Data management - Level 1

Question 1

What is your understanding of the term confidentiality?

Answer 1

Confidentiality refers to the obligation to protect information that is shared in confidence and not disclose it without permission. In surveying, this includes client data, valuation reports, and sensitive property information. Maintaining confidentiality is essential to uphold trust and comply with legal and professional standards.

Question 2

What is your understanding of the term metadata and why is it important?

Answer 2

Metadata is information about a specific piece of data. For example, when sharing a cost planning document, metadata may include the author, file size, creation date, and keywords. Metadata must be treated with the same level of care as other confidential data. When sharing documents, it’s important to ensure that confidential metadata is not inadvertently disclosed.

Question 3

What is your understanding of intellectual property and copyright?

Answer 3

Intellectual property and copyright refer to the rights to control the use and ownership of original works. Typically, work created by an employee belongs to their employer unless otherwise agreed. In construction, clients are often granted a licence to use copyrighted material, such as designs by subcontractors, but the original copyright remains with the creator.

Question 4

What is the Freedom of Information Act 2000?

Answer 4

The Freedom of Information Act 2000 is UK legislation that gives the public the right to access information held by public authorities. It requires authorities to publish certain information and respond to requests for data, covering all information held — not just that created after the Act came into force.

Question 5

What are the benefits of cloud-based storage systems?

Answer 5

Cloud-based systems offer secure, encrypted backup of data, online accessibility, and cost savings compared to physical storage. They allow multiple users to access and synchronise documents, are environmentally friendly, and make sharing files more efficient than traditional methods.

Question 6

What is the meaning of a non-disclosure agreement (NDA)?

Answer 6

An NDA is a legal agreement used to prevent the disclosure of confidential information. Before sharing sensitive data, clients may require recipients to sign an NDA to protect intellectual property, innovative ideas, or commercially sensitive information from being used by competitors.

Question 7

What is the Data Protection Act 2018?

Answer 7

The Data Protection Act 2018 is the UK’s implementation of the EU GDPR. It governs how personal data is processed by organisations and public bodies. It replaces the 1998 Act and sets out principles for lawful, fair, and secure data handling.

Question 8

What are the key principles of the Data Protection Act 2018?

Answer 8

The Act requires that personal data is: Used fairly, lawfully, and transparently Adequate, relevant, and limited to its purpose Accurate and kept up to date Retained only as long as necessary Processed securely to prevent loss, misuse, or unauthorised access

Question 9

What rights do individuals have under the Data Protection Act 2018?

Answer 9

Individuals have the right: To be informed about how their data is used To access their data To have inaccurate data corrected To have their data erased To restrict or stop processing To data portability To object to data use

Question 10

Who are the key persons outlined within GDPR and what are their roles?

Answer 10

Controller: The person or organisation that determines the purpose and means of processing personal data. For example, an employer processing employee data is the controller. Processor: A person or organisation that processes data on behalf of the controller, such as a call centre acting for a client. Data Protection Officer (DPO): A leadership role required in organisations that process large volumes of personal data. The DPO oversees data protection strategy and compliance.

Question 11

What are the eight individual rights under GDPR?

Answer 11

The right to be informed The right of access The right to rectification The right to erasure The right to restrict processing The right to data portability The right to object Rights related to automated decision-making and profiling

Question 12

What sources of information do you use in your day-to-day surveying work?

Answer 12

I use a range of sources including: RICS guidance notes Contract documentation Valuation data Industry journals

Question 13

How do you manage these sources of information to ensure compliance with legislation?

Answer 13

I ensure confidentiality by only discussing projects with authorised colleagues. Hard copy documents are stored securely, and electronic files are kept on encrypted servers. I lock my computer when away from my desk and follow IT security policies, including regular password updates and cyber security training. I also seek written client permission before reusing non-public information.

Question 14

How do companies ensure compliance with data protection legislation?

Answer 14

Retaining only necessary data Informing individuals about how their data is used Storing data securely Keeping data accurate and up to date Deleting data that is no longer needed These practices help meet the requirements of the Data Protection Act 2018 and UK GDPR.

Question 15

How do you demonstrate your understanding of information security in your day-to-day work?

Answer 15

I follow internal VOA policies and procedures to ensure that sensitive data is stored, accessed, and shared securely. This includes using encrypted systems, locking my screen when away from my desk, and ensuring that confidential information is only shared with authorised individuals. I also complete mandatory training on data protection and cyber security.

Question 16

What is your understanding of how to report on sensitive property information?

Answer 16

When reporting on sensitive property information, I ensure that the data is accurate, relevant, and presented in a secure and professional format. I avoid including unnecessary personal data and follow VOA and RICS protocols to ensure confidentiality. If there is any uncertainty, I seek guidance from a manager or data protection lead.

Question 17

Can you give examples of internal and external data sources you use to support your valuations?

Answer 17

Internally, I use systems such as EDRM and CDB to access case files, historic valuations, and property records. Externally, I use Land Registry, planning portals, local authority websites, and commercial property databases. These sources help verify property characteristics, planning status, and market evidence.

Question 18

How do you ensure that the data you use from external sources is reliable?

Answer 18

I cross-check data from multiple sources and ensure it is current and relevant to the valuation date. I also consider the credibility of the source — for example, official government websites or regulated data providers — and document the source of any evidence used in my valuation reports.

