Data Management Flashcards
(130 cards)
1
Q
What regulation governs laws on data protection and privacy?
A
UK General Data Protection Regulation 2020
2
Q
What is the maximum GDPR fine set by UK GDPR and DPA 2018?
A
20 million euros (£17.5 million) or 4% of annual global turnover (whichever is highest)
Could also face criminal charges
3
Q
Data offences can be punished by what?
A
- Warnings
- Temporary or permanent ban on data processing
- Restriction or erasure of data
- Suspend data transfers to 3rd party countries
4
Q
What is the Data Protection Act 2018?
A
- UK’s implementation of GDPR
- Replaced the DPA 1998
- Controls how personal information is used by organisations, businesses or the government
- Designed to protect personally identifiable information
5
Q
What is the Freedom of Information Act 2000?
A
- Gives individuals the right of access to information held by public bodies
- Public body must tell any individuals requesting sight of the information whether it holds that information
- Must be supplied within 20 working days in the format required
- Can be charged for the provision of the information
6
Q
How do Freedom of Information Act 2000 requests work?
A
- Must be in writing
- Information must not be exempt
7
Q
What security measures can you use to protect data?
A
- Password protection
- Security markings
- Physically locking storage units
- Encryption firewalls
- Two factor authentication
8
Q
What best practices would you encourage in terms of managing data?
A
- Cross reference computer with hard copy
- Back up IT systems
- Write once, read many times
- Keep an audit trail
- Ensure electronic signature cannot be altered (send PDF not Word)
9
Q
Tell me what you know about GDPR?
A
- Following Brexit, the UK GDPR 2020 was introduced.
- This set out the main responsibilities for organisations using, storing and handling personal data
- Article 5 sets out consumer rights
- Applies to the VOA - the right to correct is something we actively do in the Check stage in CCA and in the form of return where personal data is explicitly collected
10
Q
What is personal data?
A
Any information which is related to an identified or identifiable person
11
Q
What are encryption, firewalls and blockchain?
A
Encryption = Securing data by encoding it mathematically so it can only be read or destroyed by those with the correct key or cipher
Firewall = Network security device that monitors traffic to/from your network, it allows/blocks traffic based on a set of security rules
Blockchain = Digitally distributed, decentralised public ledger that exists across a network
12
Q
How do you process and handle confidential information?
A
- Don’t print what I don’t need to
- Ensure appropriate saving with correct name conventions
- Don’t leave computer unlocked or unattended
13
Q
How do you extract data from a source regularly used in your role?
A
- Internal database - CDB for rental and sale information
- Set parameters for data to refine prior to download
- Use filters on Excel to refine the data to what I need
14
Q
What is an Electronic Document Management System (EDMS)?
A
- Software package designed to manage electronic information and records within an organisation’s workflow
- Allows a user to manage the creation, storage and control of records while allowing others to access and edit documents
15
Q
What type of documents can electronic signatures be used for?
A
To replace handwritten signatures in virtually every personal or business process
e.g. contracts, application forms and non-disclosure agreements
16
Q
How do you ensure that data is kept securely?
A
- Permission levels on EDRM and Sharepoint to restrict who can access data, preventing conflicts o interest in terms of accessing information
e.g. rating valuer accessing plans and data collected for a different purpose - Back up work/systems where necessary
- Ensure properly labelled as ‘Official - Sensitive’ info to show others that care must be taken
17
Q
How do you validate information?
A
- Cross check with another source
- Call to get further information/confirm details
- Adopt a common sense approach
18
Q
What are the pros and cons of primary data?
A
Pros
- Specific to needs
- Greater control
- More up-to-date
- May be more accurate
Cons
- Expensive (may make it more difficult)
- Time consuming
19
Q
What are the pros and cons of secondary data?
A
Pros
- Easily accessible
- Affordable
- Less time consuming
Cons
- May lack reliability
- May be outdated
- May have to deal with irrelevant data before finding suitable data
20
Q
You shared rental evidence with an agent for rating purposes. did you have permission to share that information?
