Data Management (L3) Flashcards

(252 cards)

1
Q

What is a Data Source?

Examples of Internal and External?

A

The origin or location where data comes from. It is the point of collection that feeds into analysis, reporting, or decision-making.

Internal sources:

  • Lease documents
  • Valuation reports
  • Client databases (CRM, property management systems)

External sources:

  • Land Registry (title info, comparables)
  • VOA (rating data)
2
Q

What are the limitations of primary data sources?

A
  • Time consuming
  • High cost - e.g. hiring inspectors
  • Human error
3
Q

What are the limitations of secondary data sources?

A
  • No control on what is contained in data
  • Lack of confidence - could be wrong and inaccurate - validity
  • above link to GDPR
4
Q

Why is it important to be careful when accessing data sources?

A
  • Essential to consider the reliability of the source and associated risks;
  • Where possible, verify data against an alternative source through ‘triangulation’

*Important to know which data you might use in work for different purposes, where it comes from and how reliable it is

5
Q

Why is Data Storage and Security important?

A

Essential that data is kept safe from corruption and that access is suitably controlled to ensure privacy and protection

6
Q

Give me some examples of data security technologies?

A
  1. Disk encryption - encrypt data on secure hard drive disk
  2. Regular back-ups off site
  3. Password protection
  4. Use of anti-virus software protection
  5. Firewalls and disaster recovery procedures

Consider what action is undertaken in your office to ensure the security of data

7
Q

What is a firewall?

A

Computer network security system that restricts internet traffic

8
Q

Give me an example of how you ensure that data is kept securely.

A

- Two factor authentication
- Using data rooms

9
Q

What is intellectual property?

A

Something that is created using your mind, protected by legal rights e.g. patent, copyright

It allows the creator/owner to control use of their work and to benefit commercially from it

10
Q

Can intellectual property be transferred?

A

Yes - Written agreement e.g. contract/assignment

11
Q

What are the Main types of Intellectual Property?

A
  • Copyright
  • Trademarks
  • Patent
  • Design Rights
12
Q

What is copyright?

A

Type of IP –>

Set of exclusive rights granted to author or creator of any original work including the right to copy

These rights can be licensed, assigned or transferred
Protects: literary, artistic, musical, dramatic works, films, software, databases.

Automatic protection (no registration).

13
Q

What are trademarks?

A

  • Protects: brand names, logos, symbols, slogans.
  • Must be registered to be fully enforceable.

14
Q

What is the Data Protection Act 2018?

A
  • The UK’s main data protection legislation.
  • The UK’s implementation of the General Data Protection Regulation (GDPR).
  • Governs how organisations must handle, store, and process personal data, protecting privacy rights of individuals.
15
Q

What is the UK GDPR (2021)?

A
  • Came in when UK left the EU
  • Key principles remain
  • Relates to controllers and processors outside the UK if they are dealing with individuals inside the UK
  • Covers cross-border processing
  • Applies to both controllers and processors
16
Q

When did the DPA 2018 come into force?

What did it come in to achieve?

A

It came into force on 25th May 2018 and replaced the Data Protection Act 1998

  • Act is a complete data protection system so as well as governing personal data covered by GDPR, it covers all other general data as previously covered by the 1998 Act.
17
Q

Does the UK GDPR 2021 override the 2018 DPA?

A

No — it doesn’t override it.
✅ They work together.

Think of UK GDPR as the main framework. After Brexit, the EU GDPR was brought into UK law as the UK GDPR.

DPA 2018 provides the detail, exemptions, and enforcement mechanisms.

18
Q

What are the key provisions/rules of the DPA 2018?

A

1) It incorporates the GDPR into UK law, ensuring data protection rules align with the EU regulations
2) It provides a framework for processing personal data in the UK
3) Covers personal data and sensitive personal data

19
Q

What types of data does the DPA 2018 Cover?

A
  1. Personal Data - info that identifies an individual (directly or indirectly)
  2. Sensitive Personal Data (special category data): Includes data about racial or ethnic origin, religious beliefs, health, sex, genetics
20
Q

What is a Data Subject?

A

A living individual whose personal data is being collected, held or processed.
- An identified or identifiable natural person

This means a person can be:
* Directly identifiable → e.g., by name, ID number, email address.
* Indirectly identifiable → e.g., by combining information such as job title + workplace + date of birth

21
Q

What are the key principles of data processing under DPA 2018?

A

LPDASIA

1) Lawfulness, fairness, transparency
2) Purpose limitation - only collected for specific, legitimate purposes
3) Data minimization - only data necessary for intended purposes
4) Accuracy - kept up to date
5) Storage limitation - minimal time/as long as necessary
6) Integrity + confidentiality - processed securely to prevent unauthorised access
7) Accountability

22
Q

What is SAR?

A

Subject access request

  • Individual demands for info a company holds on them
  • Respond within at least 1 calendar month
23
Q

EXAMPLE: Who is the data processor and data controller for CCTV information?

A
  • Data controller = Client/Landlord - they direct the processor's activities. Define the means and purposes for holding, using and processing the data
  • Data processor = Workman - they will collect, process, store and transmit personal data.
  • Data Sub Processor = A security contractor, RFMs etc. People who view and have access to the data

Data is processed on behalf of controller

24
Q

What is a data controller?

A

Person/entity that determines purpose and means of processing personal data (EG a client/landlord, employer holding employee HR records, university managing student records)

