This part of the guide offers an overview of what the Data Protection Act requires in terms of security, and aims to help you decide how to manage the security of the personal data you hold. We cannot provide a complete guide to all aspects of security in all circumstances and for all organisations, but this part identifies the main points. We also provide details of other sources of advice and information about security.
There is no “one size fits all” solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, so you should adopt a risk-based approach to deciding what level of security you need.
In brief – what does the Data Protection Act say about information security?
The Data Protection Act says that:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively.
In more detail…
- Why should I worry about information security?
- What needs to be protected by information security arrangements?
- What level of security is required?
- What kind of security measures might be appropriate?
- What is the position when a data processor is involved?
- What should I do if there is a security breach?
- What other sources of information and advice are there?
Why should I worry about information security?
Information security breaches may cause real harm and distress to the individuals they affect – lives may even be put at risk. Examples of the harm caused by the loss or abuse of personal data (sometimes linked to identity fraud) include:
- fake credit card transactions;
- witnesses at risk of physical harm or intimidation;
- offenders at risk from vigilantes;
- exposure of the addresses of service personnel, police and prison officers, and women at risk of domestic violence;
- fake applications for tax credits; and
- mortgage fraud.
Not all security breaches have such grave consequences, of course. Many cause less serious embarrassment or inconvenience to the individuals concerned. Individuals are entitled to be protected from this kind of harm as well.
Advances in technology have enabled organisations to process more and more personal data, and to share information more easily. This has obvious benefits if they are collecting and sharing personal data in accordance with the data protection principles, but it also gives rise to equally obvious security risks. The more databases that are set up and the more information that is exchanged, the greater the risk that the information will be lost, corrupted or misused.
A number of high-profile losses of large amounts of personal data have brought attention to the issue of information security. These incidents have also made it clear that information security is an issue of public concern, not merely one of technical compliance. If personal data is not properly safeguarded, this can seriously damage an organisation’s reputation and prosperity and can compromise the safety of individuals.
What needs to be protected by information security arrangements?
It is important to understand that the requirements of the Data Protection Act go beyond the way information is stored or transmitted. The seventh data protection principle relates to the security of every aspect of your processing of personal data.
So the security measures you put in place should seek to ensure that:
- only authorised people can access, alter, disclose or destroy personal data;
- those people only act within the scope of their authority; and
- if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned.
What level of security is required?
The Act says you should have security that is appropriate to:
- the nature of the information in question; and
- the harm that might result from its improper use, or from its accidental loss or destruction.
The Act does not define “appropriate”. But it does say that an assessment of the appropriate security measures in a particular case should consider technological developments and the costs involved. The Act does not require you to have state-of-the-art security technology to protect the personal data you hold, but you should regularly review your security arrangements as technology advances. As we have said, there is no “one size fits all” solution to information security, and the level of security you choose should depend on the risks to your organisation.
So, before deciding what information security measures you need to take, you will need to assess your information risk: you should review the personal data you hold and the way you use it to assess how valuable, sensitive or confidential it is, and what damage or distress could be caused to individuals if there were a security breach.
Example: An organisation holds highly sensitive or confidential personal data (such as information about individuals’ health or finances) which could cause damage or distress to those individuals if it fell into the hands of others. The organisation’s information security measures should focus on any potential threat to the information or to the organisation’s information systems.
This risk assessment should take account of factors such as:
- the nature and extent of your organisation’s premises and computer systems;
- the number of staff you have;
- the extent of their access to the personal data; and
- personal data held or used by a third party on your behalf (under the Data Protection Act you are responsible for ensuring that any data processor you employ also has appropriate security).
What kind of security measures might be appropriate?
The Data Protection Act does not define the security measures you should have in place. However, sector-specific security requirements that apply within particular industries may impose standards or require specific measures. In general terms, which security measures are appropriate will depend on your circumstances, but there are several areas you should focus on. Physical and technological security is likely to be essential, but is unlikely to be sufficient of itself. Management and organisational security measures are likely to be equally important in protecting personal data.
Management and organisational measures
Carrying out an information risk assessment is an example of an organisational security measure, but you will probably need other management and organisational measures as well. You should aim to build a culture of security and awareness within your organisation.
Perhaps most importantly, it is good practice to identify a person or department in your organisation with day-to-day responsibility for security measures. They should have the necessary authority and resources to fulfil this responsibility effectively.
Example: The Chief Executive of a medium-sized organisation asks the Director of Resources to ensure that the organisation has appropriate information security measures, and to make regular reports on security to the organisation’s board. The Resources department takes responsibility for designing and implementing the organisation’s security policy, writing procedures for staff to follow, organising staff training, checking whether security measures are actually being adhered to, and investigating security incidents.
Unless there is clear accountability in your organisation for such security measures, they will probably be overlooked and your organisation’s overall security will quickly become flawed and out of date.
Not every organisation will need a formal information security policy – this will depend on things like the size of the organisation, the amount and nature of the personal data it holds, and the way it uses the data. Whether or not these matters are written into a formal policy, all organisations will need to be clear about them, and about related matters such as the following:
- co-ordination between key people in the organisation (for example, the security manager will need to know about commissioning and disposing of any IT equipment);
- access to premises or equipment given to anyone outside the organisation (for example, for computer maintenance) and the additional security considerations this will generate;
- business continuity arrangements that identify how to protect and recover any personal data the organisation holds; and
- periodic checks to ensure that the organisation’s security measures remain appropriate and up to date.
