers). Secure and has been used several times by the lawyers previously to good effect.
What was the purpose of the data site?
To provide a package of information for potential purchasers for the disposal, and ensure data was kept confidential
What did you consider when setting up the data site?
Considered the principles of UKGDPR and the DPA, and ensured we would be able to deliver on the rights of UKGDPR e.g. right to erasure, right to access
How did you ensure confidentiality to the public? Did you control distribution of the data site link?
Access was granted on an individual basis after providing a name, company and email. Once the link was sent the user had to set up a password protected email.
Distribution of this link was controlled and only sent out to potential purchasers who had undertaken some level of due diligence, or their agents, who we generally knew.
What’s the difference between UKDPR and the DPA?
- UKGDPR (2016) transcribed entirely from EU GDPR
- DPA supplements UKGDPR
- Certain rights under the UK GDPR, such as the right to object to and the right to data portability are not included in DPA (2018)
Why did you close the data site once under offer? How did this comply with GDPR?
To comply with the principle of storage limitation as per UKGDPR guidelines – the data site was closed once it had served its purpose as to hold data this personal data for only as much time is required
How do you comply with GDPR when dealing with mailing lists?
Ensure I comply with the principles of UK GDPR.
Purpose limitation – only used for that purpose
Data minimisation – only hold required information, nothing more
Accuracy – updated regularly
Storage limitation – information safely deleted once no longer required
Integrity and confidentiality – not shared with any other parties
How would you securely delete data?
Delete from files, and ensure this is entirely wiped off the system – checking the recycling bin, and potentially using additionally software such as an eraser system to delete off the drive.
How would you deal with a data breach?
- Contain the breach
- Assess the damage
- Notify those affected
- Investigate the cause
- Take steps to further prevent further breaches
Are you aware of any case law in regards to data breaches? What are the fines associated with a data breach?
Halfords, 2022 – fined £30,000 by the ICO, they sent out 500,000 marketing emails about ‘fix your bike scheme without gaining customer’s consent’.
Difference between a data controller and data processor?
Data controller – decides how data is stored/what data/how it’s protected etc, data processor – just handles the data). Example – cbre is the controller, we are the processor.
When does data become information?
When it is processed, interpreted, and organized
How long can you keep data?
NB remember tie-in with PII and any potential future litigation
Supposed to keep data for 6yrs for PI insurance etc.
Who is the data controller at CBRE?
CBRE Management Service Ltd
What data is required and held in your office?
Dependent on what department and for what use. – CBRE Data Retention Policy
Investment – tracking investment market for trends and specific transactions, client details, mailing lists etc.
What sorts of information can a firm reasonably retain in order to comply with other laws?
As per data minimisation and purpose limitation principles of UKGDPR, information for the purpose of use only can be used, and must be removed once no longer required for that purpose.
E.g. client contact details for a specific transaction.
Can you tell me about the retention of files and the Limitation Act 1980?
File should be kept for 6 years.
The limitation Act 1980 states:
* Contract – 6 years from date of negligence
Tort – 6 years from the date the claimant suffered the loss
How do you source title information?
Land registry
How can you protect electronic data from viruses?
- Be aware of phishing attacks via emails
- Update passwords regularly
- Back up important business data
What does block chain mean?
Blockchain is a system of recording information in a way that makes it difficult or impossible to change, hack, or cheat the system.
Which records are manually kept in your office and why?
Health and safety documents
What is an Electronic Document Management System (EDMS)?
A document management system is a system used to receive, track, manage and store documents and reduce paper
Are electronic signatures accepted by the Land Registry?
Yes
When sending sensitive information, what are the steps you would take?
- Identify the sensitivity of the information
- Choose the appropriate method of transmission – secure transfer protocols (STFP)
- Rensure the recipient is authorised to receive the information
- Document the transmission
- Review and update security practices regularly.
What is data management?
This encompasses all aspects of handling data, from collection and storage to analysis and reporting.