Must comply with principles

25
Who is the Data Protection Officer (DPO) and what is their role?
Responsible for overseeing the data protection approach, strategy & implementation. Needed if an organisation processes large amounts of sensitive data. - These people must comply with data protection principles. Companies are also required to implement:
26
When would an organisation need to appoint a Data Protection Officer (DPO)?
If they process large amounts of sensitive data or perform regular and systematic monitoring of data subjects
27
What would you do if there was a data breach under DPA 2018?
Under the DPA 2018: - Report to Information Commissioner's Office (ICO) within 72 hours - Notify affected individuals without delay, IF likely to result in a high risk to their rights/freedoms - If within company I would report to line manager/data protection officer
28
How can a data breach be discovered?
- Unusual network activity - Unauthorised data access attempts - Lost equipment - Reported thefts
29
What is your firm's data protection policy?
That suspected breaches are reported to line manager or data protection officer
30
What are the penalties under GDPR and data protection act?
Fines reaching up to whichever is higher: - 4% of global annual turnover - 20m euros (£17.5m)
31
What are exemptions to the Data Protection Act and GDPR?
Some exemptions to the rules apply, these could be for: - National Security - Law enforcement - Journalism - Academic research - Public health
32
What is GDPR?
The General Data Protection Regulation - A data protection law that applies to all EU members and aims to give individuals greater control over the personal data, while imposing strict rules on organisations who process that data. - It is a complete data protection system that governs personal data covered by GDPR and the previous act - Replaced 1995 Data Protection Directive
33
What law did the GDPR replace?
Replaced the 1995 Data Protection Directive and harmonised data protection laws across the EU.
34
When did GDPR come into effect?
EU - 25 May 2018
35
When was GDPR first introduced?
- EU in 2016 (implemented in May 2018 after a transition period) - UK in 2018 under data protection act - UK released own updates in 2021 (UK GDPR)
36
Why Did UK GDPR 2021 come in?
- The EU GDPR came into force in May 2018. It applied directly in the UK (because we were still an EU member then). - Brexit meant EU laws no longer applied automatically, meaning regulations like GDPR would have fallen away, leaving a gap in UK data protection law. To avoid a legal gap, GDPR was “retained” in UK law. The UK government copied EU GDPR into domestic law and renamed it UK GDPR. It sits alongside the Data Protection Act 2018.
37
Who regulates GDPR in the UK?
Information Commissioner's Office
38
Where did the DPA 2018 come from?
- Before 2018, the UK operated under the Data Protection Act 1998. Based on the 1995 EU Data Protection Directive. - Framework was outdated (couldn’t cope with digital economy, big data, AI, cloud computing, etc.). - The EU introduced the General Data Protection Regulation (GDPR) in May 2018. As an EU member at the time, the UK had to adopt GDPR.
39
How did GDPR tighten up the former DPA 1998?
- Gave individuals greater control over personal data (e.g. right to be forgotten, right to data portability). - Harsher penalties for non-compliance — up to £17.5 million or 4% of annual global turnover, whichever is higher. - Introduced a duty to report data breaches to the ICO within 72 hours. - Certain organisations (public bodies/those processing large volumes of data) must appoint a Data Protection Officer (DPO)
40
What is the difference between the UK Data Protection Act and the rules of GDPR?
GDPR: - EU-wide data protection regulation (now UK GDPR post-Brexit). - Sets core principles, rights, and obligations for handling personal data. UK Data Protection Act 2018: - UK law that supplements the UK GDPR. - Adds national exemptions and rules (e.g. for law enforcement, intelligence). - Gives the ICO powers to enforce data protection.
41
What are the key principles of GDPR?
LPDASIA 1) Lawfulness, fairness and transparency 2) Purpose limitation - specified and explicit 3) Storage limitation - should only be kept as long as necessary 4) Data minimization - only necessary data 5) Accuracy - up to date 6) Integrity and confidentiality - processed securely to prevent unauthorised access 7) Accountability - data controllers demonstrate compliance with GDPR principles ARTICLE 5(1) AND (2)
42
What are the individual rights under GDPR and the data protection act?
1) Right to be informed --> collection/use of personal data 2) Right to access --> to their personal data + request free copy 3) Right to rectification --> request corrections to data 4) Right to erasure --> 'to be forgotten'/deletion of data when no longer required 5) Right to restrict processing 6) Right to data portability --> obtain and reuse data across services 7) Right to object --> to processing of personal data, such as marketing 8) Rights related to automated decision making and profiling --> right to request human intervention
43
What are the key obligations for organisations under GDPR?
1) Must have data controller and data processor- both must implement appropriate technical and organisational measures 2) Data Protection by design and default - integrate DP into business practices 3) Data Protection Impact Assessment (DPIAs) - required for processing activities 4) May require DPO if processing large amounts of sensitive information (also oversee compliance with GDPR) 5) Breach notification/process --> when breach occurs
44
What is a Data Protection Impact Assessment (DPIAs)?
a process to identify, assess and minimise risks to individuals’ personal data when undertaking high-risk data processing. It’s a requirement under UK GDPR for certain activities
45
What is the purpose of GDPR and DPA?
Governs how personal data should be processed + protects rights of individuals
46
Can you confirm how data from your examples are stored under the regulations?
In line with GDPR principles
47
How do you comply with GDPR in your role?
- Report breaches to the DPO, and they will then escalate to ICO if high risk - Do not give out personal info - Keep records of data consent - Ensure info held is in line with GDPR - Data Purges
48
Can you give me some examples of data held by surveying practices covered under GDPR?
- Emails/correspondence - Customer data held for marketing - Data to help service a client (accounting info) - Standard and Sensitive personal data
49
Why was GDPR introduced?
To consolidate EU 2018 data laws and provide greater protection/rights to individuals
50
What is within the RICS guidance for GDPR compliance?
- Document purposes of holding information - Keep record of consent for processing, storage and retention - Check if you have contract for info
51
How long can you hold data for?
No specified time period - As of GDPR principle should be kept as long as necessary for processing purposes
52
How do you practice handling and managing data in line with GDPR at Workman?
- We have a compliance team and a compliance officer - Training provided ie. Cyber training on how to be safe online - IT controls on client data, opt in distribution lists etc.
53
What is the difference between the Data Protection Act and GDPR?
The Data Protection Act enacts GDPR into UK law
54
What things must companies put in place to ensure GDPR Compliance?
- Privacy notice informing employees and clients about how their personal data will be used - Training for employees on how to process personal / important data - Risk assessments for data processing activities - Firewalls / password changes / encryption etc.
55
Who are the key persons outlined within GDPR?
- DPO: Data protection officer - used when large amounts of sensitive data are being processed - Data controller: determines the purpose and means of processing of personal data - Data processor: processes the personal data on behalf of controller Eg contractor
56
How do you / your firm ensure compliance with GDPR?
- Our PM systems utilise personal data to link managers to their properties. - In line with the principles of GDPR, my firm requires us to add information in a secure way, using protected forms. - We also remove the information as soon as possible, in line with the data minimisation / storage limitation principles. Every 6 months there is a company-wide check of all properties and inactive managers are removed.
57
What is the Freedom of Information Act and when did it come into force?
IN THE UK --> Right for anyone to request public access to info held by a public body/authority. - Promotes transparency and accountability by allowing public to request information. - Public body required to provide within 20 working days (fee can be charged) - Introduced 30th Nov 2000
58
What are the exemptions to the Freedom of Information Act?
1) Absolute Exemptions (info that doesn't need to be disclosed) --> E.g national security, court records, parliamentary privilege, personal data protected under the DPA 2018. 2) Qualified Exemptions: Info that may be withheld if the public interest in maintaining the exemption outweighs the public interest in disclosure. --> E.g law enforcement, H&S etc
59
How much does it cost to submit a freedom of information request?
