8. Data Management Flashcards

(26 cards)

1
Q

How do you ensure data is managed and protected at your firm?

A
  • Passwords
  • Disk encryption
  • Software updates
  • Secure document storage
  • Avoiding paper forms
2
Q

How do you review the validity of data?

A

Must always consider the reliability of the source. Undertake triangulation to verify information through another source.

Customer details: Application Form, ID/PoA checks, signatures.
Property details: third parties (valuers, solicitors, QS).

3
Q

Octopus Data Protection Policies

A

Framework of policies and procedures to ensure adherence to UK GDPR and Data Protection Act.

  • Data minimisation
  • Data anonymisation
  • Data Retention (keep only as long as necessary; anonymise where possible and store securely)
  • Clear Desk Policy
4
Q

“Stairs”

A

Social tenant access to information requirements.

Introduced under Social Housing Regulation Act 2023.
- Repairs and maintenance logs
- service charges and rent setting policies
- anti social behaviour records
- energy efficiency metrics

Must respond within 1 month.

Allows a tenant to get data about their property, whereas a DSAR would be about them as an individual.

5
Q

What is copyright?

A
  • A set of exclusive rights granted to the author or creator of any original work, including the right to copy.
  • These rights can be licensed, assigned or transferred.
  • Form of intellectual property.
  • Crown Copyright refers to all material created and prepared by the Government, e.g. Crown Copyright over OS Mapping.
  • It is essential to acknowledge any copyright for information duplicated in your work.
6
Q

Data protection legislation

A
  • The Data Protection Act (2018)
  • UK General Data Protection Regulation (GDPR) - Gives people the right to be informed about, and control over, how their personal information is used.
  • Data (Use and Access) Act 2024
7
Q

GDPR Principles

A

7 principles of UK GDPR:
1. Lawfulness, Fairness & Transparency – Process data legally, fairly, and openly.
2. Purpose Limitation – Use data only for specified, explicit, legitimate purposes.
3. Data Minimisation – Collect only what is necessary for the intended purpose.
4. Accuracy – Keep data accurate and up to date; correct errors promptly.
5. Storage Limitation – Retain data only as long as necessary for its purpose.
6. Integrity & Confidentiality (Security) – Protect data against unauthorised access, loss, or damage.
7. Accountability – Be responsible for compliance and able to demonstrate it.

Mnemonic: Little Penguins Dance And Slide In Antarctica

WHY – collecting specified, explicit and legitimate purposes.
WHAT – accurate and up to date, necessary.
HOW – lawfully, transparent.

The controller must be able to demonstrate compliance with the regulations.

8
Q

Rights under UK GDPR

A

8 fundamental rights

  1. Right to be informed
  2. Right of Access
  3. Right to rectification
  4. Right to erasure
  5. Right to restrict processing
  6. Right to data portability
  7. Right to object
  8. Rights related to automated decision-making and profiling

Mnemonic: Ice Age Reindeers Enjoy Racing Penguins Over Alps

9
Q

Data Protection Act 2018

A
  • Companies must conduct data protection impact assessments.
  • ‘Data Accountability’: must prove to Information Commissioner’s Office (ICO) how they are compliant.
  • Data breaches must be reported within 72 hours (loss of personal data and risk of harm).
  • Fines up to 4% of turnover or £17.5m (greater of).
10
Q

Freedom of Information Act 2000

A

Creates a legal right of access to information held by public authorities in the UK.

  1. Public authorities must publish certain information proactively
  2. Anyone can request recorded info

(Applies to NHS, LAs, Police and other public bodies.)

Respond within 20 working days.

11
Q

NDA

A

Non-Disclosure Agreement

A legally enforceable contract between two parties to protect against the sharing of confidential information.

Often used if information can be used by competitors. Party harmed can take legal action to enforce the agreement and seek damages for losses.

12
Q

NDA vs DSA

A

Both NDAs (Non-Disclosure Agreements) and Data Sharing Agreements (DSAs) deal with confidentiality.

An NDA focuses on preventing the disclosure of any confidential information, while a DSA specifically addresses the conditions under which data can be shared and used, including compliance with data protection regulations.

13
Q

DSAR

A

A DSAR, or Data Subject Access Request, is a right granted under data protection laws (like GDPR) that allows individuals to request access to their personal data held by an organization, and to understand how that data is being used.

