Data Protection Good Practice
Security of personal information
This good practice article aims to alert small and medium-sized organisations to the security measures they should have in place to protect the personal information they hold. The Data Protection Act 1998 requires all organisations to have appropriate security to protect personal information against unlawful or unauthorised use or disclosure, and accidental loss, destruction or damage.
It is not intended to be, and cannot be, a comprehensive guide to all aspects of security in all circumstances and for all organisations. The British Standards Institute (BSI) has an information assurance standard that can be tailored to individual circumstances. The Department for Business, Innovation and Skills (BIS) has also produced guides and checklists which will help you to tailor your security measures to your needs. Their contact details are at the end of this note. However, this good practice note includes guidance on what the Data Protection Act requires in terms of security and takes into account our experience of where problems often occur.
We recognise that some organisations, particularly small and medium-sized ones, are less likely to have internal security expertise available. This guidance aims to help them decide what approach they should take to the security of the personal information they hold.
Crown Copyright © 2014