Data Mangement

Question 1

Why is it important to consider data sources?

Answer 1

To consider the reliability and associated risks
Where possible should verify data against alternative sources through ‘triangulation’

Question 2

Why is it important data is stored safely?

Answer 2

To keep safe from corruption and control access to ensure privacy and protection
In order to comply with UK GDPR, as well as the RICS RoC and bylaws of confidentiality

Question 3

What data security technologies are there?

Answer 3

Disk Encryption - on a secure hard disk drive
Regular backups off site
Cloud storage
Password protection and anti-virus software protection
Firewalls and disaster recovery procedures

Question 4

What data security actions are undertaken in your office?

Answer 4

Password protection
firewalls
disaster recovery
Cloud storage

Question 5

What is Copyright?

Answer 5

A set of exclusive rights granted to the author or creator of any original work
Rights can be licensed, assigned or transferred

Question 6

What is intellectual property?

Answer 6

intangible property that is the result of creativity, such as patents, copyrights, etc

Question 7

What is Crown Copyright?

Answer 7

Refers to all material created and prepared by the government eg. laws, public records, official press releases and OS Mapping

Question 8

Should you acknowledge copyright in your work?

Answer 8

Yes for any copyright information duplicated in your work

Question 9

What is set out in the UK General Data Protection Regulation and the Data Protection Act, 2018?

Answer 9

Additional supplement to UK GDPR (2016) - EU no longer applies
Aims to create a single data protection regime affecting businesses and empower individuals to take control of how their data is used by third parties

Question 10

What are the 7 principles of GDPR?

Answer 10

1. Data minimisation
2. Purpose limitation
3. Storage limitation
4. processed fairly & lawfully
5. Accurate & up to date
6. Security
7. confidentiality

Question 11

What are the key requirements included in the Data Protection Act 2018?

Answer 11

An obligation to conduct data protection impact assessment for high risk holding of data
Gives people rights to be informed about how their personal information is used

Question 12

What is a data controller?

Answer 12

the person directly responsible for ensuring GDPR, decides how and why personal data is processed

Question 13

What is the principle of ‘data accountability’?

Answer 13

ensuring that organisations can prove to the information commissioner’s Office (ICO) how they comply with the regulations

Question 14

What should you do if there is a data security breach?

Answer 14

Must be reported within 72 hours to ICO where there is a loss of personal data and risk of harm to individuals

Question 15

What are the penalties for non compliance with UKGDPR?

Answer 15

fines of up to 4% of global turnover of the company or £17.5million (whichever is greater)

Question 16

What are the principles of the UK GDPR?

Answer 16

Article 5(1) principles relating to storage of personal data
Article 5(2) requires that the ‘controller shall be responsible for compliance with the principles

Question 17

How does Article 5(1) of the UK GDPR state data should be stored?

Answer 17

• Lawfully, fairly and in a transparent manner
• Collected for specified, explicit and legitimate purposes
• Adequate, relevant and limited to what is necessary for purpose
• Kept in form which permits identification of data subjects
• Appropriate level of security

Question 18

What are the 8 individual rights under UK GDPR?

Answer 18

Rectification
Erasure
Access
Data portability
Restrict processing
Automate decision making
Informed
Object

Question 19

What is the Freedom of Information Act 2000?

Answer 19

Gives individuals the right of access to information held by public bodies
The public body must declare whether it holds info
Public body has 20 days to supply info requested
It can charge for the provision of info

Question 20

What are the exemptions to the freedom of information act 2000?

Answer 20

1. If contrary to GDPR Requirements
2. It would prejudice a criminal investigation or a person/organisations personal interest

Question 21

How can Security of data be improved?

Answer 21

Firewalls
Encryption
Cloud-based systems
Passwords

Question 22

What is a non-disclosure agreement?

Answer 22

A legally enforceable contract between 2 parties relating to sensitive information
Creates a confidential relationship

Question 23

What RICS Professional Standard has been proposed?

Answer 23

A standard on Data Handling and Prevention of Cybercrime - covering best practice and mandatory obligations for the capture, storage and sharing of data

Question 24

What happens if an NDA is breached?

Answer 24

The party that was harmed can take legal action to enforce the agreement and seek damages for any losses that were incurred

Question 25

Why is it important to verify and analyse data to provide good advice?

Answer 25

It’s important to consider the reliability of data, and without verification of data sources you cannot guarantee accuracy, and therefore may be providing inaccurate advice

Question 26

What databases and systems have you used?

Answer 26

Microsoft Excel IDAT

Question 27

What online databases have you used?

Answer 27

Costar EGI Edozo Land Registry

Question 28

What are other sources of information in addition to online databases?

Answer 28

Speaking to local agents Physical evidence and documentation (although usually dated) Marketing boards

Question 29

How does a password protected data site ensure GDPR is adhered to?

