Consulting Ian Tighe Change Management Programme Advice


Data Protection

This series of articles has been about security for your PC or network of PCs. Much of the emphasis has been on making sure you protect your data because your customers and your business are important to you. There is, of course, another significant reason to protect certain types of data: the Data Protection Act (DPA).

If your business collects, stores or uses personal data of any description, whether it is yours or whether you process it for someone else, then you are in all probability under an obligation under the Data Protection Act 1998 to have in place security measures that will enable you to properly care for that data. Whilst it is always useful to have a reminder about DPA provisions, the purpose of this article is primarily to remind people about principle 7, which says that proper security is a legal requirement. Principle 7 says:

   "7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

This does not need much translation, but to assist in the interpretation of this principle the Act goes on to say:

The Seventh Principle

9. Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to-

    (a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

    (b) the nature of the data to be protected.

10. The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

11. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle-

    (a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

    (b) take reasonable steps to ensure compliance with those measures.

12. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless-

    (a) the processing is carried out under a contract-

        (i) which is made or evidenced in writing, and

        (ii) under which the data processor is to act only on instructions from the data controller, and

    (b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

Crown Copyright.

The technologies, processes and procedures referred to in these articles will help a small business achieve compliance with the Act. If you cannot put a tick in every box, then perhaps you need to arrange a DPA audit to understand where the shortfalls might be, so that you can go on to make good and achieve compliance.

If any help is needed in bringing this about, we would be pleased to provide the necessary assistance. Just click the contact link and get in touch.

The full set of DPA principles, taken from the Act:

SCHEDULE 1

THE DATA PROTECTION PRINCIPLES

PART I

THE PRINCIPLES

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-

    (a) at least one of the conditions in Schedule 2 is met, and

    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Crown Copyright.

Copyright © Consulting Ian Tighe 2005-2010.