Data management Flashcards

1
Q

What are the data security technologies available?

A
  1. Disk encryption
  2. Regular backups offsite
  3. Password protection
  4. Use of anti-virus software protection
  5. Firewalls and disaster recovery procedures
2
Q

What is copyright?

A

A set of exclusive rights granted to the author or creator of any original work including the right to copy.

These rights can be licensed, assigned or transferred.

Form of intellectual property.

3
Q

What is Crown Copyright?

A

Refers to all material created and prepared by the Government, such as laws, public records, official press releases and OS mapping

4
Q

What does GDPR stand for?

A

General Data Protection Regulation 2016

5
Q

What is the Data Protection Act 2018?

A

UK’s implementation of GDPR

6
Q

What does the Data Protection Act 2018 cover?

A

The Act is a complete data protection system, so as well as governing personal data covered by GDPR, it covers all other general data

7
Q

What did the Data Protection Act 2018 replace?

A

Data Protection Act 1998

8
Q

When did the Data Protection Act 2018 come into force?

A

25th May 2018

9
Q

What does the Data Protection Act 2018 aim to do?

A

To create a single data protection regime for anyone doing business in the EU and to empower individuals to take control of how their data is used by third parties.

10
Q

What is the ICO?

A

Information Commissioner’s Office

11
Q

How long do companies have to report data security breaches to the ICO?

A

72 hours

12
Q

What are some of the obligations under the Data Protection Act 2018?

A

There is an obligation to conduct data protection impact assessments for high-risk holding of data

13
Q

What are the fines?

A

4% of global turnover or 20 million euros (whichever is greater)

14
Q

Article 5(2) requires that the controller shall be responsible for what?

A

For, and be able to demonstrate, compliance with principles

15
Q

What are the 8 individual rights under GDPR?

A
  1. Right to be informed
  2. Right of access
  3. Right of rectification
  4. Right to erasure
  5. Right to restrict processing
  6. Right to data portability
  7. Right to object
  8. Right to automated decision making and profiling
16
Q

What is the Freedom of Information Act 2000?

A

It gives individuals the right of access to information held by public bodies

17
Q

The public body is required to supply the information within what period?

A

Normally 20 working days in the format requested

18
Q

What exceptions are there to the Freedom of Information Act 2000?

A
  1. Contrary to the GDPR requirements
  2. It would prejudice a criminal matter under investigation or a person's/organisation's commercial interests
19
Q

How can the security of electronic data be improved?

A
  1. Firewalls
  2. Encryption
  3. Passwords
20
Q

What is the purpose behind the RICS Professional Statement on Data Handling and Prevention of Cybercrime?

A

Covers best practice and mandatory obligations with which RICS professionals and regulated firms must comply.

It addresses how surveyors capture, store and share data appropriately and securely and it is likely to mandate policies, practices and training for all regulated firms and members.

21
Q

What is a Subject Access Request?

A

When a user requests information under Article 15 of GDPR

22
Q

If a tenant would like access to some CCTV footage, what is required?

A

Subject Access Request

Liaise with data protection officer on what is required and what can be given

23
Q

What is a firewall?

A

Network security system that monitors and controls incoming and outgoing network traffic, based on predetermined security rules

24
Q

What is encryption?

A

Mathematical function that codes data so only authorized users can access it

Makes readable text unreadable unless a code or decryption key is known

25
Q

What are the principles of GDPR and DPA 2018?

A
  1. Information must be used lawfully and transparently
  2. Information must be collected for a legitimate and specified purpose
  3. Information must be adequate and limited to necessity
  4. Information must be accurate and kept up to date
  5. Information must be kept safe and no longer than necessary
26
Q

What are the obligations of GDPR?

A
  1. Must have knowledge of the data you store and process
  2. Must be able to delete every instance of an individual's data
  3. Must demonstrate compliance in managing data
  4. Must offer data portability
  5. Must be able to prove how information is being processed
27
Q

How do you treat / manage confidential information?

A
  1. Conduct data reviews
  2. Anonymise data where possible
  3. Encrypt data where possible
  4. Treat commercial data as personal data
  5. Understand what data we hold and how it is processed
  6. Password protection and secure data sites
  7. Use of firewalls
  8. Have a breach policy response
28
Q

What other legislation is there relating to data management apart from GDPR and Data Protection Act 2018?