- Can be £0 - Limit is £450 for public authorities - Limit is £600 for central government
60
If you are working for a public sector client, and you receive a FOI request about a valuation you’ve prepared, what would you do?
- I would not release the information myself. - I would advise my client, who as the public authority is responsible for handling the request. - I would flag potential exemptions, such as commercial sensitivity or personal data, but the decision lies with the authority.
61
What is Privacy and Electronic Communications (EC Directive) Regulations 2003?
- PECR = Privacy and Electronic Communications (EC Directive) Regulations 2003. - Sits alongside UK GDPR & DPA 2018 → applies specifically to electronic communications.
62
How does the PECR 2003 relate to UK GDPR & DPA 2018?
UK regulations that sit alongside the Data Protection Act 2018 and UK GDPR. They give people specific privacy rights in relation to electronic communications. Purpose: - To regulate how organisations can use electronic communications for marketing, cookies, and network security.
63
What is the Land Registry Act 2002?
- Framework to ensure possibility of transferring and creating registered land interests electronically - Aims to get all freehold land in England and Wales registered by 2030 - Any sale/lease over 7 years, or mortgage must be registered with HM Land Registry
64
What are the Key areas covered in the Privacy and Electronic Communications Regulations 2003 (PECR)?
1. Electronic Marketing- Rules for emails, texts, calls, faxes. Consent usually required (opt-in), but “soft opt-in” allowed for existing customers. 2. Cookies & Tracking - Websites/apps must tell users, explain purpose, and get consent before using cookies 3. Security of Communications Services - Telecoms/ISPs must keep services secure. 4. Customer Privacy- Confidentiality of communications (no unlawful interception). Rules on caller line ID and location data.
65
What is the Retention of files and Limitation Act 1980?
Sets out how long business should keep documents for. - States legal action must be brought within 6 years of issue arising. - 12 years: Deeds and certain property-related claims - Ensures surveyors are aware that claims for breach of lease obligations, defects, or valuation disputes may be barred after a certain time.
66
How long does the RICS advise to hold data for?
15 years - The Limitation Act 1980 long stop date
67
What is the Limitation Act 1980?
The Limitation Act 1980 is a UK law that sets out the statutory time limits (known as “limitation periods”) within which legal claims can be brought in England & Wales.
68
What is a Deed? Example?
- Legal document transferring or creating property rights. - Evidence of a transaction (sale, transfer, lease). Example: Transfer deed for a house sale
69
What is a Registered title? Example?
- Official Land Registry record of ownership. - Proof of legal ownership and interests. Example: Land Registry shows buyer as owner.
70
What is the difference between a deed and a registered title?
- Deed = Legal document that formally transfers legal ownership - Registered Title = concept of giving right to own electronically - Title takes precedence (it is what the public uses) 💡 Tip: Deed = the document; Registered title = the official ownership record
71
What is an Index Map?
A large-scale map used to show the location and boundaries of a property or land parcel. It is usually referenced in deeds, conveyances, or registered titles to identify the land being transferred or leased
72
What are the Key features of Index maps?
- Shows plot boundaries, adjoining land, and reference numbers. - Acts as a visual reference to legal documents (e.g., a deed or lease). - Used in Land Registry and property records to link physical land to legal ownership.
73
How would you source title information?
1. Land Registry (Registered Titles)- Official record of ownership, easements, covenants. Searched via HM Land Registry. 2. Deeds (Unregistered Land)- Historical documents showing transfers, leases, or legal rights. Typically stored at solicitors’ offices or archives. 3. Title Plans/Index Maps. Show location and boundaries of property. Often included with deeds or Land Registry entries. 4. Official Searches & Enquiries- Local authority searches for planning restrictions, rights of way.
74
What are CPSEs?
Commercial Property Standard Enquiries A standardised set of questions used by surveyors, purchasers, or prospective tenants to obtain essential information about a commercial property before acquisition, lease, or investment.
75
What is the benefit of CPSEs?
They are designed to save time, reduce risk, and improve transparency in commercial property transactions.
76
Give me some examples of what the different types of CPSEs are used for?
- CPSE.1 (General pre-contract enquiries) - Freehold, Purchases, New Lease - CPSE.2 - Sale or Purchase of leasehold properties - CPSE.3 - Grant of a new lease - CPSE.4 - Assignment - CPSE.5 - Surrenders
77
Which CPSE would you use for a lease assignment?
CPSE.4 is the standard form used for the assignment of an existing lease. It focuses on issues such as whether landlord’s consent is required, any arrears of rent or service charge, whether there are disputes under the lease, and details of alterations or break clauses
78
When might a data room be used?
- Used in sales, leases, or refinancing → for due diligence. - Key for property sales.
79
What are the benefits of a data room?
- Efficiency – all documents in one place, easy remote access. - Security – controlled access, encryption, audit trails. - Transparency – everyone sees the same up-to-date info. - Cost & Time Saving – no printing/couriers, faster due diligence. - Auditability – clear record of what was shared and when.
80
Explain the growing use of AVMs in the industry
1. Speed & Efficiency- Provide instant property valuations without manual inspection. 2. Cost-Effectiveness- Reduce the need for traditional surveyor input for every valuation. 3. Data-Driven Decision Making- Banks, lenders, and insurers use AVMs to assess risk and lending limits. Helps property investors analyze portfolios and market trends. 4. Integration with Digital Platforms- linked with BIM, GIS, and property databases for richer insights.
81
How do Workman manage and protect data?
- Keep documents secured – EFS files - Have annual audits carried out - Usually, Workman/landlord are data controller, and the contractor is the processor - DPO to contact with any queries - All about getting consent for marketing, taking photos of individuals, displaying cleaner/security certificates etc - ISO9001 – Protects documents relating to their business - ISO27001 - protect sensitive information systematically and manage risks related to data breaches or cyber threats
82
How do Workman Ensure GDPR compliance?
- Raise awareness across the business - Audit all personal data - Update privacy notice - Review procedures supporting individuals’ rights - Identify and document legal basis for processing personal data - Annual GDPR training
83
How do Workman practise handling/ managing data in line with GDPR?
- We have a compliance team and a compliance officer - Training provided ie. Cyber training on how to be safe online - IT controls on client data, opt in distribution lists etc.
84
Where does Workman store data?
On the cloud, which is stored in data centres within the UK.
85
Does your firm have a privacy notice? What is included?
- Yes - it is on the website - It identifies the data controller - Shows what data is held, Outlines uses for data, Outline how long you hold data for - Outlines the data rights - Cookies used etc
86
Disadvantages of Workman Management Systems?
1. Updates to ensure strong encryption and firewall --> Downtime 2. Always security risk 3. Dependent on internet connections (tech). If not, their data can’t be accessed
87
How do you extract data in your role?
1. Horizon 2. Encrypted login 3. Search up property on system - go to data source needed e.g. invoice
88
How do you validate information received in your role?
- Avoid duplications - Reviews leases/legal documents - Cross check against historic data - Tenant/Landlord info - DI form dates correct - correct charges and sent to correct recipients
89
How do you comply with GDPR in your role?
- Report breaches - Do not give out personal info - Keep records of data consent - Ensure info held is in line with GDPR - Data Accuracy - ensure records are accurate and kept up to date (e.g. updating tenant contact details when notified).
90
What is the Use of horizon/tramps and meridian?
* Tramps --> Client reporting, sending tenant invoices, Accounting figures for budget, Legal documentation, Password protected - change every month * Meridian --> Actioning health and safety queries / documentation, Prop inspection report
91
How do you handle Confidential Information in a lease assignment (in line with GDPR principles)?
1) Secure Collection - Documents are submitted via password-protected encrypted email. 2) Restricted Access - Only the responsible surveyor and legal team can view the information. Only certain people copied into email. 3) Purpose-Limited Use - Information is used solely to assess the assignee’s financial strength and advise the landlord. 4) Secure Storage - Digital files stored on EFS within the relevant property. 5) Data Minimization - Only necessary information is extracted for reports; irrelevant details are not retained. When reporting to the client, I summarise findings rather than sharing raw data unnecessarily. 6) Disposal & Compliance - After the assignment process, confidential files are securely deleted or shredded.