Answer 29

It ensured data is processed in a manner that ensured appropriate security of the personal data, as per the principles of GDPR -Confidentiality (security of data) -Data minimised and purpose limited to this use only

Question 30

What software did you use for the data site and why? Any others you could’ve used?

Answer 30

I have used our internal dealflow system and Thomson Reuters Data site hosting system (through BCLP lawyers). Secure and has been used several times by the lawyers previously to good effect.

Question 31

What was the purpose of the data site?

Answer 31

To provide a package of information for potential purchasers for the disposal, and ensure data was kept confidential

Question 32

What did you consider when setting up the data site?

Answer 32

Considered the principles of UKGDPR and the DPA, and ensured we would be able to deliver on the rights of UKGDPR e.g. right to erasure, right to access

Question 33

How did you ensure confidentiality to the public? Did you control distribution of the data site link?

Answer 33

Access was granted on an individual basis after providing a name, company and email. Once the link was sent the user had to set up a password protected email. Distribution of this link was controlled and only sent out to potential purchasers who had undertaken some level of due diligence, or their agents, who we generally knew.

Question 34

What’s the difference between UKDPR and the DPA?

Answer 34

* UKGDPR (2016) transcribed entirely from EU GDPR * DPA supplements UKGDPR * Certain rights under the UK GDPR, such as the right to object to and the right to data portability are not included in DPA (2018)

Question 35

Why did you close the data site once under offer? How did this comply with GDPR?

Answer 35

To comply with the principle of storage limitation as per UKGDPR guidelines – the data site was closed once it had served its purpose as to hold data this personal data for only as much time is required

Question 36

How do you comply with GDPR when dealing with mailing lists?

Answer 36

Ensure I comply with the principles of UK GDPR. Purpose limitation – only used for that purpose Data minimisation – only hold required information, nothing more Accuracy – updated regularly Storage limitation – information safely deleted once no longer required Integrity and confidentiality – not shared with any other parties

Question 37

How would you securely delete data?

Answer 37

Delete from files, and ensure this is entirely wiped off the system – checking the recycling bin, and potentially using additionally software such as an eraser system to delete off the drive.

Question 38

How would you deal with a data breach?

Answer 38

* Contain the breach * Assess the damage * Notify those affected * Investigate the cause * Take steps to further prevent further breaches

Question 39

Are you aware of any case law in regards to data breaches? What are the fines associated with a data breach?

Answer 39

Halfords, 2022 – fined £30,000 by the ICO, they sent out 500,000 marketing emails about ‘fix your bike scheme without gaining customer’s consent’.

Question 40

Difference between a data controller and data processor?

Answer 40

Data controller – decides how data is stored/what data/how it’s protected etc, data processor – just handles the data). Example – cbre is the controller, we are the processor.

Question 41

When does data become information?

Answer 41

When it is processed, interpreted, and organized

Question 42

How long can you keep data?

Answer 42

NB remember tie-in with PII and any potential future litigation Supposed to keep data for 6yrs for PI insurance etc.

Question 43

Who is the data controller at CBRE?

Answer 43

CBRE Management Service Ltd

Question 44

What data is required and held in your office?

Answer 44

Dependent on what department and for what use. – CBRE Data Retention Policy Investment – tracking investment market for trends and specific transactions, client details, mailing lists etc.

Question 45

What sorts of information can a firm reasonably retain in order to comply with other laws?

Answer 45

As per data minimisation and purpose limitation principles of UKGDPR, information for the purpose of use only can be used, and must be removed once no longer required for that purpose. E.g. client contact details for a specific transaction.

Question 46

Can you tell me about the retention of files and the Limitation Act 1980?

Answer 46

File should be kept for 6 years. The limitation Act 1980 states: * Contract – 6 years from date of negligence Tort – 6 years from the date the claimant suffered the loss

Question 47

How do you source title information?

Answer 47

Land registry

Question 48

How can you protect electronic data from viruses?

Answer 48

* Be aware of phishing attacks via emails * Update passwords regularly * Back up important business data

Question 49

What does block chain mean?

Answer 49

Blockchain is a system of recording information in a way that makes it difficult or impossible to change, hack, or cheat the system.

Question 50

Which records are manually kept in your office and why?

Answer 50

Health and safety documents

Question 51

What is an Electronic Document Management System (EDMS)?

Answer 51

A document management system is a system used to receive, track, manage and store documents and reduce paper

Question 52

Are electronic signatures accepted by the Land Registry?

Answer 52

Yes

Question 53

When sending sensitive information, what are the steps you would take?

Answer 53

* Identify the sensitivity of the information * Choose the appropriate method of transmission – secure transfer protocols (STFP) * Rensure the recipient is authorised to receive the information * Document the transmission * Review and update security practices regularly.

Question 54

What is data management?

Answer 54

This encompasses all aspects of handling data, from collection and storage to analysis and reporting.