Data Protection Good Practice

Recommended good practice

The following information is intended to act as a guide or prompt to consider what action is appropriate in the circumstances of the organisation concerned to protect the personal information they hold.

1 What have you got? How valuable or sensitive is it?

One of the first things any organisation needs to do is review what personal information it controls, whether it processes that information itself or has it processed by someone acting on its behalf.

  • How valuable, sensitive or confidential is the information?

  • What damage or distress could be caused to individuals if there was a security breach?

  • What effect would a security breach have on your organisation? In cost? To your reputation? To the trust of your customers or clients?

This will help you assess what security measures you need to have in place.

For example:

If you only have information that is publicly available then your security measures will focus more on protecting your premises, equipment, and any interruption of business a security breach could cause. If you have highly sensitive or confidential personal information, for example, about people’s health or finances that could cause them damage or distress if this information fell into the hands of others, you will need to concentrate on any potential threat to the information and the vulnerabilities of your security measures.

2 Who is in charge?

Someone in an organisation has to have day-to-day responsibility for security measures: discussing with senior colleagues what measures should be adopted, writing procedures for staff to follow, organising training for staff, checking that staff follow the procedures and that the measures work, monitoring change, and investigating security incidents. Otherwise it will not get done, and your security will quickly become flawed and out of date.

3 Security measures

What security you need will depend on your own circumstances. This will include the personal information you have and how you need to use it for your business, your premises, computer systems, how many staff you have and what access they have to personal information and so on. You will need to consider the following subjects in the light of this.

Crown Copyright © 2014
