Data Protection Good Practice

Organisational measures

You will need to decide what organisational changes you need to make, if any.

  • Has a risk assessment been carried out that takes account of what it is you need to protect, the type of security problems that could occur, and the effectiveness of your current security measures? This should then inform what changes you are going to make.

  • Does the person with responsibility for security have the standing and resources to make sure the job gets done? Any security manager needs backing from the top.

  • Do you have an overall security policy?

  • Are there security procedures in place for staff to follow?

  • Is there co-ordination between key people in the organisation? For example, the security manager will certainly need to know about the commissioning and disposal of any new IT equipment.

  • Are checks made that people are taking their security responsibilities seriously?

  • Is there a procedure to make sure security incidents are investigated and lessons are learned?

  • Is access given to anyone outside the organisation, for example, for computer maintenance? Are you clear about what they need access to and why, and what security you need to have in place to oversee what they do?

  • Using another organisation to process personal information is a situation that often causes security problems. You need to be very careful about this because you take the legal responsibility for what they do with the personal information they handle for you. For example, you could receive claims for compensation under the Data Protection Act from someone who has suffered damage as a result of their lack of security. And if you use another organisation to process personal information for you, there are steps laid down in the Data Protection Act which you must take.

    • You must choose an organisation that offers you guarantees about the security of the processing they will do for you.

    • You must have a written contract with them that sets out what you allow them to do with the information. At a minimum you would expect the contract to be clear about their use and disclosure of the information. The contract must also require them to have in place security measures that are the equivalent of those you would need if you were doing the job for yourself.

    • You must take reasonable steps to check that the organisation is taking those security measures.

  • Have you made business continuity arrangements that identify how to protect and recover the personal information you hold?

  • Do you check your compliance with legal obligations such as copyright or licensing requirements?

  • Do you do periodic checks of your security arrangements to make sure that they are still appropriate and up to date?

Crown Copyright © 2014
