Data Management

Question 1

What are the GDPR consumer rights?

Answer 1

A - Access
C – Consent
C - Correction
E – Erasure
P – Data Portability
ACCEP
(Accep your rights)

Question 2

What regulation governs laws on data protection and privacy?

Answer 2

UK General Data Protection Regulation 202

Question 3

What is the maximum GDPR fine set by UK GDPR and DPA 2018?

Answer 3

20 million euros (£17.5 Million) or 4% of annual global turnover (whichever is highest).

Question 4

Data offences can be punished by what? Name two (excluding fines).

Answer 4

Warnings

Temporary or permanent ban on data processing

Question 5

What is DPA 2018?

Answer 5

Data Protection Act 2018

The Act works in two ways: it provides individuals with rights, including the right to know what information is held about them and the right to access that information. it states that anyone who processes personal information must comply with the principles in the Act.

UK’s implementation of GDPR

Question 6

Are you aware of the Freedom of Information Act 2000?

Answer 6

Yes, it provides the public access to information held by public authorities.

Question 7

How do FOI Act 2000 requests work?

Answer 7

Must be in writing

Question 8

What security measures can you use to protect data?

Answer 8

Password protection
Security markings
Physically locking storage units
Encryption firewalls
Two factor authentication

Question 9

What best practices would you encourage in terms of managing data?

Answer 9

Cross reference computer with hard copy

Back up IT systems

Write once, read many times

Keep an audit trail

Ensure electronic signature cannot be altered. (send PDFs not word)

Question 10

Tell me what you know about GDPR.

Answer 10

General Data Protection Regulation

Article 5 sets out the consumer rights which includes the right to be informed, right to access, right to erase, right to correct and right to withdraw consent.

Question 11

What is the definition of personal data?

Answer 11

Personal data are any information which are related to an identified or identifiable person.

Question 12

What is encryption/firewalls/blockchain?

Answer 12

Encryption is a means of securing data by encoding it mathematically such that it can only be read, or decrypted, by those with the correct key or cipher.

A firewall is a network security device that monitors traffic to or from your network. It allows or blocks traffic based on a defined set of security rules.

A blockchain is a digitally distributed, decentralized, public ledger that exists across a network.

Question 13

Tell me about how you extract data from a source regularly used in your role.

Answer 13

Internal database – CDB for rental information

Set parameters for data to refine prior to download

Use filters on excel to refine the data to what I need

Question 14

What is an electronic document management system (EDMS)?

Answer 14

Software package designed to manage electronic information and records within an organisation’s workflow.

Question 15

Give me an example of how you ensure that data is kept securely.

Answer 15

Permission levels, back up systems, sensitive tag

Question 16

How do you validate information?

Answer 16

Cross check with another source

Call to get further information / confirm details

Adopt a common sense approach

Question 17

What are pros/cons of primary data sources?

Answer 17

Pros
Greater control (type of data, design, method)
May be more accurate

Cons
Expensive (may make it more difficult)
Time consuming

Question 18

What are pros/cons of secondary data sources?

Answer 18

Pros
Easily accessible
Affordable

Cons
May lack reliability
May be outdated

Question 19

You shared rental evidence with an agent for rating purposes, did you have permission to share that information?

Answer 19

Yes - The Valuation Office Agency (VOA), as an executive agency of HMRC, is subject to the Commissioners for Revenue and Customs Act 2005 (CRCA)

Question 20

Can other colleagues access information you are working on?

Answer 20

No, if they are in a different team e.g. DVS then they will not be able to access information stored for rating purposes.

Question 21

Freedom of Information Act 2000 exemptions?

Answer 21

Personal data
National security

Question 22

Tell me more about the Data Protection Act 2018.

Answer 22

The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.

Question 23

What regulation covers sharing data?

Answer 23

Commissioners for Revenue and Customs Act 2005

CRCA ACT

Question 24

Benefits of cloud-based systems?

Answer 24

Information is backed up by encrypted servers

Accessibility can be managed via online settings

Cheaper than physically storing and managing files

More convenient to send and share files online instead of mailing physical copies

Question 25

Meaning of a non-disclosure agreement?

Answer 25

Used to protect against the disclosure or sharing of any confidential data.

Question 26

Who are the key persons outlined within GDPR?

Answer 26

Controller – person that determines the purpose and means of processing personal data e.g. the employer. Processor – person that processes personal data on behalf of the controller e.g., call centres acting on behalf of its client. Data Protection Officer – leadership role required by EU GDPR. Responsible for overseeing the data protection approach strategy and implementation.