92
If you come across a data breach, what is the process?
* Notify affected individuals without delay * Report to Information Commissioner's Office within 72 hours * If within company I would report to line manager/data protection officer
93
How do you protect Electronic Data from Viruses?
1. Antivirus & Anti-Malware Software- Install programs and keep updated. Regularly scan devices for threats. 2. Firewalls- Use hardware or software firewalls to block unauthorized access. 3. Regular Software Updates- Keep operating systems and applications patched to fix vulnerabilities. 4. Email & Download Security- Avoid opening suspicious attachments. Verify sources before downloading files. 5. Data Backups- Maintain regular backups to recover files if infected. Store backups offline/in secure cloud storage
94
What is ISO9001?
Sets out requirements for how firms should control data + documents relating to their business
95
Can you confirm how data from your examples are stored under the regulations?
In line with GDPR principles
96
What are the differences between manual and electronic records?
Electronic = stored online on file system and can read multiple at once Manual = Physical storage and harder to locate
97
What is the purpose of GDPR and data protection act?
Governs how personal data should be processed + protects rights of individuals
98
Can you give me some examples of reports that you run?
Arrears report Tenancy schedules Service charge analysis
99
What is the right to be forgotten?
The right for individuals to have their personal data erased if no longer required or if data processed unlawfully
100
What is an electronic document management system?
Software that centrally stores and organises documentation. E.g. Workman EFS
101
Who regulates GDPR in the UK?
Information Commissioner's Office
102
How is data managed on the Tramps (Horizon + Sharepoint) platform?
- Collaboration and sharing between different teams within businesses (and between business) - Only authorised users can access certain files - Audit trails document activity - Documents held via the cloud - Double factor authentication to get into the site
103
What is hard and soft data?
Hard - quantifiable, numerical facts Soft - not measurable - e.g opinions
104
Explain your use of horizon/tramps and meridian?
Tramps - Client reporting - Sending tenant invoices - Accounting figures for budget - Legal documentation - Password protected - change every month Meridian - Actioning health and safety queries / documentations - Prop inspection reports
105
RICS best practice points for complying with GDPR?
- Conduct data review - Anonymise data where possible - Encrypt everything where possible - Treat commercial data same as personal data, even though not covered by GDPR
106
What are the benefits of the cloud?
- Env friendly - less space - Speed - Accessibility managed via online settings - Collaboration - Information backed up securely on encrypted servers - Multiple users can access the same documents
107
When you downloaded the tenants account history reports, how do you ensure that these are stored safely?
Stored on electronic filing system (EFS), this is my firm's encrypted filing system. I ensured these were saved under property specific folder
108
How did you ensure that the folder you set up on your system for the sale ensured data safety principles were met?
1) Picked sharepoint as the data room provider - Ensured encryption and password entry 2) Add users - Set boundaries 3) Set permissions for users 4) Add documents and files - These can be downloaded to local internet networks
109
What does TRAMPS stand for?
Trace Microcomputer Property System
110
What is ISO27001?
Set of requirements for defining, implementing, operating, and improving an Information Security Management System (ISMS) - Proves to customers that it safeguards their data
111
What do ISO27001 users have privilege for?
Privileged accounts may access important data or systems or exercise administrative powers. - It is important to secure privileged accounts to prevent unauthorized use. - Accessing sensitive data
112
How do you ensure compliance with the Data Protection Act 2018 and UK GDPR?
- Process data lawfully and fairly for its intended purpose. - Obtain consent where necessary. - Secure personal and financial information through password protection and restricted access. - Keep records of processing and retention periods. - Report breaches promptly according to company procedures.
113
What systems do you use for data management?
Accounting systems: Tramps and Horizon for financial records, tenant accounts, and service charge management. Health & Safety systems: Vantify and Meridian for tracking inspections, risk assessments, and H&S compliance.
114
How do you maintain data accuracy in these systems?
- Regular audits and reconciliations of financial data. - Cross-checking property information with lease documents and inspection reports. - Ensuring all entries are updated promptly when changes occur.
115
What have you learned from managing property and client data?
- Effective data management reduces errors, improves efficiency, and supports compliance. - Regular training and system familiarity enhance accuracy and security. - Cross-referencing multiple systems ensures consistency across financial, property, and H&S records.
116
What are Vantify and Meridian?
A H&S management system used to track, manage, and report on inspections, risk assessments, and compliance actions. Helps ensure H&S obligations are monitored and met.
117
What are Tramps and Horizon?
A property and financial management system used to manage tenant accounts, service charges, rent collection, and financial reporting
118
What is the impact and importance of GDPR?
- Significantly impacted how organisations worldwide handle personal data, driving greater respect/accountability for individual privacy rights. - Set a high standard for data protection - It is essential for any organisation processing personal data of EU Citizens, regardless of location
119
What is the public interest test?
Decides under a qualified exemption if it is in the public interest to publish the data
120
What is a publication scheme?
A guide that a public authority must produce under the Freedom of Information Act 2000 (FOIA). - Where public authorities are required to proactively publish certain info through a publication scheme. - schemes must be approved by ICO and intend to make more info available, without specific requests.
121
What is the impact/importance of the Freedom of Information Act (2000)?
- Transparency and accountability --> providing a mechanism for public scrutiny - Public participation --> enables citizens to participate more effectively in decision-making processes - Press and research --> frequently requested/use FOIA requests.
122
What other steps should be taken when erasing personal data?
Ensure erasure from back-up systems as well as live systems
123
How quickly do you need to delete personal data if someone requests this?
Within a month - 30 days
124
What information is stored electronically in your firm?
- Property related information - Client information – names, contact details - General admin – fee invoices, staff contracts
125
What information is stored hard copy in your office?
Older leases and property files
126
What would you do if a piece of land is unregistered?
In this instance, proof of ownership is by production of a deed which sets out information about the ownership and the property details. - Check if it should be registered – registration is compulsory on sale, transfer, lease over 7 years, assignment of such a lease, or first legal mortgage. If none have occurred, it may remain unregistered. - Obtain the title deeds – these are the only proof of ownership. - Carry out extra due diligence – site inspection and local searches, as Land Registry guarantees don’t apply.
127
What are title documents?
A copy of the original register of title that the land registry can provide (a title plan and title register) detailing: - Owner - Address of owner - Tenure - Price paid (if sold since April 2000) - The boundaries - Any rights of way or restrictions & covenants on the land noted on the register
128
What is a Non-disclosure agreement? Why might you use it?
An agreement in which the parties agree not to disclose the information covered by the agreement. With parties involved in a potential transaction, if it is of a sensitive nature.
129
What are examples of data security threats?
- Phishing and Whaling - Hacking - Loss or theft of equipment - Insider threat - an employee causes a data breach (can be mistaken or malicious)
130
When would RICS investigate a social media post online?
- One that adversely impacts public confidence and trust in the profession This includes posts that: - are discriminatory, dishonest, abusive or threatening - bully, harass other people
131
What is primary vs secondary data?
