Data Management Flashcards

1
Q

What data sources do you frequently use?

A

CarboniCa, EPDs (Environmental Product Declarations) and LCAs (Life Cycle Assessments), PST

2
Q

What systems do you use to store data?

A

CarboniCa, SharePoint, Teams, Excel, Concur, Eric

3
Q

Techniques or methodologies most appropriate to collect and store data:

A

EPDs stored in a spreadsheet, CarboniCa logic in Excel, manually collecting BNG data for our central tracker

Importance of verifying data through triangulation: cross-check a value against independent sources before it is relied on

4
Q

What is the Data Protection Act 2018?

A

The Data Protection Act 2018 replaced the Data Protection Act 1998 and governs the processing of personal data. It creates a single data protection regime for UK businesses and gives individuals control over how third parties use their data. It sits alongside the UK GDPR and mirrors the EU GDPR.

5
Q

What are the key requirements for the Data Protection Act 2018?

A
  • Controllers must carry out a data protection impact assessment (DPIA) before any processing that is likely to result in a high risk to individuals
  • Individuals have the right to find out what personal data is held about them (subject access) and to have it erased
  • The accountability principle: organisations must not only comply with the regulations but be able to demonstrate that compliance to the ICO
  • Personal data breaches that are likely to result in a risk to individuals must be reported to the ICO within 72 hours of the organisation becoming aware of them
  • Fines can be up to 4% of worldwide annual turnover or £17.5m, whichever is higher
  • The ICO enforces the Act
6
Q

What is UK General Data Protection Regulation (GDPR)?

A

The UK GDPR is the EU GDPR as retained in UK law after Brexit, read together with the DPA 2018. It means that personal data may only be processed on one of six lawful bases (consent is one of them, and where it is relied on it must be freely given, specific and informed); all processing must follow 'data protection by design and by default' (Article 25); and personal data can only be collected for specified, explicit and legitimate purposes.

7
Q

What is personal data under the GDPR?

A

Article 4(1) of the UK GDPR defines personal data as any information relating to an identified or identifiable natural person. 'Identifiable' covers direct and indirect identifiers: a name, an identification number, location data, or an online identifier such as an IP address or cookie ID.

8
Q

What could happen if GDPR is not adhered to?

A

If the GDPR is not adhered to, the consequences can include reputational damage, damage to the research process, distress to individuals or harm to their personal safety, and substantial financial or legal penalties.

9
Q

Implications of GDPR for children?

A

Under the UK GDPR a child is anyone under the age of 18. For consent to online services (information society services) the UK age threshold is 13 (DPA 2018 s.9); below that, consent must come from the holder of parental responsibility.

The GDPR enhances the protection of children's data and requires that privacy information aimed at children is written in clear, plain language they can understand. Processing children's data is also a safeguarding issue.

A Data Protection Impact Assessment (DPIA) should be carried out where processing of children's data is likely to be high risk, and used to identify and mitigate the data protection risks to the child.

10
Q

Key principals of GDPR

A
  • Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent way for individuals
  • Purpose limitation: collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes
  • Data minimisation: adequate, relevant and limited to what is necessary for the purposes for which it is processed
  • Accuracy: accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay
  • Storage limitation: kept in a form which permits identification of individuals for no longer than is necessary for those purposes
  • Integrity and confidentiality: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
  • Accountability: Article 5(2) makes the controller responsible for compliance with the principles and requires it to be able to demonstrate that compliance
11
Q

What are an individual’s rights under GDPR?

A
  1. Right to be informed
  2. Right of access
  3. Right to rectification
  4. Right to erasure (the 'right to be forgotten')
  5. Right to restrict processing
  6. Right to data portability (obtain their data and reuse it for their own purposes or with another service)
  7. Right to object
  8. Rights in relation to automated decision-making and profiling
12
Q

Tell us about how you comply with GDPR in your role?

A

Collecting personal email addresses to give participants access to CarboniCa. These were provided individually by email after I had obtained their informed consent regarding the project:

  • They understood the scope of the project and why their email address was needed
    o They only have the accounts for 3 months, after which the accounts and all of the associated personal data are deleted
  • Provision to sign them up to CarboniCa with MSES
  • At any point they could remove themselves from the study and leave CarboniCa
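One way to enforce the retention rule above (accounts and their personal data deleted after 3 months, withdrawal honoured at any point) and the storage-limitation principle, written here as an added example rather than CarboniCa's own code: each participant's email is kept only until the retention window closes, a keyed pseudonym (HMAC-SHA256) survives for the audit trail, and a withdrawal purges the address immediately. The 90-day window, the key and the sample records are assumptions constructed for the example.

```python
"""Retention enforcement for study accounts.

Added example, not CarboniCa's own code. Participants' emails are kept only until the
retention window closes; a keyed pseudonym (HMAC-SHA256) survives for the audit trail,
and a withdrawal is honoured immediately. The 90-day window, the key and the sample
records below are assumptions constructed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RETENTION = timedelta(days=90)  # assumption: "3 months" read as 90 days
PSEUDONYM_KEY = b"hypothetical-key-keep-in-a-secret-store"  # assumption


@dataclass
class Account:
    email: Optional[str]  # personal data; None once purged
    created: date
    pseudonym: str = ""   # keyed hash, safe to retain after the purge


def pseudonymise(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    # HMAC rather than a bare SHA-256: without the key, someone holding a list of
    # candidate addresses cannot confirm which of them took part.
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def enrol(email: str, created: date) -> Account:
    return Account(email=email, created=created, pseudonym=pseudonymise(email))


def purge_expired(accounts: list[Account], today: date,
                  retention: timedelta = RETENTION) -> list[str]:
    """Erase the plaintext email from every account past its retention date.
    Returns the pseudonyms purged on this run (empty when nothing is due)."""
    purged = []
    for acct in accounts:
        if acct.email is not None and today - acct.created >= retention:
            acct.email = None
            purged.append(acct.pseudonym)
    return purged


def participant_withdraws(accounts: list[Account], email: str) -> bool:
    """Withdrawal / right to erasure: purge at once, whatever the retention window."""
    target = pseudonymise(email)
    for acct in accounts:
        if acct.pseudonym == target and acct.email is not None:
            acct.email = None
            return True
    return False


# constructed sample records
SAMPLE = [
    enrol("alice@example.org", date(2024, 1, 10)),
    enrol("bob@example.org", date(2024, 3, 1)),
    enrol("carol@example.org", date(2024, 3, 20)),
]

if __name__ == "__main__":
    run_date = date(2024, 4, 15)
    print("purged:", purge_expired(SAMPLE, run_date))   # alice only (96 days old)
    print("withdrawn:", participant_withdraws(SAMPLE, "Bob@Example.org"))
    print([(a.email, a.pseudonym[:8]) for a in SAMPLE])
```

Run it as a scheduled job with the real account store in place of SAMPLE; the purge is idempotent, so running it twice on the same day purges nothing the second time, and the pseudonyms let you show an auditor that an account existed and was deleted without keeping the address itself.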
13
Q

How do you align yourself to ISO 27001?

A

The standard was updated in 2022. MSC is currently aligned to the 2013 version and is working to re-align to the 2022 version; a gap analysis has been done by MSG.

The MSC Information Management System is aligned to it.

14
Q

What is ISO 27001?

A

ISO/IEC 27001 is the international standard for information security management. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of an organisation. The framework requires the organisation to identify its information security risks and select appropriate controls (listed in Annex A) to treat them, and it is the standard an organisation can be certified against.

15
Q

What is IP?

A

Intellectual property (IP) is a category of property covering creations of the mind. The main types are copyright, trade marks, patents and designs.

16
Q

What would happen if IP were breached?

A

Infringing IP rights can be a civil wrong or, for some types of IP (e.g. counterfeiting a trade mark or commercial-scale copyright piracy), a criminal offence.

CarboniCa has IP which must be protected. This is written into a collaboration agreement with NTU. We offer a licence only under a non-disclosure agreement (NDA) with Circular Ecology and NTU.

17
Q

What is copyright?

A

Copyright is a set of exclusive rights granted to the author of an original work, including the right to copy it. It is a form of IP.
* These rights can be licensed or transferred (assigned)
* Crown copyright covers works created by Crown employees in the course of their duties, such as legislation, public records and OS mapping
* Copyright material used within your own work must be acknowledged (and, unless an exception or licence applies, permission obtained)

18
Q

What is informed consent?

A

Informed consent means, at a minimum, that the participant understands what the research is and what they are consenting to. It must be given freely, without pressure, and before the research begins.

For our Innovate UK project with NTU, we gathered written consent from all participants. I provided them with a brief on the project and gave ample time for consent replies. I used the NTU written consent template, as this was familiar to them and understandable to the participants.

19
Q

How is data securely stored?

A

The EPD spreadsheet is password protected to control who can open and edit it and to reduce the risk of accidental changes. (Note that an Excel 'protect sheet' or 'protect workbook' password only guards against edits; only the open-file password actually encrypts the file.)

Data is encrypted 'at rest' - you need to log back in to view or edit it.

It is kept in two places so that an accidental deletion can be recovered from the second copy.

I did read online that the RICS are planning to release a Data Handling and Prevention of Cybercrime Professional Statement. It is proposed that this will cover how surveyors capture, store and share data, mandated for all firms and members.

MSG use 'Prevalent', which is a third-party risk management system, e.g. GAIA.
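Keeping a second copy only protects against deletion if the copies are actually the same, so here is a check for the 'in two places' point above, added as an example and not MSC or MSG tooling: build a SHA-256 manifest of each location and report files that are missing, extra or changed between them. The file names and contents are constructed in a temporary directory for the example.

```python
"""Verifying that the second copy matches the first.

Added example, not MSC or MSG tooling. A backup copy only protects against deletion
if it really is a copy, so this builds a SHA-256 manifest of each location and
reports files that are missing, extra or changed between them. The file names and
contents used by demo() are constructed in a temporary directory.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_copies(primary: dict[str, str], backup: dict[str, str]) -> dict[str, list[str]]:
    """Differences between two manifests; three empty lists means the copies agree."""
    return {
        "missing_in_backup": sorted(k for k in primary if k not in backup),
        "extra_in_backup": sorted(k for k in backup if k not in primary),
        "changed": sorted(k for k in primary if k in backup and primary[k] != backup[k]),
    }


def copies_agree(primary_root: Path, backup_root: Path) -> bool:
    diff = compare_copies(build_manifest(primary_root), build_manifest(backup_root))
    return not any(diff.values())


def demo() -> tuple[dict, dict]:
    """Constructed sample: two spreadsheets stored in both places, then one file in
    the backup silently drifts and a stray file appears. Returns the diff before
    and after the drift."""
    work = Path(tempfile.mkdtemp())
    try:
        primary, backup = work / "primary", work / "backup"
        files = [("EPD-library.xlsx", b"epd rows"), ("archive/BNG-tracker.xlsx", b"bng rows")]
        for rel, data in files:
            for root in (primary, backup):
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        before = compare_copies(build_manifest(primary), build_manifest(backup))
        (backup / "archive" / "BNG-tracker.xlsx").write_bytes(b"bng rows edited")
        (backup / "stray.tmp").write_bytes(b"")
        after = compare_copies(build_manifest(primary), build_manifest(backup))
        return before, after
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("before drift:", before)
    print("after drift:", after)
```

Point `build_manifest` at the SharePoint sync folder and the second location and run `compare_copies` after each monthly backup; a non-empty "changed" list means one copy has been edited (or corrupted) without the other, which is exactly the case a plain 'keep two copies' rule does not catch.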

20
Q

What is an NDA?

A

A non-disclosure agreement is a contract that establishes a confidential relationship between the parties and restricts how the confidential information shared between them may be used or disclosed.

21
Q

What is the Freedom of Information Act 2000?

A

This Act gives the public a right of access to information held by public authorities:
* The public authority must tell the person requesting the information whether it holds it
* It must supply the information within 20 working days, in the format requested where reasonably practicable
* The public authority may charge a fee for providing the information in limited circumstances

Exemptions to the above apply where:
* Disclosure would contravene the data protection principles (personal data)
* It would prejudice the prevention or detection of crime or a criminal investigation
* It would prejudice a person's or organisation's commercial interests

21
Q

What are CarboniCa’s databases?

A
  1. Carbon factors - EPD library, UK Government GHG conversion factors, Bath ICE 3.0 (Inventory of Carbon and Energy)
  2. IMPACT
22
Q

Why only those Scope 3 categories?

A

CarboniCa calculates our biggest impact categories (the ones most relevant to our business). MSG fills in some of the blanks; I provide the most accurate data for the bulk of our Scope 3.

We also have a Carbon Reduction Plan (PPN 21/06), which is mandatory for the other scopes (we report things like operational business miles in that report).

23
Q

How are we re-aligning to ISO 27001?

A

All operating companies have IT systems and data. The first round is a scenario analysis, followed by an audit that we pay an external body to carry out.

The updated standard brings changes: much more focus on cloud-based systems and SaaS products. Annex A was restructured from 114 controls in 14 domains to 93 controls in 4 themes, 11 of which are new (e.g. threat intelligence, information security for use of cloud services, data leakage prevention, web filtering and secure coding).

24
Q

What security does CarboniCa have?

A

Its external-facing security is provided by our Azure environment, which sits inside our firewalls and further security controls.

25
Q

How does Construction comply with MSG data security system?

A

Construction sits within MSG’s system so it is aligned

26
Q

What else are you aligned to?

A

Cyber Essentials (Plus where the contract requires it) is mandated for central government work: you must hold it if you want to work on central government projects. It means everything has to be kept up to date all the time; security updates rated critical or high must be applied within 14 days of release.

Secure by Design (SBD) is the newer government standard for contracts which need security clearance, e.g. MoD projects.

27
Q

What is the difference between Cyber Essentials Plus and ISO 27001?

A

ISO 27001 is an international standard, whereas Cyber Essentials Plus is a UK government-backed certification scheme (run by the NCSC). Cyber Essentials Plus is the higher of the two Cyber Essentials levels and is needed for many government contracts. Basic Cyber Essentials is a self-assessment questionnaire; Plus adds an independent technical audit in which an assessor scans your internet-facing systems and tests a sample of devices for missing patches and for how they handle malicious email attachments and downloads.

28
Q

How do we securely store data?

A

We have a hybrid architecture: two data centres of our own, space rented from other companies, and cloud software. Azure hosts our data centre services, security, integration layers, firewalls, etc.

In terms of tools, we predominantly use Microsoft 365.

29
Q

What are typical issues we face? How do we prevent phishing for example?

A

Phishing attacks are common, as is user error (the ChatGPT HR example).

Countered with e-learning and simulated phishing campaigns.
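Simulated campaigns train people to report; the next question is what a triage script should check when an email like the 'HR' one above is reported. The following is an added example, not the company's own mail tooling: it parses the raw headers and flags failed sender authentication (SPF/DKIM/DMARC), a display name that claims to be internal while the address is external, a Reply-To that diverts replies, lookalike sender domains and urgency or payment wording. The three messages are constructed and the internal domain msc.example is an assumption.

```python
"""Phishing triage over raw message headers.

Added example, not the company's own mail tooling. It runs the checks a first-line
script can make before a human looks at a reported email: sender authentication
results, a display name that claims to be internal, a Reply-To that diverts replies,
lookalike sender domains and urgency/payment wording. The messages are constructed
and the internal domain "msc.example" is an assumption.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "msc.example"  # assumption for the example

AUTH_FAIL = {m: re.compile(rf"\b{m}=(fail|softfail|none|permerror|temperror)\b")
             for m in ("spf", "dkim", "dmarc")}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|bank details)\b")


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(domain: str, target: str) -> bool:
    """True for msc-example.com, mscexample.com, msc.exarnple or msc.example.evil.net;
    False for the real domain and its genuine subdomains."""
    if domain == target or domain.endswith("." + target):
        return False
    squash = lambda d: re.sub(r"[^a-z0-9]", "", d.lower())
    d, t = squash(domain), squash(target)
    return d.startswith(t) or edit_distance(d, t) <= 2


def triage(raw: str, internal: str = INTERNAL_DOMAIN) -> dict:
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    reply_dom = domain_of(reply_addr) if reply_addr else from_dom
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()

    findings = []
    for mech, rx in AUTH_FAIL.items():
        if rx.search(auth):
            findings.append(f"{mech} did not pass")
    org = re.escape(internal.split(".")[0])
    is_internal = from_dom == internal or from_dom.endswith("." + internal)
    if not is_internal and re.search(rf"\b{org}\b", display.lower()):
        findings.append("display name claims an internal sender but the address is external")
    if reply_dom != from_dom:
        findings.append(f"replies diverted to {reply_dom}")
    if looks_like(from_dom, internal):
        findings.append(f"{from_dom} is a lookalike of {internal}")
    if URGENCY.search(text):
        findings.append("urgency or payment wording")
    verdict = "quarantine" if len(findings) >= 3 else "review" if findings else "pass"
    return {"from": from_addr, "verdict": verdict, "findings": findings}


# constructed messages
PHISH = """From: MSC HR Team <hr-team@msc-example.com>
Reply-To: payroll@mail-recovery.net
To: staff@msc.example
Subject: URGENT: update your bank details within 24 hours
Authentication-Results: mx.msc.example; spf=fail smtp.mailfrom=msc-example.com; dkim=none; dmarc=fail

Please confirm your payroll details immediately via the attached form.
"""

SUPPLIER = """From: EPD Vendor Support <support@epd-vendor.example>
To: sustainability@msc.example
Subject: Updated EPD for precast units
Authentication-Results: mx.msc.example; spf=pass smtp.mailfrom=epd-vendor.example; dkim=none; dmarc=none

The revised EPD is attached.
"""

LEGIT = """From: Facilities <facilities@msc.example>
To: staff@msc.example
Subject: Car park closure on Friday
Authentication-Results: mx.msc.example; spf=pass smtp.mailfrom=msc.example; dkim=pass header.d=msc.example; dmarc=pass

The north car park is closed on Friday for resurfacing.
"""

if __name__ == "__main__":
    for sample in (PHISH, SUPPLIER, LEGIT):
        print(triage(sample))
```

The Authentication-Results header is the one your own mail gateway stamps on arrival, so trust only the instance written by your gateway (strip any that arrive with the message). The supplier message lands in 'review' rather than 'quarantine' because missing DKIM/DMARC is common for small senders; the thresholds are the tunable part.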

30
Q

What would be our procedure if we have a confidential leak?

A

Teams should notify the IT shared services team immediately.

If the breach is likely to result in a risk to individuals' rights and freedoms, it must be reported to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it; where the risk is high, the affected individuals must also be told without undue delay. Breaches that do not meet the reporting threshold must still be recorded internally.

31
Q

What is a firewall?

A

A firewall is a security control that inspects network traffic and allows or blocks it according to a set of rules, preventing unauthorised connections into (ingress) or out of (egress) a computer system or network.
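To show how the 'into or out of' decision is actually made, here is a small first-match packet filter, added as an example and not a description of the company's own firewall: rules are checked top to bottom, the first match wins, and anything that matches nothing is dropped in both directions ('default deny'), which is what makes egress filtering stop a compromised host calling home. The ruleset, addresses and packets are constructed for the example.

```python
"""First-match packet filter with default deny.

Added example of how a firewall decides, not a description of the company's own
firewall. Rules are checked top to bottom and the first match wins; traffic that
matches nothing is dropped in both directions, so egress is filtered as well as
ingress. The ruleset, addresses and packets are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    direction: str    # "in" (internet -> inside) or "out" (inside -> internet)
    proto: str        # "tcp", "udp" or "any"
    src: str          # CIDR
    dst: str          # CIDR
    dport: Optional[int] = None   # None = any destination port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def decide(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (action, reason) for the first matching rule, or the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "default deny: no rule matched"


# constructed ruleset for an internal network 10.20.0.0/16 behind the firewall
RULES = [
    Rule("deny", "in", "any", "0.0.0.0/0", "10.20.0.0/16", 3389, "no RDP from the internet"),
    Rule("allow", "in", "tcp", "0.0.0.0/0", "10.20.1.10/32", 443, "public web front end"),
    Rule("allow", "out", "tcp", "10.20.0.0/16", "0.0.0.0/0", 443, "staff browsing over HTTPS"),
    Rule("allow", "out", "udp", "10.20.0.0/16", "10.20.0.53/32", 53, "DNS via the internal resolver only"),
    # nothing else leaves: a compromised host cannot reach a listener on port 4444
]

# constructed traffic
SAMPLE_PACKETS = [
    Packet("in", "tcp", "203.0.113.5", "10.20.1.10", 443),    # allowed: web
    Packet("in", "tcp", "203.0.113.5", "10.20.1.10", 3389),   # denied: RDP rule
    Packet("in", "tcp", "203.0.113.5", "10.20.1.10", 22),     # denied: default
    Packet("out", "tcp", "10.20.5.7", "198.51.100.9", 4444),  # denied: default (egress)
    Packet("out", "udp", "10.20.5.7", "8.8.8.8", 53),         # denied: DNS must go internal
    Packet("out", "udp", "10.20.5.7", "10.20.0.53", 53),      # allowed: internal DNS
]


def evaluate_all(rules: list[Rule] = RULES, packets: list[Packet] = SAMPLE_PACKETS) -> list[str]:
    return [decide(rules, p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        action, reason = decide(RULES, p)
        print(f"{p.direction:3} {p.proto} {p.src}->{p.dst}:{p.dport}  {action:5} ({reason})")
```

Rule order matters: the RDP deny sits above the allow rules so that no later, broader allow can let it through, and the last two sample packets show why egress rules are written as narrowly as ingress ones.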

32
Q

What is an integration layer?

A

An integration layer is the part of the IT estate that moves data between different databases or systems (APIs, message queues, connectors). It acts like a bridge between them.

33
Q

What can go wrong if data isn’t protected?

A

A fine from the ICO of up to £17.5m or 4% of global annual turnover, whichever is higher.

Interserve was recently fined £4.4m by the ICO for failing to protect employee data and for not following up on 'suspicious activity'.

34
Q

What are the NIS Regulations (Network and Information Systems)?

A

MSC is not covered by these.

They apply to operators of essential services and relevant digital service providers. We do not run the service, we provide the product, so our buyer would be subject to them.

NIS2, the EU's successor directive, entered into force in January 2023 and had to be transposed into member states' law by 17 October 2024; it does not apply directly in the UK, where the 2018 Regulations are being updated separately.

35
Q

Why should we worry about data leaks/risks?

A

Short-term risks - loss of profitability and an ICO fine
Long-term risks - reputational damage in the market, loss of government contracts, a big loss in revenue

36
Q

Does it matter that you are not currently ISO 27001 2022 aligned?

A

No - we are aligned to 2013 and working towards 2022, which is due at the end of May.

Steps include:
1. Internal audit with Blackmoors, who make a 3-year plan in which all controls are tested
2. A 2-day audit by an external company

37
Q

What other legislation relates to data security?

A

Data Protection Act 2018 and the UK GDPR (and the EU GDPR where EU data subjects are involved)
Computer Misuse Act 1990
Intellectual Property Act 2014
Trade Marks Act 1994
Protection of Freedoms Act 2012
Privacy and Electronic Communications Regulations 2003 (PECR, as amended)
Digital Economy Act 2017

38
Q

Tell us about how you got IMPACT Compliance

A
39
Q

What are Global Warming Indicators and Mat 01?

A
40
Q

How is data collected and stored within CarboniCa?

A
41
Q

Why do you sense check EPDs?

A
42
Q

How are CarboniCa’s databases managed?

A
43
Q

How did you create an R&D tracker for all stakeholders for CarboniCa R&D?

A
44
Q

Why did you advise the Client to create a new report format?

A
45
Q

Why did you advise the Client to create Client Targets in the web app?

A
46
Q

How is data graphically displayed in CarboniCa?

A
47
Q

Why did you advise for all data to be in one location on the PST?

A

Streamline KPI reporting
Keep the data secure - monthly back ups
Avoid data duplication and effort
Give 1 person ownership
All of the above is more efficient

48
Q

How did you advise the other divisions to follow your Scope 3 approach?

A
49
Q

What are the penalties which the ICO can give?

A

They can issue warnings, reprimands, enforcement notices and monetary penalties; the maximum fine for the most serious breaches is £17.5m or 4% of global annual turnover, whichever is higher.

An example is Interserve, which was recently fined £4.4m for failing to prevent a phishing attack that led to compromised systems and the leaking of the personal data of 113,000 employees. One employee forwarded the phishing email to another, who opened it.