Cardholder data

Relevant banking card details including name, account number and expiry date.

Client data

Non-public, non-personal data or information pertinent to an independent entity, such as a building or company, that may be used to undertake measurements, valuations or other calculations.


Compliance

Refers to the level of conformance to a given set of standards, legislative, regulatory and other authoritative requirements.


Data

Information collected for reference or analysis.

Data breach

The intentional or unintentional release of personal or client data into an untrusted environment.

Data handling

Any activity that relates to the storage, archiving, processing or deletion of data in a safe and secure manner.

Data handling representative

An individual responsible for ensuring that data is used appropriately and the relevant control measures have been implemented.

Data processing

A subset of data handling that comprises the series of operations carried out on data in order to present, interpret or obtain information.

Data subject

An individual who is the subject of personal data.

Insecure network

Any network containing public or untrusted devices not managed and maintained internally, or by a trusted third party.

Internal network

Any network containing devices managed and maintained by the company or a trusted third party that only directly communicates with other internal networks, secure networks and/or perimeter networks.

Perimeter network

Any network containing devices managed and maintained by the company or a trusted third party that communicates directly with devices on an insecure network, internal/secure network or other perimeter networks.

Personal data

Any information that relates to an identified, or identifiable, living individual.

Penetration testing

An authorised, simulated cyberattack on a computer system, performed to evaluate the security of the system.


Phishing

A fraudulent attempt to obtain sensitive information via email or other electronic communication while disguised as a trustworthy entity.

Principal position

A role in an RICS-regulated firm that falls within the definition of a principal in the Rules for the Registration of Firms.

Secure network

Any network that is managed and maintained by a company or individual and contains devices that store, process or transmit data protected by firewalls, intrusion detection systems, antivirus software and, optimally, threat management components.

Sensitive personal data

A special category of personal data, which may include detailed information about an individual including matters such as religion, sexual orientation or genetic data, and when processed may uniquely identify an individual.

Significant data breach

A personal data breach that is deemed important enough to warrant reporting to the relevant authority under local legislation, or a data breach involving client data that is deemed important enough to warrant reporting to RICS.

Subject access request

A request allowing an individual to obtain information about data being held about them, in order to ensure its lawfulness and accuracy. This includes:

  • the personal data an organisation holds on the individual
  • confirmation it has been processed and
  • supplementary information (often detailed in an organisation's privacy policy).

System administrator

A person who is responsible for the upkeep, configuration, and reliable operation of computer systems and multi-user computers, such as servers.

Technology infrastructure

The physical and virtual resources that support the flow, storage, processing and analysis of data in its digital form.

User privileges

The rights that define user access to data and functionality on servers and applications.

Virtual Private Network (VPN)

A VPN extends an internal network across an insecure network through the use of internet tunnelling protocols, often employing encryption to secure the data being transmitted.