What does the Data Protection Act 2018 control?
How personal data is used by organisations and businesses
It protects personal data and requires adherence to seven data protection principles.
List the seven data protection principles (SAIL PAD).
- Storage limitation
- Accuracy
- Integrity and confidentiality
- Lawfulness, fairness and transparency
- Purpose limitation
- Accountability
- Data minimisation
These principles guide the handling of personal data under the Data Protection Act.
What are the personal rights under GDPR (BARE CORD)?
- Be informed
- Access
- Rectify
- Erasure
- Object
- Restrict processing
- Data portability
These rights empower individuals regarding their personal data.
True or false: The GDPR came into force in May 2018 as an EU regulation.
TRUE
It sets out broad principles for data protection across the EU.
What does the DPA 2018 do?
Supplements GDPR and incorporates it into UK law
It adds UK-specific provisions to the GDPR framework.
Under Section 170 of the Data Protection Act 2018, what is an offence?
- Obtain or disclose personal data without consent
- Procure disclosure of personal data without consent
- Retain personal data without consent
These actions are considered serious violations of data protection laws.
Who is the Data Protection Officer responsible for VOA?
David Burke
The DPO oversees compliance with data protection regulations.
What are the mandatory requirements for firms according to the RICS Professional Statement?
- Risk assessments for client data
- Define and adhere to data retention policy
- Appoint a person responsible for data handling
- Use passwords to control access
These requirements aim to enhance data security and compliance.
How can you keep data safe? List some methods.
- Lockable secure document storage
- Electronic information on encrypted servers
- Lock computer when away from desk
- Comply with employer’s IT policies
- Obtain clients’ written permission to share data
These practices help ensure the security of personal data.
What does the CRCA stand for?
Commissioners for Revenue and Customs Act 2005
It applies to all HMRC officers and sets out statutory functions and confidentiality duties.
What is required in case of a data breach?
- Report internally within 48 hours
- Notify ICO within 72 hours if necessary
- Inform affected individuals if high risk
These steps are crucial for compliance and protecting individuals’ rights.
What does the Freedom of Information Act 2000 provide?
- Right to request information from public authorities
- Authority must respond within 20 days
It ensures transparency and accountability in public authorities.
What is the maximum fine under GDPR?
£17.5 million or 4% of global turnover
This penalty applies to serious violations of data protection laws.
What is a non-disclosure agreement (NDA)?
Protects against sharing confidential data
Clients typically request an NDA before sharing sensitive information.
What is the purpose of the Data Use and Access Act 2025?
Allows ‘stop the clock’ for service access requests
It requires organisations to conduct reasonable and proportionate searches for Subject Access requests.
What is a data controller under GDPR?
The organisation or individual that determines the purposes and means of processing personal data
Data controllers are responsible for ensuring compliance with data protection laws.
What is a data processor under GDPR?
The organisation or individual that processes personal data on behalf of the controller
Data processors must follow the instructions of the data controller.
List the principles of the ICO data sharing code of practice.
- Accountable
- Lawful
- Fair
- Secure
These principles guide responsible data sharing practices.
What is the purpose of the RICS global standard on responsible use of AI?
Provide a basis for upskilling the profession
It includes provisions for clear policies around data and AI use.
What must clients be informed about regarding AI use?
When AI has been used and given the option to opt out
This ensures transparency and client consent in AI applications.