A
  1. Freedom of Information Act 2000
  2. Limitation Act 1980
29
Q

How long can you hold data for?

A

No specific time limit – GDPR says no longer than necessary.

Organisation's privacy policy should dictate.

As short as possible and as agreed with the data subject.
30
Q

Why was GDPR introduced?

A

To consolidate data protection laws across EU member countries and provide greater protection and rights to individuals
31
Q

Why is it important that data is uploaded correctly?

A

To ensure protection of individuals' data and compliance with legislation
32
Q

When are you allowed to upload data / share data? How did you know you were allowed to do this?

A

Firm's privacy notice dictates what data we hold, how it is processed and also how and when we might share with a third party and which third party it would be shared with. For example, at the sale of a property. This privacy notice is issued to all tenants.
33
Q

How have consent conditions been strengthened under GDPR?

A
  1. Consent must be clear and indistinguishable from other matters
  2. Consent must be provided in an intelligible and easily accessible form, using clear and plain language
  3. Must be as easy to withdraw consent as it is to give consent
34
Q

When can an individual request for their information to be deleted?

A
  1. If an individual's data has been unlawfully processed
  2. If an individual's data is no longer necessary for the purpose it was originally collected
35
Q

What is privacy of design and is it a legal requirement?

A

Implementation of security systems into the original design of management systems as opposed to later additions – yes, it’s a legal requirement
36
Q

List the 7 key principles of GDPR?

A
  1. Lawfulness, fairness and transparency
  2. Purpose Limitation
  3. Data minimisation
  4. Accuracy
  5. Storage Limitations
  6. Integrity and Confidentiality
  7. Accountability
37
Q

How long can you hold data for?

A

Shortest time is 6 years for accounting VAT/tax purposes, but the Limitation Act 1980 provides for a period of up to 15 years for a professional negligence claim.

Depends on different factors though, such as: do they include any original contracts or leases, do they relate to a current project, do you need them to justify your fees, are the files relevant to any disputes, and are they needed for any litigation?
38
Q

If an assignment completed on a lease, please can you confirm how long you should hold the assignor information for on the system?

A

Would depend on the terms of the assignment.

Is there an AGA in place? If so, you would hold the assignor details until the end of the lease and then 6 plus one year.

Same for privity of contract.

Could also argue you can hold details until arrears are cleared in full.
39
Q

What are CPSEs?

A

Commercial Property Standard Enquiries
40
Q

What constitutes personal data?

A

Information relating to a person to identify that person, e.g. names, photo, email, bank details, IP address
41
Q

Give some examples of personal data and how they apply to property companies.

A
  1. Data relating to investors
  2. Data relating to fund managers / Clients
  3. Valuations
  4. Compliance
  5. Bookkeeping payroll
  6. Background checks
  7. HR
  8. Tenant information
42
Q

What organisations are exempt from GDPR?

A
  1. Exceptions for organisations with fewer than 250 employees
  2. Private individuals not engaged in business activities
43
Q

What is your firm's data protection policy?

A
  1. Follow legislation
  2. Suspected breaches should be reported to the individual line managers or firm's data protection officer
44
Q

How do you apply your firm's data protection policy?

A
  1. I ensure I have an understanding of sensitive and protected data
  2. I don’t send sensitive or protected data unless it is to the individual
  3. Anonymise information where possible
  4. I report suspected breaches
45
Q

Who regulates GDPR in the UK?

A

The Information Commissioner's Office
46
Q

What are the obligations imposed by GDPR?

A
  1. MUST have knowledge of the data you store and process (including its location and security)
  2. MUST be able to delete every instance of an individual's data
  3. MUST demonstrate compliance in managing data
  4. MUST be able to prove how information is being used
  5. MUST offer data portability
47
Q

What are the RICS best practice guidance points for GDPR compliance?

A
  1. Conduct data reviews to understand risks
  2. Anonymise data where possible
  3. Encrypt where possible
  4. Create breach policy response
  5. Treat commercial data as personal data
  6. Understand data processes
48
Q

Give me an example of how you process and handle confidential information?

A
  1. Use document systems to add, amend and remove information
  2. Upload files to secure data room
  3. Anonymise information
  4. Password protection to access files
49
Q

What should be included in a firm's privacy notice?

A
  1. What information you have
  2. What information will be used for
  3. Which third parties you may share information with
  4. How long information is being kept for
  5. What legal right the firm has