Question 27

What should companies put into place to ensure GDPR compliance?

Answer 27

Raise awareness across the business Audit personal data Review procedures supporting individual rights Identify and document the legal basis for processing personal data under GDPR Train staff and give them the information

Question 28

What personal and confidential information does the VO hold?

Answer 28

Personal data relating to VOA employees Emails containing sensitive or confidential information Customer correspondence received in confidence Customer records Property information Contractual information

Question 29

Define what disclosure means?

Answer 29

The sharing of information with others

Question 30

What does CRCA set the VO’s functions as?

Answer 30

Producing rating lists Council tax valuation lists Valuation of property

Question 31

What two ways does the Freedom of Information Act provide the public with access to information held by public authorities?

Answer 31

Public authorities are obliged to publish certain information about their activities. Members of the public are entitled to request information from public authorities.

Question 32

When would you disclose information about taxpayers (or their properties) or our customers to third parties?

Answer 32

In line with CRCA Act 2005: If essential for one of our functions In line with legislation or statutory gateway under LGFA With consent of the taxpayer, customer or client For civil proceedings such as valuation tribunal hearings

Question 33

How would you deal with someone requesting to access their own personal information?

Answer 33

There is a deadline of one month to respond to a request. I would forward any request where a requester asks for their own information to the SAR inbox immediately by emailing.

Question 34

How would you deal with a Freedom of Information request?

Answer 34

Check the request is made in writing (email/letter) Check it includes the requester’s name and address and clearly describe the information wanted. Forward request to FOI inbox team

Question 35

How do you store data?

Answer 35

When gathering data for any reason I always ensure to place it within the VOA’s secure drives. Case documents go in restricted drives where only certain staff can reach.

Question 36

Where was the data stored?

Answer 36

Two secured VOA drives. One so that the valuer can download the sale alongside others when needed and another database I created to describe what the land was for.

Question 37

What are the seven principles of GDPR?

Answer 37

Lawfulness, fairness and transparency Purpose limitation Data minimisation Accuracy Storage limitation Integrity and confidentiality Accountability

Question 38

What is a data controller?

Answer 38

Determines the purposes and means of processing personal data.

Question 39

What is a data processor?

Answer 39

Processes personal data only on behalf of the controller.

Question 40

What is discrete data?

Answer 40

Discrete data is information that can only take certain values. Such as the profit of a company.

Question 41

What is continuous data?

Answer 41

Continuous data is data that can take any value. Such as Height, weight, temperature.

Question 42

How long to report a data breach?

Answer 42

48 hours to report internally 72 hours to report to Information Commissioners Office - legally.

Question 43

What is CRCA?

Answer 43

The Commissioners of Revenue and Customs Act (CRCA) 2005 is the Act of Parliament that created HM Revenue and Customs (HMRC) in April 2005. The Act also puts those functions formerly undertaken by the Valuation Office Agency in respect of the valuation of property on a statutory footing specifically referring to the Valuation Office Agency (VOA) in section 10.

Question 44

Where are the functions of the VOA stored?

Answer 44

Schedule 1 Section 7 and Section 10 of CRCA

Question 45

What does section 7 refer to?

Answer 45

- Rating Lists and Council Tax Valuation Lists, and the valuation of property.

Question 46

What does section 10 refer to?

Answer 46

allows VOA to provide a valuation of property; § For any purpose relating to the functions of HMRC, [being for Rating Lists and Council Tax Valuation lists, or HMRC functions such as Inheritance Tax]; § At the request of a public authority [allowing for Property Services to undertake work for other public bodies]; § At the request of any other person, if the valuation is necessary or expedient, in connection with: · (i) the exercise of a function of a public nature; or · (ii) the management of money or assets received from a person, exercising functions of a public nature; § To advise about matters connected to the valuation of property [this is the test against which VOA determines the work it can do].

Question 47

What does section 17 refer to?

Answer 47

allows sharing of information held for one function with another function (within HMRC and VOA)

Question 48

What does section 18 refer to?

Answer 48

sets out the circumstances when HMRC and VOA may disclose information outside HMRC and VOA [Note – it doesn’t say we must supply]

Question 49

What does section 19 refer to?

Answer 49

it is a criminal offence for VOA officers to disclose VOA information that either identifies a legal person or enables their identity to be deduced when it is not covered by the circumstances set out in section 18

Question 50

What do sections 20 and 21 refer to?

Answer 50

covers when information can be disclosed where it is either in the public interest or is to a prosecuting authority.

Question 51

What do sections 22 and 23 refer to?

