Data Management (SAMPLE submission)

Question 1

How does NHS PS ensure the security on confidential/sensitive information?

Answer 1

Defence in depth strategy - multiple layers of security controls, if one fails the next kicks in.

• Web proxy/filters
• Antivirus solution for all company devices
• Email filtering (blocks malicious emails and attachments/links)
• Firewalls - inspect internet traffic and block malicious network pack
• Vulnerability management tools - identify vulnerabilities in software/operating system so they can be patched.
• Advanced threat detection tools - identify advanced persistent threats.

Question 2

Talk me through your development of the sales tracker.

Answer 2

1. Analysed available sources of information to decide what to include within the tracker
2. Began compiling sales evidence
3. Verified sales evidence with Transaction Manager/Land registry lease/registers and TR1’s
4. Added the information to my tracker
5. Analysed the information
6. Provided reports for each zone analysing the impact of method of sale on achieving sales receipts in excess of the market valuation.

Question 3

How did you ensure accurate data of the sales tracker was recorded?

Answer 3

• Verified sales evidence with the transaction manager/Land registry lease/registers and TR1s

Question 4

How was your sales tracker used to provide advice?

Answer 4

I didn’t provide advice in this example.

I analysed the impact the method of sale ahs on achieving sales receipts in excess of the valuation. I was aware that informal tender was often used for high value sites and so had the largest difference between valuation and sales receipt.

To mitigate this I also produced reports for properties which sold for £500,000k or less £250k or less and £100k or less.

Informal tender achieved the highest margin in all individual reports. I would have advised that if high levels of interest anticipated informal tender should always be considered.

Question 5

How was your data for the tracker shared with the transactions team? How did you ensure security.

Answer 5

It was password protected and stored within the transactions folder which only the internal team members had access too.

The file was password protected and the folder was also password protected.

Question 6

Tell me about a property information system you have used in your role?

Answer 6

E-pims – the public sector surplus assets portal. This is useful as many public bodies list their property on here before going to the open market. Therefore there’s opportunity to acquire assets before they go on the market.

Question 7

What are some disadvantages of Epims?

Answer 7

• data is often not updated.
• People often don’t remove listings
• Data is often incorrect
• Increased importance on verification

Question 8

Tell me about a complex report you have written?

Answer 8

• I wrote reports after the mapping system had been produced. The report largely factual about where exact adjacencies between the two estates lied.
• I advised on how best to keep the data secure, for example user controlled access to the mapping software itself.
• I also advised that the sharing of any data should be encrypted within minimum 128 bit or above encryption. If they were not familiar I advised that Vitru offered a good end-to-end encryption service.

Question 9

How do you ensure the information within a DCN is accurate?

Answer 9

I verify the information where I can with the Land Registry/Property Manager/Transaction Manager/Aconex.

Question 10

How do you use Horizon effectively?

Answer 10

I ensure that I am able to extract the information I require and verify this wherever possible. If an error is identified, after confirming information I will send a separate DCN to rectify.

Question 11

Talk me through your mapping project.

Answer 11

1. Instructed data sharing agreement
2. Waited to receive signed copy back
3. Collated and verified information to give to mapping consultant
4. Address, building sizes, tenure, book value, end dates/breaks (from Horizon).
5. Cross checked information with power BI (separate data base).
6. Compiled information before it was send and verified it with each property manager.
7. Received client’s data (held securely) - password protected file and folder.
8. Sent data to consultant (password protected).
9. Made suggestions for the functionality
10. Written reports highlighting exact adjacencies (health centre within 0.2 miles of X property you own).
11. Separate report highlighting potential redevelopment opportunities, after considering lease terms etc.
12. Client was unsure how to ensure the data was kept secure. I advised that if reports are shared from the mapping software these should be encrypted. I advised that Virtru offer a good 256 bit (AES - Advanced Encryption Standard) end to end encryption service.
13. I also advised that user controlled access and password protection would be the best was to ensure security of the mapping software itself.

Question 12

How did your mapping project this highlight adjacencies and joint redevelopment opportunities?

Answer 12

The mapping system was able to compile all properties within say 0.5 miles of the subject property. From there it was possible to consider joint redevelopment opportunities.

After highlighting adjacencies it would then be down to the user to consider, titles, heights, planning policy to advise if there was potential for redevelopment.

Question 13

How did your data sharing agreement work?

Answer 13

The data sharing agreement has a number of clauses which would protect the confidentiality of the data shared with the consultant. It was drafted by the legal team and included obligation such as;

Confidentiality obligations – keep the confidential information secret and confidential

Permitted disclosure – Only to their representatives provided they inform them of the confidential nature and keeps a written record of those representatives.

