The ICO exists to empower you through information.

Protect entry points using appropriate physical controls that mitigate the risk of unauthorised access to secure areas where you are processing personal and special category information.

Options to consider: 

  • Identify and risk assess areas that may require an increased level of security. 
  • Regularly test physical controls to gain assurances of their effectiveness.
  • Ensure entry points include a mixture of controls to maximise security (eg perimeter security and electronic access control systems).
  • Keep a record of the physical access rights assigned to staff. 
  • Monitor the granting of visitor and guest access.
  • Include the removal of physical access rights in the leavers’ checklist. 
  • Audit the record of physical access rights to ensure you revoke access when you should.

 

Implement controls to protect against external threats in secure areas, such as server rooms. 

Options to consider: 

  • Conduct risk assessments of secure areas and the equipment in them.
  • Implement controls such as fire detection and suppression systems, humidity sensors and physical access detection systems.
  • Maintain a log of all attempts to access secure areas to assess whether they are authorised.
  • Use additional electronic controls in secure areas, such as CCTV.

 

Position computers and devices displaying personal information in a way that reduces the risk of unauthorised access.

Options to consider: 

  • Use screen filters or privacy screens. 
  • Locate printers in a secure area to prevent unauthorised personnel accessing personal information.
  • Obstruct public-facing windows to prevent unauthorised personnel seeing into the office space.
  • Conduct regular physical checks to ensure staff are adhering to the process for positioning physical assets.
  • Document clear desk and clear screen requirements in policies and procedures. 
  • Communicate clear desk and clear screen requirements to all staff. 
  • Set screens to automatically lock after an appropriate period of time. 

 

Store physical records securely and control access to them.

Options to consider: 

  • Store physical records in lockable store rooms and filing cabinets. 
  • Document who has access to physical records, including who has access to keys, key cards or access codes for secure areas. 
  • Change access codes on a regular basis.
  • Conduct audits to assess whether access is revoked where required.