If storing, retaining and disposing of data, the surveyor should refer to the contract and should:
01. If the contract stipulates that the surveyor can keep a copy of the data for warranty or professional indemnity purposes, follow the storage security requirements in the contract (for example, maintaining Cyber Essentials, Cyber Essentials Plus or ISO 27001 certification). Retain the data securely for the contract period plus the length of the warranty - no longer. Once this period is reached, securely dispose of all data connected to the contract.
02. If the contract stipulates that the surveyor cannot retain a copy of the survey data, prepare a manifest of the data for the client to verify and consider using a secure digital signature to verify the manifest against data delivery.
03. Be conscious of staff changes and remain alert to any risks that new staff coming into the company could pose with open access to archived sensitive data.
04. If using an escrow holding arrangement for third-party data, appraise the validity of this arrangement annually.
05. If the contract allows for any data to be shared by the surveyor with a third party, consider how this data will be managed by other users and be mindful that it can be sold onwards. Ensure all personally identifiable or potentially commercially or security-sensitive data is obfuscated or removed before being received by any third party.
06. If the contract allows for the data to be used by the survey company for internal audit or training purposes, ensure all personally identifiable or potentially commercially or security-sensitive data is obfuscated or removed before being used in this way.
07. Maintain a security-minded culture throughout the survey company:
■ Make the management of security risks a key part of all surveying activity and decision-making.
■ Keep abreast of legal requirements relating to privacy and data protection, and other security-related laws, codes and standards.
■ Keep security procedures and processes simple and appropriate, and not inhibitive of appropriately controlled data sharing.
■ Enable workers at all levels to challenge and report potential vulnerabilities and suggest opportunities for increased security.
Prepared by the Utilities and Subsurface Mapping Panel of the Chartered Institution of Civil Engineering Surveyors
Lead authors: Janos Dobsi FCInstCES MBA and Dr Neil Brammall CEng MIGEM FCInstCES FRGS
Advice from Alexandra Luck CEng FICE FCIHT MCSFS, Hugh Boyes CEng FIET CISSP and the Centre for the Protection of National Infrastructure
Thanks to members of the Utilities and Subsurface Mapping Panel and Ian Levens for their oversight