Security
With regard to the security of personal and sensitive personal data, the seventh data protection principle requires that:
‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.
The Act further states that “Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.”
Organisations should be aware of the potential risk to personal data that they hold and ensure that:
- Measures taken are appropriate in proportion to the detriment that could be caused to the data subjects and the nature of the information involved if their personal data were to be compromised;
- All staff and particularly those who have responsibility for the management and retention of information are trained on all relevant aspects of Data Protection to ensure that their information management is well targeted and effective.
This will help with the early identification and classification of personal data for retention or destruction.