Depending on your business, your surveying firm may collect various types of data from different sources.
You might collect personal data from:
Personal data is any information that can identify an individual, including name, address, date of birth, etc. as well as images captured on photos or CCTV. It also includes reference numbers; for example, if you allocate case numbers to individuals you work with/represent.
Firms also collect confidential but not personal information from clients and others; for example, information that is not in the public domain about companies rather than individuals you act for, or information about individual properties or contract terms that is private or commercially sensitive. You may also have data from other sources such as valuation databases or information collected by CCTV cameras, which may or may not be personal data.
You should consider what you are using all confidential information for. It is good practice to take the following steps.
Also think about whether it is right to use information in the way you intend. Could there be damage to people, or to the reputation of your firm? Just because you can collect and use information does not mean you should. And just because you hold it for one purpose does not mean you can automatically use it for another purpose.
Think about whether there are any risks to individuals or whether you are doing something they wouldn’t reasonably expect with their information. For example, you might find that you can collect and use personal information to deliver your services under a contract, but if you want to send these people marketing information in the future, you might need to collect their consent. Different purposes may require different actions to be taken before you can use the information.
In 2020, Barclays were criticised by employees, HR professionals and privacy campaigners when it introduced computer software to monitor how long staff spent at their desks.
A source at Barclays said the tool was used to monitor the ‘effectiveness’ of people’s time. However, the bank faced a backlash from staff when the software was piloted in its investment banking division in London. According to the newspaper City AM, the system told staff to ‘avoid breaks’ and recorded activities such as toilet visits as ‘unaccounted activity’, leaving staff concerned about leaving their desk to take toilet or lunch breaks. Following media interest, Barclays said that they had always intended to listen to feedback from colleagues about the pilot and that the tracking system had been scrapped. (Sources: BBC, Barclays scraps 'Big Brother' staff tracking system and City AM, Exclusive: Barclays installs Big Brother-style spyware on employees’ computers)
Sometimes there are reasons why a firm might need to share information that would otherwise be confidential; for example, legal responsibilities, regulatory disclosures or whistleblowing duties. If you know that these could arise, give appropriate information about them to clients and other individuals. The most obvious example for an RICS-regulated firm is the obligation to provide information to RICS if it is reasonably required during a review or investigation. You should inform your clients that this is a possibility and take whatever actions are appropriate to comply with the legal requirements in your jurisdiction.
In most jurisdictions, data-protection legislation sets requirements for how you collect, use, store and share personal information, regardless of its type. You may also need to be registered with your local data-protection supervisory authority because you are responsible and accountable for the personal information you collect and use.
Some types of personal data are particularly sensitive because of the damage and distress it can cause if lost or misused (e.g. bank details). It may also require additional protection under data-protection legislation; for example, information about people’s health or race/ethnicity.
This advice provides some basic information about data-protection principles, but it doesn’t cover all the responsibilities and accountabilities you will have under relevant legislation. You need to ensure that you understand and comply with the legislation relevant to you and your jurisdiction. Legislation can also reach across borders; for example, General Data Protection Regulation (GDPR) requirements apply to the data of European Economic Area (EEA) citizens in the UK.
Many national regulators provide guidance and advice online which is kept up to date with legislative changes. See for example:
Where you collect and/or process personal data about anyone, you may be legally required to provide some information to the individuals whose data you hold. Even where it is not a requirement, it is good practice to do so. Usually, you should tell individuals:
Personal data-protection legislation generally requires that those who collect and use personal information have a specific and lawful reason for doing so, and that this reason is shared with those whose information is being used. Even where this isn’t required by law, it is good practice. The lawful reasons for which personal information can be used vary slightly depending on the legal requirements in your jurisdiction.
After the first COVID-19 lockdown in England, RICS firms began to visit homes to provide surveying services at a point when government guidance required that anyone with COVID symptoms should stay at home and that no work should be done in a home where someone was isolating.
Firms therefore needed to know:
This information is sensitive personal data about people’s health. Firms therefore needed a proper purpose to collect and use the data and to meet one of the special conditions for processing sensitive data.
After consulting with the Information Commissioner's Office, RICS provided advice for firms, which advised that different legal bases would apply for staff data and home-occupier data.
RICS also advised that firms should very carefully consider:
This demonstrates why firms need to carefully consider the bases on which they are allowed to process data. They can be different when collecting very similar data from different groups of people.
More information is available in the advice note.