- Primary = Data collected for the first time by the researcher to meet a specific, current need. - Secondary = Data that already exists and was collected by someone else for a different purpose
132
What is the request called when someone wants information about themselves?
Subject Access Request (SAR) - ICO have 30 days to respond
133
What would you do if you lost a management/confidential report on the way to site?
- I would be open and honest with the client - I would inform my line manager, and because it was high risk, I would inform my DPO at my company - Inform the individual asap - They would then handle it
134
Can you tell me how CCTV relates to GDPR and the principles that underpin it?
- Data transparency - Lawful/fair - Purpose limitation - requires personal data to be collected - Storage limitation - Only retained for time period - Secured against unauthorised access - data controller etc
135
What would you do if someone wanted to review the CCTV footage at Holborn/Lewisham/Guildford?
1) Request received 2) Check with data protection officer 3) Notify police (if required) 4) Ask subject to complete SAR whilst awaiting advice from data protection officer
136
What do the GDPR regulations say about CCTV?
- Reason for surveillance - Consider privacy - access/detecting incidents/audit - Policies and procedures - what to be recorded/who can view/how long to retain - Regular reviews - updated system/cameras added/removed - Accountability - Named person (IT team - Data Controller + data protection officer) - Need to pay data protection fee to ICO - Register with ICO as CCTV operator - Complete a data privacy impact assessment with ICO
137
What is Article 6 of GDPR?
- Outlines the lawful bases required for any processing of personal data, meaning data processors must have one of these legal grounds to proceed. - The six bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. - Without one of these bases, processing personal data is not permitted
138
What does blockchain mean?
Shared ledger system that facilitates the process of recording transactions across a computer network
139
How do you extract data in your role?
1. SharePoint - extract tenant lease information from the property management database to prepare valuation reports and lease reviews. 2. Horizon – Tenant rent information, service charge/rent invoices etc
140
What are Automated Valuation Models (AVMs)?
Computerized systems that estimate property values using algorithms, statistical models, and available data (sales, rents, property attributes, market trends).
141
What is Building Information Modelling (BIM) and how can it be used?
A process supported by digital tools that enables stakeholders (surveyors, contractors, and owners) to create, manage, and exchange information about a building in a coordinated way. - Generate and manage digital representations of elements of a building e.g. project planning and historic preservation
142
What is a Data Room?
A centralised secure location (physical or digital) where all relevant documents, records, and data relating to a property are stored for review by authorised parties. - Share sensitive docs, controlled access and relevant docs (in line with GDPR/DPA)
143
What are the rights of access under GDPR?
Individuals have right to access their personal data and supplementary information - can request copy of data free of charge
144
What are special provisions around DPA/GDPR?
1. Children’s Data- merit special protection. UK GDPR sets 13 as the minimum age for a child to consent to online services (with parental consent required below this). 2. International Data Transfers - When personal data is sent outside the UK, the law steps in because not all countries have the same level of protection.
145
What is a Data processor?
Processes data on behalf of the controller (sometimes known as a third party, e.g. a cloud IT company)
146
What are the rights of individual Data Subjects? (Under GDPR/DPA)
1. Right to be informed 2. Right of access: access their own personal data 3. Right to rectification: request corrections 4. Right to erasure: to be forgotten 5. Right to restrict processing: limitations of data 6. Right to data portability: obtain & reuse personal data across different services 7. Right to object 8. Rights related to automated decision making and profiling
147
How is data managed and protected in your firm?
- Consistent password changes (every 30 days) - Microsoft Authentication - Firewalls - EFS encryption - Consistent data purges - Regular training on how to protect data
148
How often do you update your management systems?
Vantify/Meridian: - Ongoing Actions at site --> at least once every fortnight - Key documents have a red, amber, green dependent on high-risk/importance. These are completed dependent on when they're due (most yearly) - Inspection reports: usually 6 monthly. Accounting Management Systems (Horizon etc): - Updated when there is a lease renewal/expiry - New charges, arrears due. There are often data purges throughout the company
149
What systems do you use for data management?
Accounting systems: Tramps and Horizon for financial records, tenant accounts, and service charge management. Health & Safety systems: Vantify and Meridian for tracking inspections, risk assessments, and H&S compliance.
150
How do you check the accuracy of the health and safety reports?
- Review the document thoroughly - ensure all areas/points have been covered - Confirm compliance: Check against legislation, RICS guidance, and internal policies. - Send them to the RFM to review - We make sure they are carried out by safe approval contractors
151
What action points do you review – give an example of an ‘action point’?
Action points --> tasks/remedial measures identified to reduce risk, ensure compliance, or address issues highlighted in inspections or audits. Examples are: - Faults with lifts following inspection - Remedial task- repair loose tile, uneven walkway, redecoration - Emergency Equipment: service fire extinguishers, something expired
152
What information goes into a data input form? (DI FORM)
A data input form is used for any changes at a property. For example: - Changes in registered address - Lease Renewal/Expiry - Break Dates - Rent Free periods - For new properties
153
How do you verify accuracy on Horizon / TRAMPS?
- Check against the lease, held on SharePoint - TRAMPS/Horizon information comes directly from the lease. - ALWAYS CHECK LEASE
154
Tell us more about the EFS?
- Software that centrally stores and organises documentation. E.g. Workman EFS - This is Workman's encrypted filing system. - I ensure files are always saved under the correct property. - It provides Secure Storage - Digital files stored on EFS within the relevant property.
155
Where is the EFS ‘stored’?
It is stored within the files on our computer. It is a network location - online cloud
156
Do you have a back up for the EFS?
- We have client management systems too which also hold the same information (SecureDocs, SharePoint etc) - Regular Automated Backups: Daily or weekly backups to a secure server or cloud storage. - Version Control: Retain multiple versions so previous data can be restored if needed. - Testing: Periodically test backups to ensure data can be recovered correctly. - Access Controls: Only authorized personnel can access or restore the backups.
157
What is TRAMPS?
Computerised property management system (PMS) used to manage, track, and report on various aspects of property operations. It’s particularly common in UK commercial property portfolios. Key Features of TRAMPS - Lease Management: Tracks lease terms, rent reviews, expiries, and options. - Financial Reporting: Produces reports for clients on rent roll, service charges, and arrears. - Reporting (Tenancy schedules)
158
Give me an example of when you have used a data input form?
- New Lease: Oryx Align or Myriad at Cornhill. - Use it all the time.
159
Can you tell me about how you extract data from a source regularly used in your role?
Horizon: 1) Encrypted login 2) Search up property on system - go to data source needed e.g. invoice. SharePoint/SecureDocs: - Double authentication - Client management systems
160
Explain how the H&S updates you make, ensure you can monitor compliance on Meridian/Vantify?
- Time stamped record of actions completed and comments made - See when risk assessments run out - Instruct - Notified to make updates fortnightly. - Green, amber, red - Action tracking system
161
How is data managed on the Tramps (Horizon + SharePoint) platform?
- Collaboration and sharing between different teams within businesses (and between business) - Only authorised users can access certain files - Audit trails document activity - Documents held via the cloud
162
Where do Workman store their data?
On the cloud, which is stored in data centres within the UK.
163
In your experience, is it better to store data on Workman or Client data systems, why?
- Conscious some clients are larger institutional funds handling commercially sensitive data and have own requirements and systems - If using client system - ensure firewall to connect secure locations - If using Workman system - be aware of client requirements RE password protection, access, location
164
What information is contained with your London Office portfolio monthly client reports?