A
- Yes, the VOA is subject to the Commissioners for Revenue and Customs Act 2005
- This covers the confidentiality of information held by the VOA and when its lawful to disclose that information
- VOA cannot disclose information except in limited circumstances including legislative gateways/consent
- Section 18(2) and (3) allows sharing of data so long as it is reasonable and proportionate to do so
- BA treats information from VOA as confidential even if the information sharing agreement is terminated
21
Q
What is Section 18 of the CRCA 2005?
A
It sets out where information can be disclosed. Do not disclose this information unless:
- it is essential for one of our functions
- it is allowed by specific legislation
- it is with consent of the customer
- it is in the course of civil proceedings
22
Q
What is Section 7 of the CRCA 2005?
A
It sets out the VOA’s functions:
- compilation and maintenance of rating lists and council tax lists
- valuation of property
23
Q
What is Section 10 of the CRCA 2005?
A
It allows the VOA to provide a valuation of property:
- for any purpose relating to its function
- at the request of a public authority
24
Q
How did you store data collected on inspection?
A
- Electronically using Word and Excel
- Uploaded inspection notes and photographs to EDRM system with access restrictions and appropriate name and labelling
25
Can other colleagues access information you are working on?
Not if they are in a different team
e.g. DVS will not be able to access information stored for rating purposes
26
What are the exemptions in the Freedom of Information Act 2000?
- Personal data
- National security
- Information held by the VOA for its functions that either directly identifies a person or enables their identity to be deduced from it, is exempt from disclosure under S44 of the FOI Act 2000 as it is prohibited by S23 of the CRCA 2005.
27
Tell me about the DPA 2018?
- Controls how your personal information is used by organisations, businesses or the government
- Everyone responsible for using personal data has to follow strict rules called 'Data Protection Principles' also known as PACKAP
- Consumer rights (ACCEP)
28
How long do you keep information for and how is it disposed of?
- Kept for a minimum of 6 years
- VOA has a team who deals with erasure and data disposal
29
What regulation covers sharing data?
Commissioners for Revenue and Customs Act 2005 (CRCA)
30
What are the benefits of cloud based systems?
- Information is backed up by encrypted servers
- Accessibility can be managed via online settings
- Cheaper than physically storing and managing files
- More convenient to send and share files
- Environmentally friendly
- Multiple users can access the same document at the same time
31
What is a non-disclosure agreement?
- Used to protect against the disclosure of sharing any confidential data
- Prior to information being shared, clients will typically request that the recipient signs up to an NDA
- Often used to prevent confidential or sensitive property information being used or talked about by competitiors
32
If two departments within your firm were working for rival companies, how would you ensure sensitive data is managed?
- Make the client aware of risks
- Conflict of interest protocol
- Informed consent
- Keep staff exclusively in one team
- NDAs
- Separate working locations
- Use secure document systems with access restrictions
33
Who are the key persons outlined within GDPR?
Controller = person that determines the purpose and means of processing personal data e.g. employer
Processor = person that processes personal data on behalf of the controller e.g. call centres acting on behalf of its client
Data Protection Officer = leadership role required by EU GDPR - responsible for overseeing data protection approach study and implementation
34
What should companies put in place to ensure GDPR compliance?
- Raise awareness across the business
- Audit personal data
- Review procedures supporting individual rights
- Identify and document the legal basis for processing personal data under GDPR
- Train staff and give them the information
35
What personal and confidential information does your organisation hold?
- Personal data relating to VOA employees
- Emails containing sensitive or confidential information
- Customer correspondence received in confidence
- Customer records
- Property information
- Contractual information relating to past, present or future companies
36
What is disclosure?
- Sharing information with others
- Before sharing information you must be sure you have the right to disclose it and the person requesting it has the right to receive it
37
What two ways does the FOI Act provide the public with access to information held by public authorities?
1) Public authority obliged to publish certain information about their activities
2) Members of the public are entitled to request information from public authorities
38
When would you disclose information about taxpayers/customers to third parties?
In line with the CRCA 2005:
- if essential to functions
- in line with legislation
- consent
- civil proceedings
e.g. law allows us to disclose rental information when dealing with a rating challenge and the appellant can request rental information proportionate to ours
39
How do you deal with someone requesting to access their own personal information?