It is vital that your staff understand the importance of protecting personal data; that they are familiar with your organisation’s security policy; and that they put its security procedures into practice. So you must provide appropriate initial and refresher training, and this should cover:
- your organisation’s duties under the Data Protection Act and restrictions on the use of personal data;
- the responsibilities of individual staff members for protecting personal data, including the possibility that they may commit criminal offences if they deliberately try to access, or to disclose, information without authority;
- the proper procedures to use to identify callers;
- the dangers of people trying to obtain personal data by deception (for example, by pretending to be the person whom the information is about or by making “phishing” attacks) or by persuading you to alter information when you should not do so; and
- any restrictions your organisation places on the personal use of its computers by staff (to avoid, for example, virus infection or spam).
The effectiveness of staff training is dependent on the individuals concerned being reliable in the first place. The Data Protection Act requires you to take reasonable steps to ensure the reliability of any staff who have access to personal data.
Example: An organisation verifies the identity of its employees when they are recruited by asking to see passports or driving licences before they start work. It also obtains appropriate references to confirm their reliability. The organisation’s standard contract of employment sets out what staff can and cannot do with the personal data they have access to.
Physical security
Technical security measures to protect computerised information are of obvious importance. However, many security incidents relate to the theft or loss of equipment, or to old computers or hard-copy records being abandoned.
Physical security includes things like the quality of doors and locks, and whether premises are protected by alarms, security lighting or CCTV. However, it also includes how you control access to premises, supervise visitors, dispose of paper waste, and keep portable equipment secure.
Example: As part of its security measures, an organisation ensures that information on laptop computers issued to staff is protected by encryption, and that desktop computer screens in its offices are positioned so that they cannot be viewed by casual passers-by. Paper waste is collected in secure bins and is shredded on site at the end of each week.
Computer security
Computer security is constantly evolving, and is a complex technical area. Depending on how sophisticated your systems are and the technical expertise of your staff, you may need specialist information-security advice that goes beyond the scope of this guide. A list of helpful sources of information about security is provided at the end of this chapter. You should consider the following guiding principles when deciding on the more technical side of information security.
- Your computer security needs to be appropriate to the size and use of your organisation’s systems.
- As noted above, you should take into account technological developments, but you are also entitled to consider costs when deciding what security measures to take.
- Your security measures must be appropriate to your business practices. For example, if you have staff who work from home, you should put measures in place to ensure that this does not compromise security.
- The measures you take must be appropriate to the nature of the personal data you hold and to the harm that could result from a security breach.
For further information, see our IT security top tips or read our more detailed guidance:
- IT asset disposal for organisations (pdf) – guidance to help organisations securely dispose of old computers and other IT equipment;
- A practical guide to IT security: ideal for the small business (pdf);
- Bring your own device (BYOD) (pdf) – guidance for organisations that want to allow staff to use personal devices to process personal data the organisation is responsible for;
- Guidance on the use of cloud computing (pdf) – this guidance covers how the security requirements of the DPA apply to personal data processed in the cloud; and
- Encryption – advice on the use of encryption to protect personal data.
What is the position when a data processor is involved?
Organisations may use third-party data processors to process personal data on their behalf (see Key definitions of the Data Protection Act – Who has rights and obligations under the Data Protection Act? for the definition of this term). This arrangement often gives rise to security problems. Particular care is needed because the organisation (and not the data processor) will be held responsible under the Data Protection Act for what the data processor does with the personal data.
The Act contains special provisions that apply in these circumstances. It says that, where you use a data processor:
- you must choose a data processor that provides sufficient guarantees about its security measures to protect the processing it will do for you;
- you must take reasonable steps to check that those security measures are being put into practice; and
- there must be a written contract setting out what the data processor is allowed to do with the personal data. The contract must also require the data processor to take the same security measures you would have to take if you were processing the data yourself. A model data processing contract has been published by the European Committee for Standardization.
What should I do if there is a security breach?
If, despite the security measures you take to protect the personal data you hold, a breach of security occurs, it is important that you deal with the security breach effectively. The breach may arise from a theft, a deliberate attack on your systems, the unauthorised use of personal data by a member of staff, or accidental loss or equipment failure. However the breach occurs, you must respond to and manage the incident appropriately. Having a policy on dealing with information security breaches is another example of an organisational security measure you may have to take to comply with the seventh data protection principle.
There are four important elements to any breach-management plan:
1. Containment and recovery – the response to the incident should include a recovery plan and, where necessary, procedures for damage limitation.
2. Assessing the risks – you should assess any risks associated with the breach, as these are likely to affect what you do once the breach has been contained. In particular, you should assess the potential adverse consequences for individuals; how serious or substantial these are; and how likely they are to happen.
3. Notification of breaches – informing people about an information security breach can be an important part of managing the incident, but it is not an end in itself. You should be clear about who needs to be notified and why. You should, for example, consider notifying the individuals concerned; the ICO; other regulatory bodies; other third parties such as the police and the banks; or the media.
4. Evaluation and response – it is important that you investigate the causes of the breach and also evaluate the effectiveness of your response to it. If necessary, you should then update your policies and procedures accordingly.
These issues are considered in greater detail in our guidance on data security breach management (pdf). We have also produced Notification of data security breaches to the ICO (pdf) and Notification of PECR security breaches (pdf). These provide guidance on:
- the circumstances in which we expect organisations to notify us of security breaches;
- the information we need in those circumstances; and
- what organisations can expect us to do after they notify us.