Definition

Data management legislation is the body of law that regulates how organisations collect, hold, use, share and dispose of information, with particular emphasis on personal data. In the UK, the primary framework is the Data Protection Act 2018, which implements and supplements the UK General Data Protection Regulation (UK GDPR). The Information Commissioner's Office (ICO) is the independent supervisory authority responsible for enforcing data protection law in the UK.

Why this matters for Data Management

  • Level 1 knowledge: you must be able to name the key UK statutes and explain their relevance to a surveying practice.
  • Failure to comply with data protection law can result in ICO enforcement action, civil claims from data subjects and reputational damage.
  • Surveyors regularly handle personal data — client details, tenant records, employee information — and cannot avoid these obligations.
  • The Freedom of Information Act 2000 applies to public authority clients; surveyors working for local authorities or government bodies must understand its implications.
  • The Building Safety Act 2023 has introduced new information obligations for higher-risk buildings that all surveyors in those sectors must understand.

Key principles

UK GDPR and the Data Protection Act 2018

UK GDPR is built around six data protection principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. Organisations must have a lawful basis for processing — consent, contract, legal obligation, vital interests, public task or legitimate interests — and must demonstrate which applies. Fines for serious breaches can reach £17.5 million or 4% of global annual turnover.

Freedom of Information Act 2000

The Freedom of Information Act 2000 (FOIA) gives the public a right of access to information held by public authorities. Surveyors advising public bodies must understand that project information and correspondence may be disclosable unless an exemption applies. Commercial sensitivity is a qualified exemption that may protect tender prices, but the public interest test must be applied. The Environmental Information Regulations 2004 operate similarly for environmental information.

Building Safety Act 2023 — the golden thread

The Building Safety Act 2023 introduced the "golden thread of information" for higher-risk buildings (principally residential buildings above 18 metres). The accountable person must maintain a digital record of structural and fire safety information throughout the building's operational life. For surveyors involved in the design, construction or management of higher-risk buildings, maintaining and handing over the golden thread is a statutory obligation.

Relevant RICS guidance and legislation

  • Data Protection Act 2018 / UK GDPR — the primary framework for personal data; applies to all surveying organisations regardless of size.
  • Freedom of Information Act 2000 — governs access to information held by public authorities; relevant to surveyors advising or employed by public bodies.
  • Environmental Information Regulations 2004 — parallel access regime for environmental information held by public authorities.
  • Building Safety Act 2023 — introduces the golden thread obligation for higher-risk buildings.
  • RICS Rules of Conduct (effective 2 February 2022) — Rule 4 (Respect) and Rule 5 (Responsibility) together require members to handle data lawfully and with care for the interests of those to whom it relates.

Ethics and Rules of Conduct angle

Compliance with data management legislation is an expression of the Responsibility and Respect rules. A surveyor who handles client or third-party data carelessly — retaining it longer than necessary, sharing it without authority, or failing to secure it — is showing disrespect for the individuals to whom that data relates, and is failing their duty of responsibility to act in accordance with the law. The ICO has made clear that accountability is not passive: organisations must be able to demonstrate their compliance. For RICS members, regulatory compliance is part of what it means to act with integrity.

APC-style Q&As

Q (Level 1): What are the six data protection principles under UK GDPR?

Lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. A seventh overarching principle — accountability — requires the organisation to be able to demonstrate compliance with the other six.

Q (Level 1): Which regulatory body enforces data protection law in the UK?

The Information Commissioner's Office (ICO) is the independent supervisory authority responsible for enforcing the Data Protection Act 2018 and UK GDPR. It can issue enforcement notices, conduct investigations and impose fines of up to £17.5 million or 4% of global annual turnover for the most serious breaches.

Q (Level 2): How does the Freedom of Information Act 2000 affect a surveyor advising a local authority client?

Any information held by the local authority — including advice, reports and correspondence provided by the surveyor — may be subject to a freedom of information request. The authority must respond within 20 working days. Commercially sensitive information such as tender prices may be exempt under the commercial interests exemption, but the public interest test must be applied. I would flag any commercially sensitive documents at the outset and advise the client how to handle a potential FOI request.

Q (Level 2): What is the golden thread of information and who is responsible for maintaining it?

The golden thread is the digital record of structural and fire safety information for a higher-risk building, introduced by the Building Safety Act 2023. It must be maintained throughout the building's operational life by the accountable person — typically the building owner or principal leaseholder — and must include design and construction information, change records and any information necessary to understand and manage the building's safety.

Q (Level 3): You discover that a colleague has been emailing a spreadsheet of tenant personal data to a third-party agent without checking whether the firm has a lawful basis for doing so. What steps do you take?

This is a potential personal data breach. I would first speak to the colleague and establish the facts: what data was shared, with whom, on what dates and in what context. I would then escalate immediately to the data protection officer or senior management. If confirmed as a breach without a lawful basis, the firm must assess reportability — if there is a risk to individuals' rights and freedoms, it must be reported to the ICO within 72 hours. The third-party agent should be asked to confirm deletion of the data. The incident must be recorded in the firm's data breach register regardless of whether it is reportable.