The Seventh Data Protection Principle
Security of personal data is a matter of public concern and not simply a technical compliance issue. If personal data is not properly safeguarded, this can seriously damage an organisation’s reputation and prosperity and can compromise the safety and trust of individuals.
"Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing, accidental loss or destruction of, or damage to, personal data"
This means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised.
There is no “one size fits all” solution to information security. The “appropriate” security measures will depend on an organisation’s circumstances, so a risk-based approach to deciding what level of security you need should be adopted.
In particular, you will need to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable:
- ensure that staff are reliable, aware of their responsibilities and receive regular, appropriate training, and
- be ready to respond to any breach of security swiftly and effectively.
Complying with the seventh data protection principle
It is important to understand that the requirements of the Data Protection Act go beyond the way information is stored or transmitted. The seventh data protection principle relates to the security of every aspect of your processing of personal data, including deletion and the disposal of computers and associated devices.
The security measures you put in place should seek to ensure that:
- only authorised people can access, alter, disclose or destroy personal data;
- those people only act within the scope of their authority; and
- if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned.
The security measures should be appropriate to:
- the nature of the information in question; and
- the harm that might result from its improper use, or from its accidental loss or destruction.
The Act does not define “appropriate”. But it does say that an assessment of the appropriate security measures in a particular case should consider technological developments and the costs involved. The Act does not require you to have state-of-the-art security technology to protect the personal data you hold, but you should regularly review your security arrangements as technology advances.
The level of security you choose should depend on the risks to your organisation.
What kind of security measures might be appropriate?
The Act does not define the security measures you should have in place. However, particular industries may impose certain standards or require specific security measures.
In general terms, the appropriateness of security measures will depend on your circumstances, but there are several areas you should focus on.
- Physical and technological security is likely to be essential, but is not sufficient alone.
- Management and organisational security measures are equally important in protecting personal data.
To decide what information security measures you need to take, you should assess your information risk: you should review the personal data you hold and the way you use it to assess how valuable, sensitive or confidential it is, and what damage or distress could be caused to individuals if there were a security breach.
A risk assessment should take account of factors such as:
- the nature and extent of your organisation’s premises and computer systems;
- the number of staff you have; • the extent of their access to the personal data; and
- personal data held or used by a third party on your behalf (under the Data Protection Act you are responsible for ensuring that any data processor you employ also has appropriate security).
Our “Data Protection Audit – self-assessment toolkit” contains a section on the security of personal data, which may provide further guidance.
Physical and technological security
Technical security measures to protect computerised information are of obvious importance. However, many security incidents relate to the theft or loss of equipment, or to old computers or hard-copy records being abandoned.
Physical security
Physical security includes things like the quality of doors and locks, and whether premises are protected by alarms, security lighting or CCTV. However, it also includes how you control access to premises, supervise visitors, dispose of paper waste, and keep portable equipment secure.
Technological security
Computer security is a constantly evolving, complex, technical area. Depending on how sophisticated your systems are, and the technical expertise of your staff, you may need specialist information security advice.
You should consider the following guiding principles when deciding the more technical side of information security:
- Your computer security needs to be appropriate to the size and use of your organisation’s systems;
- You should take into account technological developments, but you are also entitled to consider costs when deciding what security measures to take;
- Your security measures must be appropriate to your business practices. For example, if you have staff who work from home, you should put measures in place to ensure that this does not compromise security;
- Appropriate security measures should include the use of portable devices and media;
- The measures you take must be appropriate to the nature of the personal data you hold and to the harm that could result from a security breach.
Management and organisational security
Carrying out an information risk assessment is an example of an organisational security measure, but you will probably need other management and organisational measures as well.
Most data losses occur through human failings. You should aim to build a culture of security and awareness within your organisation.
Unless there is clear accountability in your organisation for such measures, they may be overlooked and your organisation’s overall security will quickly become flawed and out of date. Importantly, it is good practice to identify a person or department in your organisation with day-to-day responsibility for security measures. They should have the necessary authority and resources to fulfil this responsibility effectively.
To decide what information security measures you need to take, you should assess your information risk: you should review the personal data you hold and the way you use it to assess how valuable, sensitive or confidential it is, and what damage or distress could be caused to individuals if there were a security breach.
A risk assessment should take account of factors such as:
- the nature and extent of your organisation’s premises and computer systems;
- the number of staff you have;
- the extent of their access to the personal data; and
- personal data held or used by a third party on your behalf (under the Data Protection Act you are responsible for ensuring that any data processor you employ also has appropriate security).