Question 14

What decisions did you make on functionality of the mapping project?

Answer 14

I ensured there was the ability to select a particular property and find all properties within the two estates that were say, within 1 mile.

Similarly you could drill down into all properties that were within say, 0.5 miles of each other as a list.

I also ensured the lease terms/tenure/break/rent when you clicked on a property.

Question 15

How did you ensure compliance with your data sharing agreement?

Answer 15

I requested proof of how the data was being stored, including a list of their representatives as per the data sharing agreement.

Question 16

Talk me through your template for portfolio optimisation.

Answer 16

1. Identified need to highlight void space at a commissioning (CCG level).
2. Created a template which is able to extract information from Horizon.
3. Template was then used to highlight high levels of void space by CCG and property level.
4. This was used as the basis of discussion for strategic reviews with the CCGs
5. After further engagement with the clients I was able to identify strategy (long term hold/short term etc).
6. I was then able to advise where there are potential optimisation/disposal opportunities after analysis of void space/strategy lease events etc.

Question 17

What information was inputted into your optimisation templates?

Answer 17

• Occupancy data (aconex would produce occupancies for each building where I could then extract the utilisation to be included
• Floor areas
• Site areas
• Occupiers
• Debt
• Planned maintenance
• Lease break/end

Question 18

How were your templates used to provide SREC advice?

Answer 18

Strategic review workshops were organised wit the client to run through the properties which they occupied. From here, they which buildings services might be being commissioned or decommissioned. If for example, a property was 40% vacant (evident from my tracker), and we were informed that the current occupier in there’s service was being decommissioned. This would then be flagged as a potential disposal opportunity (pending declaration the building is not needed for other healthcare services).

• I advised that should this data need to be shared with their colleagues, that it should be done so using an encryption service. I advised that Vitru offered a good end to end 256 AES encryption service.

Question 19

What impact to sale method have on the results?

Answer 19

Informal tender was the method which saw the largest excess in terms of the market valuation and the final sales receipt.

Question 20

How does NHS PS ensure the accuracy of Horizon?

Answer 20

Cross references with our other system, Aconex. Property managers are also encouraged to verify information in person where possible.

Question 21

How did you use the information to inform your advice on disposal/optimisation opportunities?

Answer 21

The template would highlight where for example there were high levels of void, I could then discuss this with the CCG (client) to understand whether they considered the property a long-term hold. If they did then there was an optimisation opportunity (consider co-locating services etc.). If it wasn’t then could be seen a disposal opp.

Question 22

What was the outcome? (SREC advice)

Answer 22

The strategy at a number of sites is now being considered from both an optimisation and disposal enabling point of view.

Question 23

How did your data-sharing agreement differ from an NDA?

Answer 23

It was a confidentiality agreement.
A non-disclosure agreement implies you must not disclose personal or private information.

A confidentiality agreement ensures you are more proactive in making sure information is kept secret.

Question 24

APPLIES TO MAILSHOT LIST -What does the Privacy and Electronic Communications Regulations 2003 apply to? When was it updated?

Answer 24

This guide is for organisations that wish to send electronic marketing messages (by phone, fax, email or text), use cookies, or provide electronic communication services to the public.

• Updated 2018 and came into effect January 9th 2019

Question 25

APPLIES TO MAILSHOT LIST - What does the Privacy and Electronic Communications Regulations 2003 restrict? What are the penalties?

Answer 25

• Restricts unsolicited marketing (solicitated meaning requested)
• Require consent to send marketing material to a customer
• Restricts use of cookies
   - Tell people the cookies are there
   - Explain what the cookies are doing and why
   - Get the person’s consent to store a cookie on their device
• Penalties can include criminal prosecution and fines of up to £500,000

Question 26

APPLIED TO MY EXAMPLES - Give me an example of a property information tool.

Answer 26

Land registry, CoStar, Rightmove, Zoopla

Question 27

EXAMPLES - What are the limitations of primary/secondary data sources?

Answer 27

• Primary data more likely to be subject to human error

- Secondary data, likely to be outdated before you get it therefore, requires validation before reliance on it.

Question 28

EXAMPLES - How do you validate information?

Answer 28

Legal documents, agents, colleagues (if we have an interest), public records.

Question 29

EXAMPLES - Give me an example of when you have applied password protection/user controlled access.

Answer 29

When sending DCNs as this contains a lot of confidential information

Question 30

When have you set up a database and how did you do this?