- Meeting participants - Meeting minutes (salient points at each property) - Breakdown of the previous month's action points - Tenancy schedule - Review of budgets/recs - Arrears position
165
What reasoned advice do you give the clients in these London Office portfolio monthly reports?
- Existing position of the property, whether any major works are going on (and how to progress them), - Any disputes and how we recommend to resolve them, - Arrears position and anything we recommend to resolve (CRAR, forfeiture, stat demand etc) - Advise them on upcoming SC Budgets and recs, what to set the budgets at, if any major works are required etc. - Provide updates on upcoming lease events and lease expiry/void management.
166
What KPIs do you have/use in your reports to the client for the London Office portfolio?
KPIs: - Qtr day rent KPI --> 90% Q Day, 95% 14 days, 98% 28 days - Arrears KPI: To be at 2% of rent roll and SC - Providing reports within 2 working days following meetings
167
How do you achieve your KPIs for the London Office portfolio monthly meetings?
- Maintain good landlord and tenant relationship - Have processes in place to chase debts and pre-chase charges before becoming due
168
What advice did you give your client at Cornhill for the 4th and 7th floor tenant when discussing in the monthly London Office portfolio meeting?
- Recommended CRAR in the December and March Qtr, due to late payment, both times they made payment following the 7 day letter.
169
How did you ensure that sensitive/ confidential data was handled correctly in the Lombard Sale?
- Used a data room- a secure online data room with password protection, rather than email circulation. - Add users - Set boundaries - Set permissions for users - Add documents and files - These can be downloaded to local internet networks - Access Controls: Shared data only with authorised parties (client, solicitors, and instructed agents). - GDPR Compliance: Ensured handling was consistent with GDPR, only sharing information necessary for the transaction. - CPSEs were contained within the data room
170
What legislation did you follow in this handover for Lombard Sale?
- General Data Protection Regulation (UK GDPR) / Data Protection Act 2018 - To ensure tenant and client data was processed lawfully, securely, and only shared on a need-to-know basis. - Ensure purpose limitation and accuracy
171
Why was it necessary to terminate contracts – could these not just have been transferred in the Lombard Sale?
- Contracts are legal agreements with the individual seller, not with the property itself - Cost Control- These services will no longer be paid for by the client - Most supplier/FM contracts are signed between the client (landlord/vendor) and the contractor. They cannot automatically transfer to a purchaser - Purchasers may have their own preferred suppliers - Due diligence- provide the buyer with a clean sale
172
What H&S docs were sent to the new managing agents on Lombard Street?
- Asbestos Register & Management Plan (Control of Asbestos Regulations 2012). - Fire Risk Assessment (Regulatory Reform Fire Safety Order 2005). - Gas Safety Certificates (Gas Safety (Installation & Use) Regs 1998, if applicable). - Electrical Safety Certificates (e.g. EICR – Electricity at Work Regs 1989). - Lift Inspection & LOLER Certificates (if passenger/goods lifts are on site). - Water Hygiene / Legionella Risk Assessment (Health & Safety at Work Act 1974, COSHH). - Accident / Incident Logs (RIDDOR 2013 where relevant).
173
How did you ensure your client complied with GDPR/DPA during the handover of Lombard Sale?
- I ensured only necessary and proportionate data was shared, in line with GDPR principles. - No personal data was required as the property was vacant - Used a secure electronic data room with access restricted to authorised parties and kept an audit trail of data shared. This safeguarded both the client and tenants’ data
174
What risks would there have been if you had not provided full and accurate arrears data to the purchaser during the Lombard Sale?
- Inaccurate arrears data would also erode trust and potentially delay completion. - Providing transparent arrears information protected my client’s position and ensured a smooth transaction.
175
What arrears were on account during the Lombard Sale?
No arrears on account- building was a vacant FRI
176
How did you decide the most appropriate method of data transfer in the Lombard Sale?
- Recommended a secure online data room with password protection and limited user access. - This ensured compliance with GDPR, maintained an audit trail, and allowed for controlled updates. - Hard copies were avoided to reduce risk of data loss or breach.
177
Which RICS Rules of Conduct/ professional standards did you consider when handling sensitive information?
- I followed the RICS Rules of Conduct on acting with integrity, competence, and in the client’s best interests while also ensuring compliance with the law (GDPR). - I also adhered to professional statements on client money and service charges, ensuring data was accurate, transparent, and not misleading.
178
Can you pass over tenant names when assigning arrears on a sale?
You can when assigning arrears, but only where it is: - Necessary for the purchaser to manage the property post-sale (GDPR “legitimate interest” basis). - Limited to what is required – e.g. tenant name, arrears balance, lease reference, contact details for rent collection. DO NOT PROVIDE PERSONAL ADDRESSES, BANK DETAILS ETC - Transferred securely (e.g. encrypted email or secure data room).
179
Why did you complete a COT for the Lombard Sale?
- To get the utility contracts out of the tenant's name, and into the new purchaser's name - I agreed this with them in the handover.
180
What are CPSEs used for?
Selling property, new lettings, assignments. CPSE 1-3: New lease. CPSE 2: Sale. CPSE 4: Assignment. CPSE always used, in addition to another relevant one…
181
Disadvantages of Workman Management Systems?
1. Updates to ensure strong encryption and firewall --> Downtime 2. Always security risk 3. Dependent on internet connections (tech). If not, their data can’t be accessed
182
Tell me about another example of something you have advised on following a monthly meeting?
- Upcoming lease expiry at Moorgate (outside of 1954 Act), asking them their plans - Collecting large arrears, e.g. D A solutions, Cornhill, advising how to resolve the issue.
183
How did you complete the handover for the Lombard Sale?
- Data Rooms (primarily) - Online teams meetings to discuss the main points of the property - Site meeting to have a tour around the property/show them any issues or answer q's
184
You say the property (Lombard) was vacant at point of sale, what did you do in terms of business rates?
- We were currently paying the rates at the property. - I informed GL Hearn (our business rates advisor) to inform the council. - They only needed the full legal entity of the purchaser and the date of sale. - We then updated the Council to advise that the clients liability should be terminated from the date of sale.
185
Tell me about your responsibilities for the vacant Lombard building before it sold?
- Vacant unit inspection - these were completed fortnightly. - Rates - Ensuring building is suitable for viewing
186
What is a property manager's responsibility when managing a vacant building?
- Insurance - Repairs - EPC (and consider MEES) - Inspections - insurance purposes (FORTNIGHTLY) - Inform council - rates - Security - Maintain landscaping / asbestos - Undertake a health and safety and fire risk assessment of the building
187
Who is liable to pay business rates?
Liability: - Always the occupier of property pays business rates (not the landlord), unless the property is vacant. If vacant → liability reverts to the landlord (after an initial 3-month exemption, or 6 months for industrial).
188
What are the different types of rates relief available?
- Small Business Rates Relief (SBRR): Full or tapered relief if RV ≤ £15,000; only for single/main property. - Empty Property Relief: First 3 months (6 months industrial); after that, full rates payable. - Charitable / CASC Relief: Mandatory 80%, discretionary up to 100% for charitable use. - Rural Rate Relief: Up to 100% for qualifying rural properties.
189
Can you tell me about some common mitigation schemes that would have been available at Lombard?
- Short-Term Occupation: Letting the property for at least 13 weeks resets the empty property relief period. Often used with temporary tenants, “meanwhile” uses, or pop-up shops. - Charitable Lettings: Leasing to a genuine charity can trigger mandatory charitable rate relief (80% relief; councils can give up to 100%). Charity must use the premises wholly or mainly for charitable purposes; mere token use can be challenged. - Demolition or Alteration: If a property is rendered incapable of beneficial occupation (e.g., major works, stripped interiors), it can be removed from the rating list until usable again. - Exemptions for Specific Properties: Agricultural buildings, places of worship, some listed buildings, and small properties below certain thresholds may be exempt. (RICS advises that all should comply with law and ethical guidance; avoidance schemes exploiting loopholes can be challenged.)
190
Are rates mitigation strategies considered ethical under RICS?