A DSAR is a formal request made by an individual to an organization to access and understand the personal data they hold about that individual.

14
Q

Who are the key persons outlined under UK GDPR?

A
  • Data Controller
  • Data Processor
  • Data Protection Officer
15
Q

Data Controller

A

The person, company, or organization that decides why and how personal data is processed. They determine the purposes and means of processing and ensure compliance with GDPR principles. They must take appropriate technical and organizational measures to ensure processing is compliant.

16
Q

Data processor

A

The person, company, or organization that processes personal data on behalf of the data controller, following their instructions.
More limited compliance responsibilities – must act in accordance with the controller’s instructions and GDPR. E.g. a company that processes payroll for another company.

17
Q

DPO

A

A Data Protection Officer (DPO) is a designated individual responsible for overseeing an organisation’s compliance with data protection laws, specifically the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Core Duties:
1. Inform and advise the organisation and staff on GDPR obligations.
2. Monitor compliance through audits and training.
3. Advise on Data Protection Impact Assessments (DPIAs).
4. Serve as the contact point for the Information Commissioner’s Office (ICO) and data subjects.

18
Q

What is personal data?

A

Includes any information which relates to a living individual who can be identified, directly or indirectly, from that information. Examples of personal data are a person’s name, address, date of birth, photographs, telephone numbers, email addresses, IP addresses, geolocation, next of kin, passport details and bank and payroll information.

19
Q

What is sensitive personal data?

A

Race, political opinions, religious beliefs, trade union membership, genetic data, health data and sexual orientation.

20
Q

What is the importance of effective data management?

A
  1. Ensures compliance with UK GDPR and the Data Protection Act 2018
  2. Reduces risk of data breaches or loss
  3. Enhances data accuracy, accessibility & security
  4. Supports informed decision-making
  5. Maintains client confidentiality and trust
21
Q

What are your firm’s policies on data collection, storage and processing?

A
  1. Collect only necessary data with clear purpose
  2. Store securely using encrypted, access-controlled systems
  3. Limit access to authorised personnel only
  4. Regular audits and reviews of data processes
  5. Comply with GDPR, DPA 2018, and RICS standards
  6. Data retention and disposal policies in place
22
Q

Explain your example of a data owner and a data processor and their different roles.

A

Data Owner:
* Client (the Fund) owns the For-Profit Registered Provider (FPRP)
* Legally responsible for tenant data as the RP
* Determines why/how tenant data is used
* Does not directly process or hold tenant details day-to-day

Data Processor:
* Managing Partner (affordable housing operator)
* Manages the properties on behalf of the FPRP
* Processes tenant data (e.g. lettings, repairs) under instruction from data owner
* Must comply with data protection rules as a processor

23
Q

Tell me about Artificial Intelligence?

A

The RICS has completed a public consultation on its new Professional Standard, which was released in Sep 2025 and will take effect from March 2026.

PS: Responsible Use of AI in Surveying

Some of the key provisions of the new standard include:

1) Governance & Risk Management: Firms must implement clear policies around data use, AI system governance, and risk documentation - including the creation of risk registers and due diligence procedures.

2) Professional Judgment & Oversight: Surveyors must assess the reliability of AI outputs and remain accountable for all work, applying professional scepticism and expertise throughout.

3) Transparency & Client Communication: Clients must be informed, in writing, of when and how AI will be used in service delivery, including options for redress or opting out.

4) Ethical Development of AI: For firms developing their own AI systems, the standard mandates assessments of data quality, stakeholder involvement, sustainability impact, and legal compliance.

24
Q

Tell me about Data (Use and Access) Act 2025

A

The Data (Use and Access) Act 2025

Designed to reform, rather than replace, the UK GDPR and the Data Protection Act 2018

Impacts:

  • DSAR - only need to conduct a “reasonable and proportionate” search when responding to data requests, reducing the burden.
  • Cookie tracking needs explicit consent.
  • Expands the lawful grounds for using AI, but use must be disclosed to clients.
25
Q

What are the benefits of cloud based storage systems?

A

* Information is backed up securely on encrypted servers
* Accessibility can be managed securely via online settings
* Tend to be cheaper than physical storage
* Multiple users can access documents at the same time

26
Q

What things must companies put in place to ensure compliance with UK GDPR?

A

* Raise awareness across the business
* Audit all personal data
* Update privacy notice
* Identify and document the legal basis for processing personal data