Answer 51

relates to the rights to information under GDPR and FOIA and set out how these requests should be treated

Question 52

Which regulation within the Non-Domestic Rating (Alterations of Lists and Appeals) England allows the VO to share information such as FOR details which relate to the grounds of the proposal?

Answer 52

Regulation 9 (7) Or Section 18 of the Commissioner for Revenue and Customs Act would also allow the VO to disclose FOR information if it is for the purpose of one of our functions.

Question 53

What legislation does VOA follow regarding data protection?

Answer 53

General Data Protection Regulation 2016 (GDPR) / Data Protection Act 2018 (the UK’s implementation of the GDPR). The GDPR gives people the right to access their own information and came into force in May 2018. This legislation modernises laws due to rapid technological changes and gives individuals more control of their information.

Question 54

What must you ensure regarding section 18 to section 23 of the Commissioners for Revenue and Customs Act 2005?

Answer 54

You must ensure you are aware of the implications when considering disclosure about taxpayers and our clients.

Question 55

How should we deal with data?

Answer 55

Keep only what you need, do not pass personal information, hold data securely, limit access to data, keep data up to date and delete where appropriate, and think about what data you are using in work.

Question 56

What sources of data does VOA use?

Answer 56

VOA uses published sources of data such as CoStar (lease, sales, building information, and market knowledge reports) and the VOA Public Business Rates Portal for valuation and assessment information.

Question 57

How does VOA collect data?

Answer 57

VOA collects data from ratepayers and representatives, forms of return (RALD), inspection, public domain, and subscription websites.

Question 58

What must be done with the information collected by VOA?

Answer 58

All information must be securely stored, protected, and labelled for correct retrieval and manipulation.

Question 59

What is essential to understand regarding the Freedom of Information Act 2000?

Answer 59

It is essential to understand the rights of individuals to request the information which we hold on them.

Question 60

What are the 7 principles for the lawful processing of personal data?

Answer 60

Lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitations; integrity and confidentiality (security); accountability.

Question 61

What are the 8 GDPR rights?

Answer 61

Right to be informed, right to access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, rights to automated decision making and profiling.

Question 62

What constitutes a personal data breach?

Answer 62

Personal data breaches include losing personal data, accidentally sending personal data to an incorrect recipient, and altering personal data without permission.

Question 63

What are the penalties for breaching GDPR rights?

Answer 63

Penalty for non-compliance is up to 20 million euros (£17.5 million in UK) or 4% of annual global turnover. HMRC and VOA may face investigation and sanctions from the information commissioner, and individuals could face criminal charges.

Question 64

What is the Freedom of Information Act 2000?

Answer 64

It gives anyone a general right of access to recorded information held by public authorities and is enforced by the Information Commissioner. It provides two rights: to be told whether information is held and to have that information communicated, both subject to exemptions.

Question 65

What are the exemptions under the Freedom of Information Act 2000?

Answer 65

Exemptions include contrary to GDPR requirements, prejudice to a criminal matter under investigation, and prejudice to a person’s/organisation’s commercial interest.

Question 66

What is the ICO?

Answer 66

The ICO is the UK’s independent body set up to uphold information rights, responsible for regulating compliance with the Data Protection Act 1998, Freedom of Information Act 2000, and Environmental Information Regulations 2004.

Question 67

What role does data management play in your day-to-day job?

Answer 67

Data management is essential for handling and organizing information effectively.

Question 68

If you worked in private practice, would your considerations differ?

Answer 68

Yes, considerations would differ, such as no CRCA and handling client data to aid organization.

Question 69

What does CRCA stand for?

Answer 69

CRCA stands for the Commissioners for Revenue and Customs Act.

Question 70

What does Section 18 of CRCA 2005 refer to?

Answer 70

Section 18 refers to confidentiality and disclosure, outlining conditions under which Revenue & Customs officials may disclose information.

Question 71

What is the maximum prison time for wrongful disclosure under the CRCA?

Answer 71

The maximum prison time is two years.

Question 72

What is the ICO?

Answer 72

ICO stands for Information Commissioner’s Office.

Question 73

What are the five principles of better regulation?

Answer 73

The five principles are Proportionality, Accountability, Consistency, Transparency, Targeting.

Question 74

What does TARGETING mean in Principles of Better Regulation?

Answer 74

TARGETING means regulation should focus on the problem and minimize side effects.

Question 75

What are the data protection principles under the DPA 2018?

Answer 75

The principles are: LAWFUL, SPECIFIED, RELEVANT, ACCURATE, TIMELY, SECURE.

Question 76

Who has to comply with the data protection principles in the DPA 2018?

