Skip to content

Data handling

Data handling

Types of data

Depending on your business, your surveying firm may collect various types of data from different sources.

You might collect personal data from:

  • employees
  • clients
  • prospective clients
  • tenants of properties you manage or
  • third parties involved in matters where you are providing a service.

Personal data is any information that can identify an individual, including name, address, date of birth, etc. as well as images captured on photos or CCTV. It also includes reference numbers; for example, if you allocate case numbers to individuals you work with/represent.

Firms also collect confidential but not personal information from clients and others; for example, information that is not in the public domain about companies rather than individuals you act for, or information about individual properties or contract terms that is private or commercially sensitive. You may also have data from other sources such as valuation databases or information collected by CCTV cameras, which may or may not be personal data.

Data ethics

You should consider what you are using all confidential information for. It is good practice to take the following steps.

  • Think about whether the information you hold is personal information, sensitive personal information or confidential information from clients or other stakeholders.
  • Document the purposes for which you are allowed to hold the information and the processes for gaining consent, if applicable.
  • Keep a record of consent (where needed) for processing, storage and retention.
  • Check if you have appropriate contractual clauses for use of the information or that data used for measurement, valuation, calculations, analysis, etc. is owned or licensed for that use.

Also think about whether it is right to use information in the way you intend. Could there be damage to people, or to the reputation of your firm? Just because you can collect and use information does not mean you should. And just because you hold it for one purpose does not mean you can automatically use it for another purpose.

Think about whether there are any risks to individuals or whether you are doing something they wouldn’t reasonably expect with their information. For example, you might find that you can collect and use personal information to deliver your services under a contract, but if you want to send these people marketing information in the future, you might need to collect their consent. Different purposes may require different actions to be taken before you can use the information.

Case study: employee data

In 2020, Barclays were criticised by employees, HR professionals and privacy campaigners when it introduced computer software to monitor how long staff spent at their desks.

A source at Barclays said the tool was used to monitor the ‘effectiveness’ of people’s time. However, the bank faced a backlash from staff when the software was piloted in its investment banking division in London. According to the newspaper City AM, the system told staff to ‘avoid breaks’ and recorded activities such as toilet visits as ‘unaccounted activity’, leaving staff concerned about leaving their desk to take toilet or lunch breaks. Following media interest, Barclays said that they had always intended to listen to feedback from colleagues about the pilot and that the tracking system had been scrapped. (Sources: BBC, Barclays scraps 'Big Brother' staff tracking system and City AM, Exclusive: Barclays installs Big Brother-style spyware on employees’ computers)

Sometimes there are reasons why a firm might need to share information that would otherwise be confidential; for example, legal responsibilities, regulatory disclosures or whistleblowing duties. If you know that these could arise, give appropriate information about them to clients and other individuals. The most obvious example for an RICS-regulated firm is the obligation to provide information to RICS if it is reasonably required during a review or investigation. You should inform your clients that this is a possibility and take whatever actions are appropriate to comply with the legal requirements in your jurisdiction.

Personal data protection

In most jurisdictions, data-protection legislation sets requirements for how you collect, use, store and share personal information, regardless of its type. You may also need to be registered with your local data-protection supervisory authority because you are responsible and accountable for the personal information you collect and use.

Some types of personal data are particularly sensitive because of the damage and distress it can cause if lost or misused (e.g. bank details). It may also require additional protection under data-protection legislation; for example, information about people’s health or race/ethnicity.

This advice provides some basic information about data-protection principles, but it doesn’t cover all the responsibilities and accountabilities you will have under relevant legislation. You need to ensure that you understand and comply with the legislation relevant to you and your jurisdiction. Legislation can also reach across borders; for example, General Data Protection Regulation (GDPR) requirements apply to the data of European Economic Area (EEA) citizens in the UK.

Many national regulators provide guidance and advice online which is kept up to date with legislative changes. See for example:

Privacy notices

Where you collect and/or process personal data about anyone, you may be legally required to provide some information to the individuals whose data you hold. Even where it is not a requirement, it is good practice to do so. Usually, you should tell individuals:

  • what information you have
  • what the information will be used for
  • which third parties you might share the information with (and why)
  • how long you will keep the information for and
  • what legal rights they have.

This is generally achieved by writing a privacy notice or privacy policy, and making it easily accessible, for example on your website. But don’t just rely on a privacy notice: consider if it would be helpful to give more specific and timely information, such as when someone registers with you or signs a contract. 

You can find instances of privacy policies on many organisations’ websites. See the RICS privacy policy as an example.

Using data for proper purposes

Personal data-protection legislation generally requires that those who collect and use personal information have a specific and lawful reason for doing so, and that this reason is shared with those whose information is being used. Even where this isn’t required by law, it is good practice. The lawful reasons for which personal information can be used vary slightly depending on the legal requirements in your jurisdiction.

Case study: different rules for different purposes

After the first COVID-19 lockdown in England, RICS firms began to visit homes to provide surveying services at a point when government guidance required that anyone with COVID symptoms should stay at home and that no work should be done in a home where someone was isolating.

Firms therefore needed to know:

  • whether any of their staff that might visit a house had COVID symptoms and
  • whether anyone in that house was isolating.

This information is sensitive personal data about people’s health. Firms therefore needed a proper purpose to collect and use the data and to meet one of the special conditions for processing sensitive data.

After consulting with the Information Commissioner's Office, RICS provided advice for firms, which advised that different legal bases would apply for staff data and home-occupier data.

  • For data about employees, firms were likely to be able to rely on their legitimate interests and the employment condition (though they needed to carry out a legitimate interests risk assessment before starting).
  • However, for data about home occupiers, the appropriate basis was explicit consent.

RICS also advised that firms should very carefully consider:

  • what information they needed to record about this health data
  • who should have access to the data and
  • how long the data needed to be kept for.

This demonstrates why firms need to carefully consider the bases on which they are allowed to process data. They can be different when collecting very similar data from different groups of people.

More information is available in the advice note.