RICS draft professional statement - Data handling and prevention of cybercrime

2 Mandatory requirements

This professional statement has been developed to raise the standards expected of the modern surveyor in a data-driven world.

1 RICS regulated firms must conduct and document an assessment of the risks to personal and client data associated with their work and processes, review this assessment at least annually, and set and document data controls to mitigate the risks they have identified.

2 RICS regulated firms must define, maintain and adhere to a data retention policy detailing the length of time for which data is stored.

3 RICS regulated firms must ensure that the purpose for which the data is being kept is recorded, including whether the data would be considered personal data, sensitive personal data or client data.

3 RICS regulated firms must ensure that a record of data processing activities involving the use of client data is kept, along with any records of documented activities involving personal data and/or sensitive personal data.

4 RICS regulated firms must have knowledge of the location of any data and the relevant jurisdictional regulations governing that location. This is particularly relevant for any personal data or client data that is stored offsite or that is replicated in data centres in distant locations.

5 RICS regulated firms must take reasonable steps to ensure all suppliers that will process personal data or client data conform to national legislation concerning data handling in both the originating region and the region in which the supplier is located.

6 RICS regulated firms must demonstrate the appointment of a person responsible for enquiries and controls pertaining to data handling.

7 RICS members must follow controls and protections put in place by an employer.

8 RICS regulated firms must use passwords to control access to computers and/or mobile devices used for work purposes.

9 RICS regulated firms must ensure the storage of online data and the provision of online services are protected by a firewall at all times.

10 RICS regulated firms must use antimalware and antivirus software at all times.

11 RICS regulated firms must enforce the use of data encryption when processing sensitive personal data, and must use strong encryption (128-bit or above) and/or security protocols such as SSL/TLS, SSH or IPsec to safeguard sensitive personal data or cardholder data during transmission over insecure networks.

12 RICS regulated firms must put controls in place to protect against fraud and cyberattacks when the data involved relates to payment details, by having accounting or work procedures in place that require authentication of payment details through a second, different method of contact with the client or supplier.

13 RICS regulated firms must ensure that all personal data, sensitive data or client data, however held, is inaccessible to those who should not have access to it at any time. If in written form, it must be kept separate and secure, in locked storage, to the satisfaction of the data handling representative or another senior independent person. This policy contributes to the separation of information required by Conflicts of interest (1st edition), RICS professional statement, Part 1, section 3.

14 RICS regulated firms must create regular data backups.

15 RICS members must consider whether they or their employer has appropriate IT security protections in place for the personal data and client data that they handle as part of their work, and if necessary take additional reasonable steps to protect that data.

16 RICS regulated firms must ensure that the use of any client data is acceptable through appropriate contractual clauses, or that any such data used in the act of performing a measurement, calculation or valuation is owned or licensed for such use.

17 RICS regulated firms must obtain consent to store and process personal data, sensitive personal data and client data through following the correct procedures in all instances.

18 RICS regulated firms must be able to demonstrate this consent, and data pertaining to individuals must only be held for as long as is necessary (documented in a data retention policy) unless other contractual or legal obligations apply.

19 RICS regulated firms must ensure an appropriate record of any necessary consent by the respective data subjects is maintained for data handling and data processing, and that policies relating to personal or private data also apply to any use of client data.

20 RICS regulated firms must ensure that appropriate data handling regulators (see appendix A) are notified in the event of a significant data breach within specified timescales, where required by legislation.

21 RICS regulated firms must consider whether RICS and/or affected data subjects should be notified of a significant data breach, either because it is required by legislation or because of the risks arising from the breach. Where notification is necessary, this must be done promptly, and usually within 72 hours of becoming aware of the breach.

22 An RICS regulated firm must keep records of any data breach alongside a documented data breach policy. These records must include a detailed consideration of whether any notifications were necessary and confirmation of any notifications made, and must be made available for subsequent review on request by RICS.

23 In the event of any data breach, RICS members must adhere to any legislation and policies set by their employers. They must ensure that the relevant data handling representative has been notified and that the breach is reported as soon as is practicable, where this is required by legislation or policies, or the member considers it is necessary.

24 An RICS member must report a significant data breach to the appropriate data handling regulator and/or to RICS if the firm in which they work has failed to make a report that the RICS member believes is necessary due to a legislative requirement or the level of risk arising from the data breach.

25 RICS members must report concerns about appropriate controls on data handling to senior staff members.

These mandatory requirements represent what is considered to be an acceptable standard of performance for RICS members and regulated firms.