
Data security

The seventh data protection principle places an obligation on data controllers to ensure that there are adequate security measures in place to protect personal data.

The requirements of the DPA go beyond merely the physical way in which data is stored; they relate to the security of every aspect of your data processing.

Security measures must address the two risks identified in the seventh data protection principle:

  1. Unauthorised or unlawful processing of personal data, and
  2. Accidental loss or destruction of, or damage to, personal data.

What level of security is required?

According to the DPA, you should have security that is appropriate to:

  • The nature of the data;
  • The harm that might result from the improper use of the data; and
  • The harm that might result from the accidental loss or destruction of the data.

This means that sensitive personal data are likely to require greater security arrangements than mundane personal data.

It should be remembered that the security measures that are appropriate for an organisation will vary depending on the circumstances, therefore you must consider your information risk before deciding what level of security you need. This risk assessment should take account of factors such as:

  • The nature and extent of your organisation’s premises and computer systems;
  • The number of personnel who work at your organisation’s premises;
  • The extent of their access to the data; and
  • Any personal data held by a third party on your behalf.

What kind of security measures might be appropriate?

The DPA does not specify the particular security measures that you should have in place. You must decide what measures are appropriate depending on your circumstances. You should ensure that you have both physical and technological security and management and organisational security.

When determining what security measures are ‘appropriate’, technological developments and the costs involved can and should be considered. While state-of-the-art security technology is not needed, you should review your security arrangements in view of technological advances.

Physical and technological security

Measures could include:

  • Use of a SHIP Safe Haven to access and process data;
  • Technical security measures to protect computerised information;
  • Ensuring the quality of doors and locks and protecting your premises with alarms and CCTV;
  • Secure waste disposal;
  • Keeping portable equipment secure;
  • Supervising any visitors to the premises;
  • Encrypting electronic personal data.

Management and organisational security

Measures could include:

  • Use of a SHIP Safe Haven to access and process data;
  • Building a culture of security and awareness in your organisation;
  • Identifying an individual who is responsible on a day-to-day basis for data security;
  • Establishing a clear process of accountability;
  • Periodic checks to ensure that your organisation’s security measures remain appropriate and up to date;
  • Training staff to ensure they are familiar with the security measures in place and aware of their responsibilities;
  • Minimising the number of personnel who have access to personal data.

What to do if there is a security breach

The ICO recommends a four point breach management plan:

  1. Containment and recovery: the response should include a recovery plan and procedures for damage limitation.
  2. Assessing the risks: you should assess any risks associated with the breach; in particular, you should assess the possible adverse consequences for individuals, how serious these are, and how likely they are to happen.
  3. Notification of breaches: you must be clear about who needs to be notified about the breach and why. You should consider notifying any individuals concerned, the ICO or Scottish ICO, other regulatory bodies, or third parties such as the police.
  4. Evaluation and response: it is important that you investigate the causes of the breach and evaluate the effectiveness of your response to it.

For more information on the ICO’s security breach management plan, please click here.

Data security and SHIP

When accessing data through SHIP you will either use a Safe Haven or you will have the data transferred directly to you. If you are using a Safe Haven then the Safe Haven will be responsible for keeping the data secure. Indeed, one of the primary advantages of accessing data in a Safe Haven is the enhanced security that this provides for the data, and as such data controllers will often be more willing to give you access to their data if you agree to use a Safe Haven. Please use the link above to the information page on SHIP Safe Havens to view specific information on information security relating to accessing data via a Safe Haven.

However, if you have data transferred directly to you, you will be responsible for ensuring the security of that data, and for ensuring that the security measures you have in place are sufficient to comply with the seventh data protection principle.

For additional guidance from the ICO on the seventh data protection principle and data security, please click here.