- Deadline of 1 month to response to request
- Forward to subject access request (SAR) inbox immediately
- If part of an outstanding case, would consider if it can be dealt with more appropriately as business as usual under CRCA
- Verbal request for property information cannot always be answered verbally - we may require verification of the person's link to the property before deciding to disclose
40
How would you deal with a FOI request?
- Check the request is made in writing
- Check it includes the requester's name and address and clearly describe the information wanted
- Forward request to FOI inbox team
41
What are the 7 principles of the DPA?
Information held must be:
1) Secure
2) Fairly and lawfully processed for relevant purposes
3) Accurate and up-to-date
4) Not kept longer than necessary
5) Not given to 3rd parties
6) Disposed of securely
7) Processed in line with the data subject's rights
42
What are the 3 principles of GDPR and DPA 2018?
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
43
How do you comply with UK GDPR and DPA 2018 in your role?
- I am aware of different types of information we hold
- I complete the relevant training on understanding UK GDPR and DPA
- I store data in the appropriate locations
- I use appropriate document markings when storing and sharing information (Official-Sensitive)
- I use secure information sharing such as Outlook rather than Teams
44
What are the 7 principles of GDPR?
1) Lawfulness, fairness and transparency
2) Purpose limitation
3) Data minimisation
4) Accuracy
5) Storage limitation
6) Integrity and confidentiality
7) Accountability
45
What are the 8 individual rights under GDPR?
- To be informed
- To access
- To rectify
- To restrict processing
- Data portability
- To object
- To automated decision making and profiling
- To erasure
46
What do the Privacy and Electronic Communications Regulations 2003 as amended in 2018 and 2019 apply to?
- UK's implementation of EU eprivacy directive
- Set of rules that protect the private rights of customers for marketing
- A complement to the DPA and UK GDPR
- Specific rules on marketing calls, emails, texts and faxes; cookies; customer privacy; keeping communication services secure
47
What is copyright?
It is the exclusive and assignable legal right given to the originator for a fixed number of years to print, publish, perform, film or record literary, artistic or musical material
48
What is Intellectual Property (IP)?
It is intangible property that is the result of creativity, such as patents, copyrights etc.
49
Can Intellectual Property (IP) be transferred?
Yes
- Through written agreement such as a contract or assignment
- It should clearly state the details of the transfer including specific IP rights being transferred, parties involved and conditions/limitations
50
What is the Limitation Act 1980?
It is a section of UK law that sets out rules for how long someone can take legal action to recover money they are owed.
It only applies when no contact has been made between the creditor and debtor within the given time limit and only applies to residents of England and Wales.
51
Tell me about the retention of files under the Limitation Act 1980?
Files kept for 6 years:
- personal injury
- crime
- debt collection
- county court litigation
- immigration
Files kept for 15 years:
- sales of leasehold properties
- residential property purchases
- property sales
- probate
- financial services
Files kept for longer than 15 years:
- name change
- wills
- pension schemes
- IP
- company formation
52
What is the difference between a deed and a registered title?
Deed = The physical document that proves ownership
Title = Concept of legal ownership that the deed grants
53
What are the differences between manual and electronic records?
- Paper documents are difficult to search/carry/copy and modify
- Paper documents are easily damaged, misfiled or misplaced
- Electronic documents are delivered by networks, disks, flash memory and CD/DVD and stored on a file system
- Electronic documents can be hacked externally
- Multiple users review electronic documents simultaneously
54
What is an index map?
- A type of finding aid that enables users to find a set of maps covering their regions of interest along with the name or number of the relevant map sheet
- Provides geospatial data on either paper or computer screen
55
How can you protect data from viruses?
- Keep systems, browsers and important apps up to date
- Antivirus software
- Anti-spy software
- Firewalls
- Strong passwords
- Be wary of phishing and suspicious emails
- Use a secure wifi connection (VPN)
56
What does blockchain mean?
A system in which a record of transactions especially those made in a cryptocurrency, is maintained across computers that are linked in a peer to peer network
57
What is BIM?
Building Information Modelling
- Workflow process
- Based around models used for the planning, design, construction and management of building and infrastructure projects
58
What is an AVM?
