On 2 June 2009, following several months of consultation and debate, the British Standards Industry (BSI) published BS10012 (the Standard) for the management of personal information within organisations, aimed at assisting compliance with the UK Data Protection Act 1998 (the Act).
The Standard is a framework to aid both public and private organisations in establishing best practice rules and compliance with the Act. Rather than prescribe specific measures, the Standard captures agreed good practice whilst leaving organisations free to innovate and gain a competitive advantage en route to creating a tailored management system.
What does BS10012 do?
The draft Standard was criticised for merely echoing the Data Protection Principles and the Act. However, the published framework does more than simply recast the Act; it provides a governance framework targeted at an organisation's management. Pursuing a top-down approach ensures long-term planning to minimise the risk of non-compliance, rather than solely plugging existing shortfalls in compliance. In effect, it is a useful prompt for organisations to conduct a root-and-branch review of their data mapping and risk assessment structures. Given the recent spate of high-profile public data protection breaches, simply leaving organisations to formulate their own structures seems to have been less effective. The launch of the Standard is therefore timely.
The Standard was presented to the Data Protection Forum on launch day by Shirley Bailey-Wood, the Operations Director at BSI, who highlighted these concerns. Ms Bailey-Wood explained that the Standard provides a framework for assessing, maintaining and improving compliance with legislation and good practice. This should allow organisations to demonstrate that they handle data in a structured and responsible way.
With technology advancing at a rapid pace, new challenges in the handling of personal information frequently open up entirely new ways of making information available to third parties. Coupled with the fragmented patchwork of European data privacy laws - which in itself has led to compliance inefficiencies within organisations - this makes the systematic, standardised approach provided by the Standard seem worthwhile.