Security of Personal Data
"appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing"
- section 2(1)(d) of the Act
The security of personal information is all-important. It will be more significant in some situations than in others, depending on such matters as confidentiality and sensitivity. High standards of security are, nevertheless, essential for all personal information. Both "data controllers" and "data processors" must meet the requirement to keep data secure.
Appropriate security measures
In determining what security measures should be put in place in order to satisfy the requirements of section 2(1)(d), a number of factors may be taken into consideration:
- The state of technological development: measures must be reviewed over time.
- The cost of implementing the measures: larger organisations with greater resources can be expected to implement more advanced measures, or update measures more regularly, than smaller bodies.
- The harm that might result from unlawful processing: might someone be at a financial loss or be at risk of suffering injury as a result of disclosure or destruction of data?
- The nature of the data concerned: there is a greater duty of care relating to the processing of sensitive personal data.
A data controller or a data processor shall also ensure that staff are aware of the security measures. This requirement may be satisfied by having appropriate training in place.
They are also responsible for ensuring that staff comply with these measures. This requirement may be satisfied by the automatic generation of audit trails or logs, combined with some form of internal audit or review procedure.
The use of Data Processors
If a data controller uses a third party to process data, the processing of such data should be covered by contract. This contract should stipulate at least the following:
- the conditions under which data may be processed;
- the minimum security measures that the data processors must have in place;
- some mechanism or provision that will enable the data controller to ensure that the data processor is compliant with the security requirement. (This might include a right of inspection or independent audit.)
For more information on security requirements.
Keeping Personal Data Secure: Test Yourself
As a minimum standard, you should be able to answer YES to the following questions:
- Is access to your computers and manual files restricted to authorised staff only?
- Is access to the information restricted on a "need-to-know" basis in accordance with a defined policy?
- Are your computer systems password protected?
- Is information on screens kept hidden from callers to your offices?
- Have you a back-up procedure in operation, including off-site back-up?
- Are all waste papers, printouts, etc. disposed of carefully?
Compile a checklist of security measures for your own systems.
Some Case Studies relevant to this topic:
The following Case Studies, which have appeared in Annual Reports of the Data Protection Commissioner over recent years, may be of some interest.
- CASE STUDY 3/01 - Employee performance ratings disclosed to other staff - inadequate security
- CASE STUDY 6/00 - Financial institutions - Laser card - printing of home address on receipts - incompatible disclosure - adequate security
- CASE STUDY 2/99 - Life insurance company - retention by ex-employee of customer data - unauthorised access - obligation to take appropriate security measures
- CASE STUDY 1/98 - Employee data - appropriate security measures - disclosure
- CASE STUDY 6/96 - Inadequate security - position of computer screen in public area