What are the different types of data security technologies
- disk encryption
- Regular backups off site
- Cloud storage
- Password protection
- Anti-virus software
- Firewalls and disaster recovery procedures
What is cloud storage
A form of computer data storage where digital data is served on off-site locations. Servers are maintained by third-party providers that allow companies to store, access or maintain data so companies don’t have to invest in data centers
What is copyright
Form of intellectual property. A set of exclusive rights granted to the author/creator of any original work including the right to copy
What is intellectual property
intangible property that is the result of creativity, such as patents, copyrights, etc
Can copyright be licensed?
Yes, the rights can be licensed, assigned or transferred
What is Crown Copyright
Crown copyright is a legal protection for original material created by government officials and departments in the UK
What key legislation applies to the UK
UK GDPR
- EU GDPR no longer applies in the UK although was almost entirely transcribed into UK GDPR in 2016
What act covers UK GDPR
Data Protection Act 2018
What is the aim of the Data Protection Act
To create a single data protection regime affecting businesses and empower individuals to take control of how their data is used by third parties
- gives people the rights to be informed about how their personal information is used
What is the Freedom of Information Act 2000
Gives individuals the right of access to info held by public bodies
- public bodies must tell any individual requesting sight of info whether it holds it
- must supply in 20 days in requested format
- can charge for the provision of info
What is excempt from Freedom of Info Act 2000
- contrary to GDPR requruirements
- would predjuidice a criminal matter under investigation or a person’s/orgs commercial interest
What is an NDA
a legally binding contract that protects confidential information by obligating the recipient of the information to keep it private and not share it with unauthorized third parties. NDAs can be unilateral (one-way, protecting information disclosed by only one party) or mutual (two-way, protecting information shared by both parties). For the NDA to be effective, it must clearly define the confidential information, outline the permitted uses of that information, specify the duration of the agreement, and state the consequences of breaching the terms, such as legal damages.
What are the 8 individual rights under UK GDPR
Right to be informed: Individuals have the right to know how their personal data is being collected, used, and processed.
Right of access: You can request access to your personal data and receive information about how it is being used.
Right to rectification: You have the right to request that inaccurate or incomplete personal data be corrected.
Right to erasure: Also known as the right to be forgotten, this allows you to request the deletion of your personal data under certain circumstances.
Right to restrict processing: You can request to limit or suppress the processing of your personal data in certain situations.
Right to data portability: This right allows you to obtain and reuse your personal data for your own purposes across different services.
Right to object: You can object to the processing of your personal data in certain circumstances, such as for direct marketing or scientific research.
Rights related to automated decision-making and profiling: This protects individuals from decisions made solely on automated processing, including profiling, that have significant legal or similar effects.
What are the key principals of UK GDPR
Article 5(1) relating to the storage of personal data:
- processed lawfully, fairly and in a transparent manner
- collected for a specific, explicit and legitimate purpose
- adequate, relevant and limited for it purpose
- accurate and where necessary, kept up to date
- kept in a firm which permit identification of individuals for no longer than necessary
- processed in a manner that ensured appropriate security of the personal data
Article 5(2) requires that the controller shall be responsible for, and be able to demonstrate compliance with the principals
What are the key requirements
- an obligation to conduct data protectuon impact assessment for high risk holding data
- new rights for individuals to have access to info on what personal data is held and have it erased
- data security breaches must be reported to ICO within 72 hrs where there is a loss of personal data and a risk of harm to individuals
- fines up to 4% of global turnover of the company of £17.5mil (greater)
- Policed by ICO
What is copyright
Set of exclusive rights granted to the author/creator of any original work
Includes the right to copy
What is UK GDPR
EU GDPR no longer applies
Almost entirely transcribed into UK GDPR in 2016
Sets out core principles and rights for personal data processing
What is Data Protection Act 2018
supplements Uk GDPR with specific details and exemptions
What are the eight individual rights
- Right to be Informed
You must tell people how and why you’re using their data.
Example: When collecting client details for a valuation, you must provide a privacy notice explaining the purpose, legal basis, and data retention.
- Right of Access
Individuals can request a copy of their personal data.
Example: A tenant can ask your firm for all the data you hold about them, including emails, reports, and tenancy records.
- Right to Rectification
People can ask you to correct inaccurate or incomplete data.
Example: If a client’s name is misspelled in your system, they can request a correction.
- Right to Erasure (“Right to be Forgotten”)
Individuals can ask for their data to be deleted in certain cases.
Example: A former client may request deletion of their data if it’s no longer needed and there’s no legal reason to keep it.
- Right to Restrict Processing
People can ask you to limit how you use their data, without deleting it.
Example: A client disputes the accuracy of their data — you must stop using it until the issue is resolved.
- Right to Data Portability
Individuals can request their data in a machine-readable format to transfer to another service.
Example: A tenant wants to move their data from one property management firm to another.
- Right to Object
People can object to data processing based on legitimate interests, direct marketing, or research.
Example: A client can opt out of receiving marketing emails from your firm.
- Rights Related to Automated Decision-Making and Profiling
Individuals have the right not to be subject to decisions made solely by automated means that significantly affect them.
Example: If your firm uses automated tools to screen tenants, you must offer human review if requested.
What are the seven core principals of how personal data must be handled
Article 5(1)
- Lawfulness, Fairness, and Transparency
Meaning: You must have a lawful reason to process data, treat people fairly, and be open about what you’re doing.
Example: If you’re collecting tenant data for a lease agreement, you must explain why, how it will be used, and get proper consent or rely on a legal basis like contract.
- Purpose Limitation
Meaning: Only use data for the specific purpose you collected it for.
Example: If you collect client data for a valuation, you can’t later use it for marketing unless you get new consent.
- Data Minimisation
Meaning: Only collect the data you actually need.
Example: Don’t ask for a tenant’s passport number if a name and address will suffice for your records.
- Accuracy
Meaning: Keep data up to date and correct errors quickly.
Example: If a client updates their contact details, your system must reflect that change promptly.
- Storage Limitation
Meaning: Don’t keep personal data longer than necessary.
Example: If a project ends, archive or delete personal data unless you need it for legal or audit reasons.
- Integrity and Confidentiality
Meaning: Keep data secure — protect it from loss, theft, or unauthorised access.
Example: Use encrypted systems and access controls for client files and tenancy records.
- Accountability (from Article 5(2))
Meaning: You must be able to prove you’re following all the above principles.
Example: Keep records of consent, data audits, and staff training to show compliance.
What is the aim of UK GDPR and Data Protection Act
Aim is to create a single data protection regime affecting businesses and empower individuals to take control of how their data is used by third parties
What is the Freedom of Information Act 2000
Public body must tell individual requesting sight of info whether it holds it
Must supply in 20 working days
How does FOIA differ from SAR
FOIA refers to public information where Subject Access Requests refers to personal data about requester
Different response times (1 month SAR, 20 days FOIA)
What is exempt from FOIA
Two categories, absolute exemptions and qualified exemptions.
Absolute does not require a public interest test - if the exemption applies, the information must not be disclosed.
Qualified means the authority must weigh whether the public interest in withholding the information outweighs the interest in disclosing it.