Question 19

Why is it important to understand data protection frameworks such as the Data Protection Act 2018 and UK GDPR?

Answer 19

Understanding these frameworks ensures that I handle personal data lawfully and ethically. It helps me protect the rights of individuals, avoid legal breaches, and maintain public trust in the VOA. It also ensures that my work complies with both statutory obligations and RICS professional standards.

Question 20

What are the maximum fines for data breaches under UK GDPR and the Data Protection Act 2018?

Answer 20

There are two levels of fines: Standard maximum: £8.7 million or 2% of global annual turnover (whichever is higher) Higher maximum: £17.5 million or 4% of global annual turnover (whichever is higher) These fines depend on the severity of the breach and whether the organisation is considered an “undertaking”.

Question 21

What is the Commissioners for Revenue and Customs Act 2005 (CRCA 2005)?

Answer 21

CRCA 2005 is the legislation that established HM Revenue and Customs (HMRC) by merging the Inland Revenue and Customs & Excise. It outlines HMRC’s functions, including the operation of the Valuation Office Agency (VOA), and sets out strict rules around confidentiality, data handling, and disclosure of taxpayer information.

Question 22

How does CRCA 2005 relate to data management at the VOA?

Answer 22

CRCA 2005 imposes a statutory duty of confidentiality on all HMRC and VOA staff. It prohibits the disclosure of information held in connection with HMRC’s functions unless permitted by law. Disclosure is only allowed through legal gateways, with taxpayer consent, or in the public interest. Breaches can result in criminal sanctions.

Question 23

What safeguards are in place under CRCA 2005 to protect taxpayer data?

Answer 23

CRCA 2005 protects identifying information and restricts disclosure to authorised circumstances. It allows sharing only when: The taxpayer consents Disclosure supports HMRC’s functions A statutory gateway permits it It is in the public interest or ordered by a court These safeguards ensure that sensitive data is not misused or disclosed inappropriately.

Question 24

How does the Freedom of Information Act interact with CRCA 2005?

Answer 24

While the Freedom of Information Act (FOIA) allows public access to official information, CRCA 2005 exempts identifiable taxpayer data from disclosure under FOIA. This ensures that personal and sensitive data remains protected, even when transparency obligations apply.

Question 25

How do you ensure that sensitive property information is not shared inappropriately?

Answer 25

I follow internal VOA protocols and RICS guidance to ensure that sensitive property information is only shared with authorised individuals. I avoid including personal data unless necessary, use secure systems for storage and communication, and seek client consent when required. I also ensure metadata is reviewed before sharing documents externally.

Question 26

What is the difference between personal data and sensitive personal data under UK GDPR?

Answer 26

Personal data refers to any information that can identify an individual, such as names or addresses. Sensitive personal data includes more specific categories like health information, racial or ethnic origin, or political opinions. Handling sensitive data requires stricter safeguards and explicit consent under UK GDPR.

Question 27

How do you manage data when working remotely or in hybrid environments?

Answer 27

I ensure that all work is conducted on secure, encrypted devices provided by the VOA. I avoid using public Wi-Fi for accessing sensitive data, use VPNs where required, and follow remote working policies including secure storage and disposal of physical documents. I also maintain confidentiality during virtual meetings.

Question 28

What is your understanding of data minimisation and how do you apply it?

Answer 28

Data minimisation is a principle under UK GDPR that requires only collecting and processing the data necessary for a specific purpose. I apply this by avoiding the inclusion of unnecessary personal details in valuation reports and ensuring that only relevant data is retained and shared.

Question 29

How do you ensure version control when managing valuation documents?

Answer 29

I use structured file naming conventions and secure document management systems like EDRM to track versions. I ensure that only the latest approved version is used for reporting and that previous drafts are archived appropriately. This helps maintain accuracy and auditability.

Question 30

What is your understanding of the term ‘data portability’ under UK GDPR?

Answer 30

Data portability gives individuals the right to receive their personal data in a structured, commonly used format and to transfer it to another controller. While less common in valuation work, it’s important to understand this right when handling personal data, especially in client-facing roles.

Question 31

How do you ensure that data used in valuations complies with copyright laws?

Answer 31

I ensure that any third-party data or imagery used in valuations is either publicly available, licensed for use, or used with permission. I avoid reproducing proprietary content without consent and follow VOA and RICS guidance on intellectual property and copyright compliance.

Question 32

What is your understanding of profiling and automated decision-making under GDPR?

Answer 32

Profiling involves using personal data to evaluate aspects of an individual, such as behaviour or preferences. Automated decision-making refers to decisions made without human involvement. These practices are restricted under GDPR, especially where they have legal or significant effects, and require transparency and safeguards.

Question 33

How do you ensure that data is retained only for as long as necessary?

Answer 33

I follow VOA retention schedules and ensure that data is archived or deleted once it is no longer needed for operational or legal purposes. I avoid keeping duplicate records and regularly review stored data to ensure compliance with the storage limitation principle under UK GDPR.

Question 34

How do you contribute to a culture of data protection and professionalism within your team?

Answer 34

I lead by example in following data protection policies, raise awareness of best practices, and support colleagues in understanding their responsibilities. I also participate in training, report risks or breaches promptly, and encourage open discussion about data handling and ethical standards.