Permitted: - Strategies must be legal, transparent, and not misleading. - E.g. genuine short-term lettings or occupation by property guardians. Not Permitted: - Artificial arrangements that are sham occupations (e.g. putting a token amount of furniture in a building to claim “occupation”). - Anything that could be viewed as tax evasion or misrepresentation. - Breaching the RICS Rules of Conduct: act with integrity, avoid misleading, and uphold public confidence.
191
You say you provided 'key historic financial data' for the Lombard Sale, how did you avoid mentioning tenant names?
- I anonymised/redacted data by unit/lease reference number. - Where tenant names had to be disclosed (e.g. in arrears schedules), it was also justified, because they are the legal counterparty. - Securely transferred – via data room or encrypted file sharing. I followed GDPR principles: data minimisation, confidentiality, and lawful processing (legitimate interest).
192
How do Workman manage and protect data?
- Back up documentation - Keep documents secured – EFS files - Have annual audits carried out - Data Protection Officer to contact with any queries - All about getting consent for marketing, taking photos of individuals, displaying cleaner/security certificates etc - ISO9001 – Protects documents relating to their business - ISO27001 - protect sensitive information systematically and manage risks related to data breaches or cyber threats
193
How do Workman Ensure GDPR compliance?
- Raise awareness across the business - Audit all personal data - Have/update privacy notice - Review procedures supporting individuals’ rights - GDPR annual training - Identify and document legal basis for processing personal data
194
How do Workman practise handling/ managing data in line with GDPR?
- We have a compliance team and a compliance officer - Training provided ie. Cyber training on how to be safe online - IT controls on client data, opt in distribution lists etc.
195
Where does Workman store data?
On the cloud, which is stored in data centres within the UK.
196
Do Workman have a privacy notice?
YES - identifies Workman as a data controller Shows what data is held (not kept for longer than necessary), uses for data and how long data can be held, rights of data subjects etc
197
Disadvantages of Workman Management Systems?
1. Updates to ensure strong encryption and firewall --> Downtime 2. Always security risk 3. Dependent on internet connections (tech). If not, their data can’t be accessed
198
Tell me how you extract data in your role?
- Horizon - lease/invoice/rental information - Encrypted login - Pull data off of data rooms - SharePoint - lease information - Search up properties on managed systems
199
How do you validate information received in your role?
- Avoid duplications - Cross check against historic data - Tenant/Landlord info - Make sure date is complete - DI form dates correct - correct charges and sent to correct recipients - Check prelists
200
Tell me how you comply with GDPR in your role?
- Report breaches - Do not give out personal info - Keep records of data consent - Ensure info held is in line with GDPR - Data Accuracy - ensure records are accurate and kept up to date (e.g. updating tenant contact details when notified).
201
Give me an example of when you have complied with GDPR in your role?
Lombard Sale - Used a data room- - Set permissions for users - Access Controls: Shared data only with authorised parties (client, solicitors, and instructed agents). - GDPR Compliance: Ensured handling was consistent with GDPR, only sharing information necessary for the transaction. - CPSEs were contained within the data room
202
What is your firm's data protection policy?
Suspected breaches are immediately reported to the line manager and DPO.
203
How does your use of TRAMPS, Horizon and Meridian uphold GDPR?
- Password protected - Double-factor authentication - Password changed every month
204
Tell me about a time you processed and handled confidential information?
Lease Assignment at Unit 7 Wanstead (case study) 1) Secure collection - documents submitted to a data room 2) Restricted access - only responsible surveyor/legal team could view info 3) Purpose-limited use - Information is used solely to assess assignee financial strength and provide landlord recommendation 4) Secure storage - all relevant info stored in our EFS after assignment was completed (lease info) 5) Disposal & compliance - after the assignment, all confidential files were deleted (that were no longer required)
205
Workman's data breach process?
- Notify affected individuals without delay - Report to ICO via DPO within 72 Hours - If an internal issue, report to line manager, DPO immediately.
206
How do you protect Electronic Data from Viruses?
1. Antivirus & Anti-Malware Software 2. Firewalls 3. Regular Software Updates 4. Email & Download Security 5. Data Backups 6. Regular training to ensure awareness.
207
How do you ensure confidential tenant information is kept secure in your reports for the monthly London meetings?
- When distributing reports to the client, I use secure email transfer, and any unnecessary personal information is excluded. - All docs are ISO9001 - Docs are password-protected - All reports are stored on our EFS with access restricted/encrypted I follow GDPR principles of data minimisation and confidentiality, ensuring only business-critical info is included.
208
What risks could arise from poor data management in your reporting, and how do you mitigate them?
- Lead to inaccurate arrears reporting, missed lease events, or incorrect tenancy information, - Also not redacting info about tenants/props etc - Which could expose the client to financial loss or reputational risk. Therefore: - Ensure rigorous cross-checking, use our internal filing system/ management systems for latest version control - Always clarify discrepancies with the rest of the PMs before sharing.
209
Can you give an example of when your report highlighted an issue that led to a management action/recommendation?
Yes --> highlighted persistent late payments by a tenant occupying the 4th and 7th floors at Cornhill. - Advised the client on initiating CRAR as a proportionate recovery action. - This proactive reporting enabled the client to take timely steps to protect income and address ongoing arrears.
210
Can you confirm how data from your examples are stored under the regulations?
In line with GDPR principles
211
Which records are manually kept in your office and why?
Financial records e.g. invoices and receipts - Low risk of data loss and provide an audit trail
212
What is an electronic document management system?
Software that centrally stores and organises documentation. E.g. Workman EFS
213
What is a data room such as the one you used at Lombard Street?
Secure online repository - Shares sensitive documents - Controlled access - Leaves audit trail - When and where users are accessing - Stored in line with GDPR - Password protected and encrypted
214
Can you give me some examples of data held by surveying practices covered under GDPR?
- Emails/correspondence - Contact details of tenants, clients etc - Demographic, personal information - Customer data held for marketing - Data to help service a client (accounting info)
215
Was the data you mention as part of the data input forms held under GDPR regulations?
Yes I can confirm
216
Explain how H&S updates you make ensure you can monitor compliance on Meridian?
- Time stamped record of actions completed and comments made - See when risk assessments run out - Instruct Green, amber, red - Action tracking system
217
What are RICS best practice points for complying with GDPR?
- Conduct data review - Anonymise data where possible - Encrypt everything where possible - Treat commercial data same as personal data, even though not covered by GDPR
218
When you downloaded tenants account history reports/arrears information for your monthly portfolio meetings, how do you ensure that these are stored safely?
- Stored on electronic filing system (EFS), this is my firm's encrypted filing system. I ensured these were saved under the property-specific folder
219
When sending out the London Office Monthly reports, how do you ensure this is secure?
- I use secure email transfer, and any unnecessary personal information is excluded. - I only include relevant recipients in the email. - Workman uses ISO27000 - helps encryption during transmission, ensures access control - Avoid including unnecessary personal data
220
How often are Fire Risk Assessments reviewed and required?
- Typically reviewed annually or when significant changes occur in the building or its use - New assessment every 3-5 years
221
What is included in General Risk Assessments?
- Identify hazards. - Decide who might be harmed and how. - Assess risk (likelihood × severity). - Record and implement control measures. - Assign responsibility and set review dates
222
How often are General Risk Assessments reviewed and required?
- Typically reviewed annually or when significant changes occur in the building or its use - New assessment every 3-5 years
223
Tell me what is included in asbestos reports/surveys?
- Survey details & summary. - Register of ACMs (location, type, condition). - Risk assessment (likelihood of fibre release). - Photos/plans. - Recommendations (manage, encapsulate, or remove).
224
How often are asbestos re-inspection reports required?