Answer 30

Collate and analyse the data appropriate for the purpose and readership. I created a database on specialist market evidence which included details of the property, whether information was confidential outside the firm, asking prices, yields achieved, turnover, multiples of EBITDA, trading information and physical size. This is then possible to be filtered for use in reports or to provide colleagues with comparable information.

Question 31

What can you tell me about how you store your information? How would you store information collected from an inspection?

Answer 31

I keep electronic files so I immediately scan my inspection notes and upload my photographs to the system.

The electronic file is accessible only to my department and sensitive documents are password protected.

Question 32

How does your office store data relating to valuations?

Answer 32

Electronic and hard copy files.

Question 33

How has your firm changed their data management practices to comply with GDPR?

Answer 33

• Conducted data protection impact assessments i.e. evaluated risks associated with holding information about individuals
• Ensure data accountability through the appointment of a named data controller
• Contacted individuals who were on distribution lists to confirm that they wanted to be contacted
• Trained staff
• Ensured correct firewalls were in place to ensure appropriate security of personal data

Question 34

What are your Quality Assurance procedures relating to the creation of valuation reports?

Answer 34

• Operate a file checklist approach to ensure that all valuers are working to the same standard
• The checklist includes: conflict of interest check, terms of engagement, liability caps, due diligence, comparables, methodology, peer reviews, report sign-off
• Reports are peer reviewed and counter-signed by another valuer

Question 35

Give me an example of when you have applied password protection/user controlled access.

Answer 35

When sending DCNs as this contains a lot of confidential information

Question 36

Which records are manually kept in your office? Why?

Answer 36

Some employee records but no others. I believe because these haven’t been transferred to electronic records yet.

Question 37

How do you ensure electronic/manual information is kept safely?

Answer 37

I always ensure documents are password protected, and if necessary password protect the folder as well.

• Encrypt data - Data encryption translates data into another form, or code, so that only people with access to a secret key (formally called a decryption key) or password can read it.

Question 38

How do you manage data (C, C, L, S, R/S)?

Answer 38

• Collect - email
• Collate - job
• Label – job no., date etc.
• Store – in job folder in WBS
• Retrieve and share.

Question 39

When you collected comparable evidence – how did you ensure its security?

Answer 39

I stored it electronically on our password and departmentally stored system. Paper files were kept in a locked filing cabinet and is shredded after the instruction.

Question 40

How do you keep your data safe?

Answer 40

Lock my PC and electronic passwords are protected with departmental access only

Question 41

Tell me about a property information system which you have assisted with developing?

Answer 41

I assisted in developing a database of comparables in the specialist market. This covers the date of the
transaction, the purchase price, yield and any other relevant details. I have assisted to ensure the
information is presented in a way which is easy to interpret and summarises well.

Question 42

Tell me about an AVM which you work with?

Answer 42

I have used Rightmove which collates sale prices, dates and information on the sales to create trends and collated information.

Question 43

What measures are in place to ensure the security of your practices electronic data?

Answer 43

The company has anti-virus software, departmentally locked data and password protected documents. In
addition, laptops and desktops are password protected and secured.

Question 44

What property information systems have you used during your training?

Answer 44

I have used comparable databases, excel databases for valuations, AVMs such as Rightmove, EGI, EIG and
Focus.

Question 45

What records are still kept manually in your office and why?

Answer 45

In my department, valuation files are securely held for the run-off period. However, current files are held
electronically as the office moves toward electronic filing.

Question 46

What is correlation? When have you used this technique?

Answer 46

Where there is a relationship between two factors. Correlation graphs are used when providing market
evidence to clients in market commentary.

Question 47

What methods have you used to verify data?

Answer 47

I call agents when gaining information from secondary sources such as Focus or EGI and where information
cannot be verified I place appropriate risk and caveats on the use of these.

Question 48

With regards to data handling/cybercrime, what is best practice for a valuer re.:
handling transaction data
sensitive data
securing data

Answer 48

 Transaction data may be confidential, and must be kept securely and used solely for the purpose intended.
 Valuers may receive sensitive data not intended for a valuation – e.g. a landlord’s credit history or bank statements as part of a mortgage security valuation – that cannot be retained and therefore must be removed or deleted.
 Valuers should ensure they capture, store and share data only using approved devices and via a secure connection with robust passwords and encryption.
 Must secure commercial and financial data against unauthorised ‘read’ leaks and ‘write’ access, such as ransomware that targets operational and financial data.

Question 49

How should information you have taken on site be stored?

Answer 49

o Many valuers at SMEs are unaware that photographs and notes taken when they visit sites are classified as personal data and, according to the Statement, must be stored differently. I suspect most just store them on the same server as everything else, to which any employee can gain access.