Automated Valuation Model
RICS definition: "using one or more mathematical techniques to provide an estimate of value of a specified property at a specified date, accompanied by a measure of confidence in the result, without human interaction post-initiation"
59
Explain the growing use of AVMs in the industry
- They are increasingly being used as an input to the valuation process or as a second opinion
- Examples of funds being valued using an internal AVM, with a human valuer reviewing and providing assurance in their roles as an external, independent valuer e.g. Rightmove or Hometrack (used by Zoopla)
60
What is ISO 9001?
- It sets out the requirements on how firms should control data and documents relevant to the service they provide
- Sets out requirements for a company's Quality Management System (QMS) which is about the management of the entire enterprise and its operational processes
61
What does ISO 27001 relate to?
International standards for information security
- It sets out the specification for an effective ISMS (Information Security Management System)
- Helps organisations manage their information security by addressing people, processes and technology
62
What is the Civil Evidence Act 1995?
It is an Act to provide for the admissibility of hearsay evidence, the proof of certain documentary evidence and the admissibility and proof of official actuarial tables in civil proceedings; and for connected purposes
63
Are electronic signatures accepted by the Land Registry?
Yes
- Under English law a deed can be validly signed and witnessed using an electronic signature platform e.g. Docusign e-signature
64
What type of documents can electronic signatures be used for?
- Legal documents
- Contractual agreements
- Invoices
- Financing documents
65
What is data redundancy?
- When the same piece of data exists in multiple places whereas data inconsistency is when the same data exists in different formats in multiple tables
- Data redundancy can cause data inconsistency which can provide a company with unreliable/meaningless info
66
What is Vlookup used for?
- It is a built-in Excel function used to search for a value in the first column of a table range and return a corresponding value from another column in the same row
- It means "vertical lookup"
- Commonly used for data retrieval and analysis tasks
67
What is a pivot table?
- It is an interactive way to quickly summarise large amounts of data
- Used to analyse numerical data in detail
- Used to query large amounts of data in many user-friendly ways
68
What is a Business Management System?
- A set of tools for strategic planning and tactical implementation of policies, practices, guidelines, processes and procedures that are used in the development, deployment and execution of business plans and strategies and all associated management
69
AVM example - What is an AVM?
Put simply, a market valuation produced through mathematical modelling.
Based on market analysis of location, market conditions and real estate characteristics.
70
AVM example - What is your view on the use of AI/AVMs in property valuation?
- It has the potential to offer greater accuracy and efficiency in carrying out valuations.
- AI algorithms are able to evaluate other comparable properties and pinpoint an estimated valuation.
- Drawbacks = site specific abnormal factors such as property condition and special values cannot be considered i.e. HRRBs.
= susceptibility to a reliance on bad data which can reduce the accuracy of the inputs.
= can provide access to a wide array of data and greater efficiencies when used as a data collection and processing tool.
= critical to have significant input from a human appraiser standpoint in order to undergo rigorous checks and due diligence.
71
AVM example - Have the RICS considered the use of AVMS recently?
Yes in the RICS Harris Debate 2024. The Harris Debate is organised annually and provides a platform to address ethical concerns in the field of surveying and valuation.
Focussed on the theme of ethics in the age of artificial intelligence and its impact on valuation practice.
72
AVM example - What are the ethical implications of adopting AI/AVMs in property valuation?
- Rely on data and if this in inaccurate, incomplete or intentionally weighted following bias data input, this dramatically skews results.
- Issues with transparency of data input and analysis with operators of AI not always fully cognisant of how the results have been generated
- Creators can't fully explain how decisions are made so valuations with sole AI/AVM input would not comply with current regulations and industry standards.
73
AVM example - What wider impact will AI/AVMs have on the property industry?
- Enhanced property management
- Data-driven decision making
- Streamlining transactions
- Simulate impact of new developments
- Risk management
Emphasises the collaboration between technology and human expertise
74
AVM example - What RICS guidance is there on AVMs?
Insight Paper 2022 - Automated valuation models (AVMs): implications for the profession and their clients
Red Book 2025 - PS1 and VPS5 Valuation models - ‘No model without the valuer applying professional judgement, for example an automated valuation model (AVM), can produce an IVS-compliant valuation’.
75
AVM example - What are non-useful sales?
The objective of the modelling is to produce value estimates which are consistent with the statutory basis of valuation for Council Tax. They key assumptions being:
- open market sale between a willing buyer and seller
- vacant possession
- freehold or long leasehold (at least 99 years)
- reasonable state of repair
- use restricted to a private dwelling
- no development value.
