Seventh Principle - measures against misuse and loss of data

"Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing, accidental loss or destruction of, or damage to, personal data"

Security of personal data is a matter of public concern and not simply a technical compliance issue.

If personal data is not properly safeguarded, this can seriously damage an organisation’s reputation and prosperity and can compromise the safety and trust of individuals.

Data controllers must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised.

There is no “one size fits all” solution to information security. The “appropriate” security measures will depend on an organisation’s circumstances, so a risk-based approach to deciding what level of security you need should be adopted.

In particular, you will need to:

  • design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
  • be clear about who in your organisation is responsible for ensuring information security;
  • make sure you have the right physical and technical security, backed up by robust policies and procedures:
  • ensure that staff are reliable, aware of their responsibilities and receive regular, appropriate training, and
  • be ready to respond to any breach of security swiftly and effectively.

Complying with the seventh data protection principle

The requirements of the seventh principle go beyond the way information is stored or transmitted and relates to the security of every aspect of your processing of personal data, including deletion and the disposal of equipment and devices. It also applies to the method of supplying personal data in response to a subject access request.

The security measures you put in place should seek to ensure that:

  • only authorised people can access, alter, disclose or destroy personal data;
  • those people only act within the scope of their authority; and
  • if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned.

The security measures should be appropriate to:

  • the nature of the information in question; and
  • the harm that might result from its improper use, or from its accidental loss or destruction.

The Act does not define “appropriate”. But it does say that an assessment of the appropriate security measures in a particular case should consider technological developments and the costs involved. The Act does not require  state-of-the-art security technology to protect the personal data you hold, but security arrangements should be regularly reviewed, particularly in light of technology advances or change in business practices, such as introducing 'bring your own device' (BYOD).

The level of security depends on the risks to the individuals and the organisation. 

What is the position when a data processor is involved?

Organisations may use third party “data processors” to process personal data on their behalf. This often causes security problems.

Particular care is needed because the organisation (and not the data processor) will be held responsible under the Data Protection Act for what the data processor does with the personal data.

The Act contains special provisions that apply in these circumstances. It says that, where you use a data processor:

  • you must choose a data processor that provides sufficient guarantees about its security measures to protect the processing it will do for you;
  • you must take reasonable steps to check that those security measures are being put into practice; and
  • there must be a written contract setting out what the data processor is allowed to do with the personal data. The contract must also require the data processor to take the same security measures you would have to take if you were processing the data yourself.

What should I do if there is a security breach?

If, despite the security measures you take to protect the personal data you hold, a breach of security occurs, it is important that you deal with the security breach effectively.