Not every organisation will need a formal information security policy – this will depend on things like the size of the organisation, the amount and nature of the personal data it holds, and the way it uses the data.
Whether or not these matters are written into a formal policy, all organisations will need to be clear about them, and about related matters such as the following:
- co-ordination between key people in the organisation (for example, the security manager will need to know about commissioning and disposing of any IT equipment);
- access to premises or equipment given to anyone outside the organisation (for example, for computer maintenance) and the additional security considerations this will generate;
- business continuity arrangements that identify how to protect and recover any personal data the organisation holds; and
- periodic checks to ensure that the organisation’s security measures remain appropriate and up to date.
- understand the importance of protecting personal data;
- are familiar with the organisation’s security policy; and
- put the security procedures into practice.
You should provide staff with appropriate initial and refresher training that should include:
- your organisation’s duties under the Act and restrictions on the use of personal data;
- the responsibilities of individual staff members for protecting personal data, including the possibility that they may commit criminal offences if they deliberately try to access, or to disclose, information without authority;
- the proper procedures to use to identify callers;
- the dangers of people trying to obtain personal data by deception (for example, by pretending to be the person whom the information is about or by making “phishing” attacks) or by persuading you to alter information when you should not do so; and
- any restrictions your organisation places on the personal use of its computers by staff (to avoid, for example, virus infection or spam).
What is the position when a data processor is involved?
Organisations may use third party “data processors” to process personal data on their behalf. This often causes security problems.
Particular care is needed because the organisation (and not the data processor) will be held responsible under the Data Protection Act for what the data processor does with the personal data.
The Act contains special provisions that apply in these circumstances. It says that, where you use a data processor:
- you must choose a data processor that provides sufficient guarantees about its security measures to protect the processing it will do for you;
- you must take reasonable steps to check that those security measures are being put into practice; and
- there must be a written contract setting out what the data processor is allowed to do with the personal data. The contract must also require the data processor to take the same security measures you would have to take if you were processing the data yourself.
What should I do if there is a security breach?
If, despite the security measures you take to protect the personal data you hold, a breach of security occurs, it is important that you deal with the security breach effectively.
The breach may arise from a theft, a deliberate attack on your systems, from the unauthorised use of personal data by a member of staff, or from accidental loss or equipment failure.
However the breach occurs, you must respond swiftly and manage the incident appropriately. Having a policy on dealing with information security breaches is another example of an organisational security measure you may have to take to comply with the seventh data protection principle.
There are four important elements to any breach-management plan:
- Containment and recovery – the response to the incident should include a recovery plan and, where necessary, procedures for damage limitation.
- Assessing the risks – you should assess any risks associated with the breach, as these are likely to affect what you do once the breach has been contained. In particular, you should assess the potential adverse consequences for individuals; how serious or substantial these are; and how likely they are to happen.
- Notification of breaches – informing people about an information security breach can be an important part of managing the incident, but it is not an end in itself. You should be clear about who needs to be notified and why. You should, for example, consider notifying the individuals concerned; the ICO; other regulatory bodies; other third parties such as the police and the banks; or the media.
- Evaluation and response – it is important that you investigate the causes of the breach and also evaluate the effectiveness of your response to it. If necessary, you should then update your policies and procedures accordingly.
For further information, please see our guidance on managing a data security breach.
For a print version of this page, please click here.
To download these documents you will need the Adobe Acrobat Reader. This is available free of charge from Adobe by using the following link:
| Title | File Size | Format | Document Title |
|---|---|---|---|
| Basic information security measures | (43 kb) | Acrobat PDF File | Basic information security measures |
| Cloud Computing | (43 kb) | Acrobat PDF File | Cloud Computing |
| Data Protection Audit - self-assessment toolkit | (410 kb) | Acrobat PDF File | Data Protection Audit - self-assessment toolkit |
| Managing a data security breach | (65 kb) | Acrobat PDF File | Managing a data security breach |
Material on the Data Protection Supervisor's site is independent of that hosted by the Isle of Man Government and is protected by copyright. The copyright owner is the Isle of Man Data Protection Supervisor. You may not make alterations or additions to the material on this site, or sell it or misappropriate it. Material may be downloaded or copied for personal use. However, appropriate acknowledgement of the copyright owner is required if material is re-published in any format.
