What are the key pieces of legislation relating to data management?
Freedom of Information Act 2000
CRCA 2005
Data Protection Act 2018
UK GDPR
What is the relationship between UK GDPR and the Data Protection Act 2018?
DPA 2018 supplements UK GDPR
UK GDPR is the retained version of EU GDPR following Brexit
What is the Freedom of Information Act 2000?
Timeframe for info to be provided?
Gives public legal right to access information held by public authorities.
Must be provided within 20 working days, subject to exemptions.
What is the purpose of the Data Protection Act 2018?
Supplements UK GDPR
Controls how personal data is used by businesses
What are the 7 data protection principles from the Data Protection Act 2018?
(LADPASS)
Lawfulness, fairness, transparency
Accuracy
Data minimisation
Purpose limitation
Accountability
Storage limitation
Security
What are the 8 individual rights in the Data Protection Act 2018?
(AO RAIDER)
Access
Object
Rectification
Automated decision making / profiling
Informed
Data portability
Erasure
Restrict processing
What is CRCA 2005?
Commissioners for Revenue and Customs Act 2005
Applies to all HMRC officers - provides duty to keep information confidential
What is in section 10 of CRCA 2005?
Explicit to VOA - allows ‘officers of revenue and customs’ to provide valuation of property for HMRC, public authorities, or functions in connection with public purposes.
What is in section 17 of CRCA 2005?
Allows sharing of information between HMRC and VOA.
(e.g. SDLTs, RALDs)
What is in section 18 of CRCA 2005?
Permits disclosure of information outside VOA/HMRC in line with function.
(e.g. RALDs to agent)
What is in section 19 of CRCA 2005?
Makes it a criminal offence to disclose information that can identify an individual, unless covered by s18.
What personal data is protected under GDPR?
Information relating to an individual.
Examples:
- Name
- Home address
- Email address
- ID card number
- Phone number
- IP address
Who are the key persons outlined within GDPR?
Controller – determines purposes and means of processing personal data.
Processor – processes personal data on behalf of controller.
Data Protection Officer (DPO) – leadership role required by EU GDPR - oversees data protection approach.
Imagine you’ve identified a potential data breach while working at the VOA. Who would you report this to, and what statutory reporting requirements or deadlines would apply in this situation?
Report breach (internally) within 72 hours of becoming aware. Data Protection Officer (DPO) required for public authorities.
If breach has high likelihood to risk people’s rights and freedoms - Report to Information Commissioner’s Office (ICO) within 72 hours.
Stronger legal protection for more sensitive information, such as race, religious or political beliefs, sexual orientation.
What is the maximum fine for a data breach under UK GDPR?
20 million euros or 4% annual global turnover
What are the advantages of storing property related documents in a secure network drive?
(ABC)
- Access management
- Backup and Recovery
- Compliance
In what circumstances can a Freedom of Information (FOI) request be refused?
Freedom of Information Act 2000
Can the VOA disclose property related information (e.g. general sales, rental information, property attributes)?
Which legislation does this relate to?
No - it could identify an individual.
Freedom of Information Act 2000
Hypothetically, what would you do if you lost a flash drive containing a client’s personal information?
Report breach to DPO within 72 hours of becoming aware.
If breach has high likelihood to risk people’s rights and freedoms - Report to Information Commissioner’s Office (ICO) within 72 hours.
Also let client know and (if data had been sent to another party incorrectly) contact other party to request deletion.
You have mentioned that you regularly research, gather and analyse data from external sources.
As an example of this, if you find a rental transaction on CoStar, how can you verify the accuracy of the data?
Cross-check against multiple sources, such as:
- other databases (EIG, internal records)
- agent information (brochures / particulars, market listings)
- direct verification (call/email agent)
Also apply professional judgement to assess reliability.