Therefore exclude non-open market sales such as connected parties, discounted sales, forced or repossession sales. Also sales from properties with a sitting tenant, part shares, reflecting development value or in a poor state of repair.
76
AVM example - What is sales verification?
Investigation of sales information to verify that a sale is open market value, that it is useful for modelling purposes and to ensure that the property attribute data at the date of sale is correct.
This improves the model accuracy, reduces unnecessary outlier investigation and verifies the data inputs.
77
AVM example - What data does the AVM rely on?
- Sales data (SDLTs and Land Registry) - verified during the sales verification stage.
- Property attribute data of both sold and unsold properties
- Geographical data including ONS boundaries and grid co-ordinates
78
AVM example - What property attribute data explains differences in house values?
The characteristics of a property such as location, size, type, age, construction, date of sale, plot size, condition, number of bedrooms and any additional value significant factors
79
AVM example - What is Council Tax Welsh Reform?
The re-assessment of over 1.4 million domestic properties whilst providing greater transparency and improved engagement with customers.
80
AVM example - What is Council Tax?
A tax on domestic property collected by the local authority.
81
AVM example - How did you verify the property attribute data linked to the sale?
Checked our internal records and verified this with local planning documents and Rightmove sales particulars.
82
AVM example - How did you ensure the evidence was securely stored?
Password protected, official-sensitive marker, information barriers in place so only the team working on this project have access.
83
What is Section 18 of the CRCA 2005?
Section 18 of CRCA makes clear that you must not disclose HMRC information to anyone, unless you have lawful authority to do so:
- For the purposes of HMRC’s functions. An example is where it is necessary to advise a bailiff of a taxpayer’s name and address in order that the bailiff can enforce collection of overdue tax.
- Where the person or organisation that the information is about has given their consent. An example could be a taxpayer who provides authorisation for an agent, accountant or other third party to receive confidential information.
- Where the duty of confidentiality is specifically overridden by legislation that permits the disclosure of information to a particular third party. These are often known as ‘legal’ or ‘information’ ‘gateways’.
- Where HMRC receives a court order that is binding on the Crown which instructs HMRC to disclose information.
- Where disclosure is made for the purposes of a prosecution being pursued by HMRC.
- Where disclosure is in the public interest.
- Disclosure to the relevant prosecuting authorities.
84
Can you talk me through your example of using the AVM for sales verification?
I assisted with the sales verification exercise for the Welsh Council Tax Revaluation 2025. I removed non-useful property sales from the AVM model in order to improve model accuracy. Using SDLT and Land Registry sales evidence, I verified sales which were at open market value. I then verified the property attribute data linked to that sale to ensure it correctly reflected the property at the time of sale. I then ensured all evidence was securely store within the VOA's internal database.
85
Can you talk me through the Form of Return viewing you carried out?
During a Challenge case the agent requested to view rental evidence submitted within my response. As copies of the rental evidence cannot be provides, I arranged for the agent to view them at my local office. I arranged access with the building's estates team, booked a private room to mitigate the risk of a data breach to colleagues within the building. I met the agent in reception and escorted them at all times. I advised the agent that they could view the data but not take photocopies or photographs. I ensured personally identifiable information was redacted in accordance with CRCA. I then escorted the agent back to reception and witnessed them leave the premises.
86
What is Reg 17 of the Valuation Tribunal for England (Council Tax and Rating Appeals) Regs 2009 as amended?
This specifies that the VT can give directions on evidence required, the manner and time in which they're provided.
- Within 2 weeks of the hearing, all info to be used has been given to the other party to the proceedings.
- If not less than 24 hours notice, each party is permitted to inspect the documents or media
- The number of dwellings in the notice should not exceed 4 or if greater, the number in our notice.
87
Which section of CRCA presents personally identifiable information?
Section 18 - disclosure
88
Can you talk me through your example of creating the Valuation Tribunal Pack for the Resi in Lichfield?