Answer 76

Everyone responsible for using personal data must comply.

Question 77

What is the Freedom of Information Act 2000?

Answer 77

It gives individuals the right of access to information held by public bodies, which must be supplied within 20 working days.

Question 78

What is an SAR?

Answer 78

An SAR is a Subject Access Request, giving individuals the right to obtain a copy of their personal data.

Question 79

What does an individual obtain from an SAR?

Answer 79

An individual is entitled to confirmation of processing, a copy of their personal data, and other supplementary information.

Question 80

What are the individual rights under UK GDPR?

Answer 80

The rights include: right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, rights related to automated decision making.

Question 81

What are the principles of UK GDPR?

Answer 81

The principles are: Lawfulness, fairness and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality; Accountability.

Question 82

Who are the key persons outlined within GDPR?

Answer 82

Key persons include Controller, Processor, and Data Protection Officer (DPO).

Question 83

How would you ensure data management for two competing clients?

Answer 83

You would implement an information barrier/Chinese wall and ensure informed consent is gained.

Question 84

Why could you provide FOR information under section 18 of the CRCA?

Answer 84

Disclosure is made for the purposes of a function of HMRC.

Question 85

What legislation prevents an agent from taking photos of an FOR?

Answer 85

Regulation 17(4)(b)(ii) of The Valuation Tribunal for England (Council Tax and Rating Appeals) (Procedure) Regulations 2009.

Question 86

How did you verify the evidence you provided in this case?

Answer 86

Verification was done through appropriate checks and documentation.

Question 87

What advice did you give for your Reval inspections?

Answer 87

Advice focused on verifying information and ensuring it is up to date.

Question 88

Why was it important to undertake the task for Reval?

Answer 88

It was important to verify information and increase its reliability.

Question 89

Is the Electronic Document Management 1st edition current guidance?

Answer 89

No, it has been archived, and updates should be checked before acting on it.

Question 90

How did you determine which transactions were non-useful for your sales verification task?

Answer 90

Determination was based on specific criteria for usefulness.

Question 91

What is a Subject Access Request (SAR)

Answer 91

SAR is a request made by an individual to access their personal information that is held by an organisation. SAR may ask some or all of the following: What personal information an organisation holds about the individual How the organisation uses it Who the information is being shared with Where the information came from

Question 92

FOR viewing, what is regulation 17?

Answer 92

It is located in Valuation Tribunal for England regulations 2017

Question 93

What does it set out?

Answer 93

Gives directions that: Evidence should be submitted to all parties two weeks prior to the hearing Have to wait 24 hours to request to view any information Make a copy of the information but not a photographic copy

Question 94

What information did you retract?

Answer 94

Any information which could identify the occupier

Question 95

What does CRCA stand for?

Answer 95

Commissioner for Revenue and Customs Act 2005

Question 96

What are the key principles of the Data Protection Regulation?

Answer 96

Lawfulness, fairness and transparency Purpose limitation Data minimisation Accuracy Storage limitation Integrity

Question 97

What does the Data Protection Act Set out?

Question 98

Tell me about how you extract data from a source regularly used in your role?

Question 99

How do you validate information?

Question 100

What does the freedom of Information Act (2000) set out?

Question 101

What are some of the reasons why a FOIA request for information may be refused?

Answer 101

Reasons for refusal: Prejudice criminal matter under investigation or a person’s commercial interest Too costly or too much staff time The request is vexatious (causing annoyance, frustration, or worry) The request is a repeat of previous from same person Contrary to GDPR

Question 102

Any recent high profile fines you are aware of regarding Data breaches?

Answer 102

Meta – €1.2 billion (May 2023): Was fined after an irish court rulked that it ciolated GDPR laws related to data transfers between the EU and the US. Amazon – €746 million (2021): Imposed on Amazon Europe by Luxembourg’s National Commission for Data Protection, after establishing that Amazon was not getting consent from its users before storing advertisement cookies. Instagram – €405 million (September 2022): Irish Data Protection Commission (DPC) fined Instagram for violating children’s privacy online, including publishing kids’ phone numbers and email addresses.

Question 103

What is special category data?

Answer 103

Special category data is personal data that needs more protection because it is sensitive.

Question 104

What are the types of special category data?

Answer 104

racial or ethnic origin political opinions religious or philosophical beliefs trade union membership genetic data biometric data for the purpose of uniquely identifying a natural person data concerning health data concerning a natural person’s sex life or sexual orientation

Question 105

What is the purpose of the better regulation framework?

Question 106

How does the VOA receive SDLT transactions?

Answer 106

Through solicitors