Requirements on Data Security
Data Protection Principle (DPP) 4(1) of Schedule 1 to the PDPO requires a data user to take “all practicable steps
” to ensure that any personal data held by it is protected against unauthorised or accidental access, processing, erasure, loss or use having particular regard to:
the kind of data and the harm that could result if any of those things should occur;
the physical location where the data is stored;
any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored;
any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and
any measures taken for ensuring the secure transmission of the data.
According to section 2(1) of the PDPO, “practicable
” is defined as “reasonably practicable
”. It is incumbent upon a data user to show that, in the event of personal data breaches, all reasonably practicable steps have already been taken to safeguard the security of personal data. What “reasonably practicable
” steps are will hinge on the facts of each case.
Other Relevant Requirements
While DPP 4 creates an explicit legal requirement on the security of personal data, other provisions of the PDPO also have a bearing on data security. On the cardinal principle of data minimisation, DPP 1(1) provides that only an adequate but not excessive amount of personal data should be collected in relation to the purpose for which data is collected. It can be generally understood that the lesser amount of data is collected or held by a data user in the first place, the lesser exposure to security risk there may be in future.
On data retention, DPP 2(2) requires a data user to take “all practicable steps
” to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data is or is to be used. Similarly, section 26 of the PDPO requires a data user to take “all practicable steps
” to erase such personal data when the data is no longer required (subject to prescribed exceptions). Implementing data retention policies to ensure the timely deletion of personal data that is no longer needed can help reduce the risk of data breaches. The less data held by a data user, the less exposure to attack and vulnerability.
DPP 2(3) and DPP 4(2) require data users to adopt contractual or other means to ensure that any data processor engaged by them also complies with similar requirements in respect of data security and data retention.