I produced the statement of case to be used when presenting at VT. The taxpayer disputed their Council Tax banding. I sourced comparable evidence and organised the sales and tonal evidence, weighted it and presented it in a table. I provided a floorplan and location plan of the subject and comparables using mapping software. The disclosure was in line with Section 18 CRCA and Reg 17 of the VTE Regs. I ensured this statement of case was sent to both the VT panel and taxpayer via email, verifying email addresses and ensuring it was sent in a PDF format with the Official-Sensitive marker.
89
VT pack Lichfield - What is tonal evidence?
Tone is the general level of bands which have been established in an area for a particular type of property.
This is where a number of similar properties have bandings which, over time, have not been challenged or changed. A tone is also set when appeals on properties in the area have been settled or decided by the Tribunal.
90
Can you talk me through the database you created for agricultural properties?
I developed a spreadsheet of comparables to value agricultural properties for Council Tax Welsh Reform. I cleansed the data we had to ensure it was reliable. I then compiled evidence of farm and land transactions in order to place a price per acre on the land depending on its size. External sources such as market reports were used to validate my values. I exported this sales data into a database along with non-composite comparables in order to be able to compare dwelling and outbuilding values. It was password protected with restricted access. I transposed the data over a map of Wales to visualise the data and found that a broad brush approach was most appropriate when applying adjustments to agricultural properties based on their acreage. I presented this to senior surveyors who agreed with my valuation approach.
91
Agricultural database - What is horizon scanning?
Foresight method to detect any potential risks.
I ensured data had been cleansed so that reliable data was used, preventing reputational damage and ensuring correctness
92
Agricultural database - What do you mean by data cleansing?
Identifying and correcting inaccurate or unreliable data.
93
Agricultural database - What does composite and non-composite mean?
A ‘composite’ hereditament is a dwelling which has domestic and non-domestic parts as per Local Government Finance Act 1998.
94
Agricultural database - Why are allowances applied to agricultural properties?
This is to reflect an average value reduction for the domestic element based on size of the holding
95
In relation to your FOR viewing example, why could you provide FOR information under section 18 of the CRCA?
Disclosure made for the purposes of a function of HMRC
96
What legislation provides that an agent is unable to take photos of an FOR?
Regulation 17(4)(b)(ii) of The Valuation Tribunal for England (Council Tax and Rating Appeals) (Procedure) Regulations 2009; The Valuation Tribunal for England (Council Tax and Rating Appeals) (Procedure) (Amendment) Regulations 2021.
97
Is the Electronic Document Management 1st edition current guidance?
No, it’s been archived, and updates should be checked before electing to act in accordance with this guidance document.
98
How much notice must an appellant provide in order to view an FOR?
“not less than 24 hours”, as per Regulation 17.
99
Why must personally identifiable information be redacted in accordance with the CRCA?
Only relevant information required to perform function of HMRC. Also bound by GDPR.
100
If, while at the FOR viewing, the agent asked to view the 2023 rent on one of the comparables, how would you advise the agent?
As per Reg 17 of the VTE Regs 2009 as amended, I would not disclose this evidence as it not relevant to the existing proposal (being a 2017 list Challenge).
101
Can you talk me through your management of data in your agricultural property example, and the advice you gave off the back of this?
I developed a spreadsheet of comparables to value agricultural properties for CT Welsh Reform. I ensured data had been cleansed so that reliable data was used, preventing reputational damage and ensuring accuracy. I compiled comparable evidence of farm and land transactions to place a price per acre on the land using SDLT transactions and validating these values using external sources such as Knight Frank and Savills. This spreadsheet was password protected, with the correct naming conventions and had restricted access. The sales data was then exported into a database along with data of non-composite comparables in order to compare dwelling values. I transposed this information over a map of Wales and established a broad brush approach could be taken when applying adjustments to composite properties based on the acreage of the land. I advised senior surveyors of the data I had collected and manipulated in order to reach my final values which they agreed to. This then allowed surveyors to value agricultural properties in Wales.
102
For your VT pack example, if you provided transaction information enabling the identity of the parties to be deduced, what part of the CRCA would cover this?
Section 19(1)(b)
103
In accordance with what legislation would you be unable to use transaction data in VT proceedings unless it has been provided to all parties at least 2 weeks in advance?
Regulation 17(4)(a) of The Valuation Tribunal for England (Council Tax and Rating Appeals) (Procedure) Regulations 2009.