- The asbestos register must be kept up to date. - It should be reviewed at least every 12 months. - A new survey/report is required if there are significant changes (e.g. refurbishment, demolition, or suspected disturbance of ACMs).
225
Tell me an example of where you have had an issue/incident with asbestos?
- Warwick House - Getting works done in basement plantroom, and M&E contractors reported potential disturbed asbestos.
- Therefore, we requested immediate sealed off/isolation of the affected area. Put up signage etc
- Notify the dutyholder/RFM/H&S team straight away.
- We then engaged the licensed asbestos contractor to inspect, test, and safely remediate.
- They confirmed it was OK, resealed it, made safe and didn't need to be removed.
226
What advice did you provide to your client during the sale of Lombard Sale?
- Advised them on the key post-sale obligations (COTs, contracts termination, providing key documentation, TRAMPS termination, Utilities termination etc)
- Using the data room for secure access
- Existing payment history reports levels
- Advised on any issues within the property.
227
What types of H&S documents do you commonly manage, and how do you handle them?
- Manage fire risk assessments, general risk assessments, and asbestos reports.
- Upload them into the relevant system (Vantify etc), and log any action points for follow-up by the property management team or contractors.
228
Why is accurate data management important in health and safety compliance?
- Ensures statutory compliance
- Reduces risk to tenants and visitors
- Protects the client from enforcement action or reputational damage.
- Errors or delays in updating systems could result in missed actions, exposing the client to liability.
229
Which RICS or legal requirements guide your approach to managing these records?
- I comply with the RICS Rules of Conduct around providing a high standard of service and acting in the client’s best interests.
- Also ensure compliance with the Health and Safety at Work etc. Act 1974 and the Management of Health and Safety at Work Regulations 1999, which require dutyholders to manage/monitor risk through proper record-keeping
230
How do you ensure the accuracy of the data you input?
- I verify details against the signed lease when completing the form.
- Once completed, I double-check key fields such as rent commencement, review dates, and break clauses.
- I then sign off the form before forwarding to the data input team for processing.
231
Why is it important to store critical lease documents on the Electronic Filing System (EFS)?
- EFS provides a secure and centralised system for all important documents.
- Ensures version control, allows quick access in emergencies
- Supports compliance by making sure client and tenant information is stored in line with GDPR and firm policies
232
Tell me some risks that could arise from poor data management in lease event recording?
- Errors could lead to missed rent reviews
- Unnoticed break dates
- Incorrect billing
These could cause financial loss and reputational damage to the client.
233
Which professional standards apply when managing and storing this lease input data?
- RICS Rules of Conduct require me to act with integrity and provide a high standard of service. In practice, that means ensuring lease data is accurate, transparent, and securely stored.
- I also follow GDPR and the DPA 2018 when handling tenant information.
234
For your London office portfolio example, can you tell me how you download relevant lease documentation?
- Access TRAMPS to locate executed leases and side documents.
- Retrieve scanned copies from the Electronic Filing System (EFS) if not on Horizon/TRAMPS.
- Also check the client managed systems for any updates
- Ensure version control and compliance with GDPR / firm data policies.
235
How have you applied your data management skills to add value for your client during your monthly London Portfolio meetings?
- Provide my client with a clear view of portfolio performance and risks. For example, I identified persistent arrears at Cornhill and recommended using CRAR to protect income.
236
How do you ensure your London Portfolio reports are reliable enough to inform strategic decisions?
- Cross-check data from our internal systems against lease documentation, arrears schedules, and property manager updates.
- Only include verified information, and I highlight uncertainties to the client so they can make informed decisions.
- I request updates from the client where there are any ongoing disputes, lease events etc
237
How does your London office portfolio example take into account GDPR/DPA 2018?
- Store tenant/occupier data securely in internal systems with restricted access.
- Apply data minimisation – include only relevant lease/financial details.
- Exclude unnecessary personal data.
- Distribute reports via secure channels (e.g. encrypted email/portal).
- File final versions in the Electronic Filing System (EFS) for compliance, audit trail, and version control.
238
How do you ensure internal management systems remain accurate following a disposal, such as Lombard Sale?
- Complete data input forms to update Horizon/TRAMPS
- Remove the asset from arrears reporting
- Confirm the disposal is recorded.
- We have a post-sale obligations checklist to adhere to
239
Why are Change of Tenancy (COT) forms important when managing disposals?
- COT forms ensure utility and supplier accounts are terminated or transferred correctly. This prevents ongoing liability for the client and ensures a smooth handover to the new owner.
240
Which RICS professional standards guide your approach to managing and transferring property data for the Lombard Sale?
- RICS Professional Statement: Real estate management (2016) 3rd edition
- RICS Professional Standard: Service Charges in Commercial Property (2018) 1st Edition, (Effective April 2019, reissued 2023 as PS).
- RICS Guidance Note: Commercial Property Management in England and Wales (2011) 2nd Edition
- RICS Rules of Conduct (2021)
241
How did your data management during the Lombard Street sale add value for your client?
By ensuring all information was accurate, complete, and securely transferred
- Helped avoid potential disputes
- Minimised the risk of post-sale liabilities
- Provided confidence to the purchaser, supporting a smooth and timely transaction.
242
What does RICS Professional Standard: Service Charges in Commercial Property (2018) 1st Edition, (Effective April 2019, reissued 2023 as PS), say about sales?
Appendix D - commercial property handover
- Reconcile any outstanding closed service charge years.
- Transfer any SC credit balance.
- Recover arrears/shortfalls, confirming whether buyer or seller can pursue.
- Provide buyer/managing agent with full service charge records for continuity.
- Provide property financial information
243
Did you complete Sale Rec for Lombard Street sale?
NO - It was a vacant FRI office property and there was no service charge in place. Sale recs only relevant for service charge income or expenditure to reconcile.
- Did carry out a financial reconciliation to cover rent apportionments, historic arrears, and insurance to ensure a clean handover to the purchaser
244
How have you used data analysis to advise clients or support business decisions?
London Portfolio example - lease events, CRAR, poor tenants etc
245
How do you ensure data quality and integrity in large datasets?
- Validate data on entry to ensure accuracy, completeness, and correct formatting.
- Perform regular checks and audits to identify errors, duplicates, or anomalies.
- Implement version control and maintain a clear audit trail of changes.
246
For your managed properties, who is the data controller and who is the data processor?
Data Controller - Workman/Us, can be the landlord
Data Processor - Contractor, usually the security contractor.
247
If you needed to review CCTV, are you able to?
- You can if you are on the list of those authorised to do so.
- If not, you can speak to the DPO to request access and gain the necessary permissions
- Access must comply with GDPR, the DPA 2018, and the CCTV policy — ensuring footage is only viewed by authorised personnel, kept secure, and not retained longer than necessary.
248
How did you ensure that the folder you set up on your system for the sale ensured data safety principles were met?
1) Picked SharePoint as the data room provider - Ensured encryption and password entry
2) Add users - Set boundaries
3) Set permissions for users
4) Add documents and files - These can be downloaded to local internet networks
249
Can you tell me about the retention of files and the Limitation Act 1980?
Sets out how long businesses should keep documents for. States legal action must be brought within 6 years of the issue arising
250
Can you give an example of when you identified and advised on a risk during the data handover process for Lombard Street?
- An issue with the ground floor bathroom, and recently having flies in it
251
Can you give me some examples of reports that you run?
- Arrears report
- Tenancy schedules
- Service charge analysis
252
How do you validate information used/received?
- Avoid duplications
- Cross check against historic data
- Tenant/Landlord info
- Make sure date is complete
- DI form dates correct
- correct charges and sent to correct recipients