Keep personal information secure

What does the legislation say?

3.1 You must keep personal information secure. To do this, you must have appropriate, proportionate security measures, and update them when needed.

3.2 To decide what measures are appropriate and proportionate, you must consider the same factors you do when you are demonstrating how you comply (see Demonstrate how you comply). However, you must also consider the available technology and the cost of security measures.

3.3 You must be able to restore personal information if there is a security incident as soon as possible (eg a backup system).

3.4 You must ask anyone acting on your behalf to demonstrate they can keep personal information secure (see Be clear about roles and responsibilities).

3.5 You must keep a record of personal information breaches and tell us as soon as possible if the breach is likely to cause harm to someone.

3.6 You must tell anyone affected by the breach if there is likely to be a high risk.

How do we comply?

3.7 The code’s guidance about demonstrating how you comply is also generally applicable to security (see Demonstrate how you comply).

Managing risks

3.8 To decide what security measures are appropriate and proportionate, you should consider significant risks and factors, such as: 

• your organisation’s premises and computer systems;
• who has access to personal information; and
• any personal information a third party uses on your behalf.

3.9 In some cases, a security breach could pose a risk to someone’s physical health and safety. For example, if a breach could identify a journalist’s confidential source. In that case, you should have strong security measures, including strict measures controlling access.

3.10 Reviewing and updating your security measures should include scanning for network vulnerabilities to prevent risks developing that compromise your security.

Implementing security measures

3.11 There are a wide range of low-cost and easy to implement cyber-security solutions. You should consider common techniques such as encryption and password protection. You should also secure physical locations.

Working flexibly and travel

3.12 Journalism often relies on remote working and portable devices. You should consider how you keep your IT equipment secure, especially portable media and devices. You should consider the increased security risks if you allow employees to work remotely or use their own devices for work purposes.

3.13 If your employees are travelling with personal information, you should train them to follow fundamental security advice and be aware of common security issues.