104
What is a SAR?
Subject Access Request - the right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data from you, as well as other supplementary information.
105
What does an SAR entitle an individual to obtain?
Confirmation that you are processing their personal data; a copy of their personal data; and other supplementary information.
106
What does TARGETING mean in Principles of Better Regulation?
Regulation should be focused on the problem and minimise side effects.
107
What is the ICO?
Information Commissioner's Office
108
What is the maximum prison time for wrongful disclosure under the CRCA?
2 years
109
If you worked in private practice, would your considerations differ (i.e. CRCA)?
No CRCA, you would handle client data to aid your organisation but still comply with DPA and GDPR
110
Who has to comply with the data protection principles in the DPA 2018?
Everyone responsible for using personal data
111
Are there any recent updates to data management in the general market?
Data (Use and Access) Bill is still in the House of Commons - aims to enhance data sharing between public and private sectors while ensuring individual privacy protections.
Increase in ICO’s fees paid by data controllers
112
What is the ICO?
The ICO is the UK’s independent body set up to uphold information rights.
In the UK, the Information Commissioner’s Office is responsible for regulating compliance with the Data Protection Act 1998, Freedom of Information Act 2000 and the Environmental Information Regulations 2004.
113
How does the VOA collect data?
* From ratepayers and representatives
* Forms of return (now RALD)
* Inspection
* Public domain
* Subscription websites
114
What kind of information does the VOA hold?
* Lease information
* Sales information
* Building information
* Market knowledge reports
115
What is a data subject?
The identified or identifiable living individual to whom personal data relates.
116
What is ISO 27001?
International information security standard for how company should implement security management system - government framework that contains structured activities that allows companies to manage information security risks.
117
Are you aware of any recent high profile fines you are aware of regarding data breaches?
Meta – €1.2 billion (May 2023): Was fined after an Irish court ruled that it violated GDPR laws related to data transfers between the EU and the US
118
How are DPA and GDPR different?
GDPR relates to personal data whereas data protection relates to all data
119
How soon should you report a data breach and to whom?
- Must report breach (internally) within 72 hours of becoming aware. Dedicated Data Protection Officer (DPO) required for public authorities.
- You must report breach to Information Commissioner's Office (ICO) if breach has high likelihood to risk people’s rights and freedoms within 72 hours.
- Stronger legal protection for more sensitive information, such as race, religious or political beliefs, sexual orientation.
120
Can you name a type of security as laid out in the VOA's arrangement in complying with the CRCA 2005?
Physical Security:
- Access Control: All VOA staff and visitors require passes for access to premises.
- Secure Storage: Sensitive data is stored in secure environments, including locked security cabinets.
- Strict Access Control: Access to classified statistical data is strictly controlled in line with the VOA's security policy.
Technical Security
Organisational Security
Disclosure Security
121
What role must firms have under GDPR?
Data Protection Officer
122
How would you handle a data breach? (In VO and in private practice as a sole practitioner)
At the VOA you would report the incident to the Information Security Team.
Private as a sole practitioner:
- Assess the breach.
- Attempt to remedy the breach.
- Notify client / ex-client.
- Serious breach and loss to client/ex-client report to the Information Commissioners Office
123
How do you ensure the integrity of the data you hold?
Ensure it's accurate, consistent, reliable, access controls, data back up, data encryption, audit trails
124
What is special category data?
Personal data that reveals sensitive information, such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or a person's sex life or sexual orientation, and requires stricter protection.
Article 9 of the UK GDPR
125
VT pack - How did you manipulate the data?
Merging data from various sources, organising and arranging it into tables
126
How do you source title information?
Land registry
127
What are exemptions to GDPR?
- Domestic use
- Law enforcement
- Intelligent services
128
When can FOI request be refused?
Too costly, prejudice a criminal matter, if repeat request
129
What data sources do you use to check statutory functions?
- Asbestos register
- EPCs
- Planning
- Flood risk map
- Coal mining authority map
130
Why did you feel it was important to restrict access to this spreadsheet via password protection?
The Council Tax Welsh Reform was a particularly confidential project as the Welsh Government hadn't yet publicly made a decision on when the Reform would be undertaken or the proposed bandings.
