On 2 June 2009 the British Standards Institution (BSI) published the first British Standard on the management of personal data. BSI 10012:2009 Data Protection Specification for a Personal Information Management System was developed by experts from industry, government, academia and consumer groups with the aim of establishing best practice and aiding compliance with data protection legislation. The Standard provides a framework designed to help businesses establish effective personal data management systems. It is designed for use by organisations of any size and in any sector to establish tailored procedures in areas such as training and awareness, risk assessment, data sharing, retention and disposal of data and disclosure to third parties.

THE NEW STANDARD

Organisations can use the new Standard to develop a personal information management system (PIMS) as a data protection compliance and good practice framework. This will involve allocating responsibility to a senior management team for issuing and maintaining the compliance policy and commitment to managing compliance. The Standard lists 15 policy commitments. These include commitments to process personal data only where “strictly necessary for legitimate organisational purposes” and providing “clear information to individuals about how their personal information will be used and by whom”. The Standard also requires organisations to ensure that the member of senior management is accountable for managing personal information. Additionally one or more people should be designated as responsible for compliance with the policy on a day to day basis. Their duties will include maintaining an inventory for all categories of personal information processed, demonstrating competence in understanding data protection legislation and good practice and reviewing the PIMS in light of changes to the organisation’s requirements and/or technology. The Standard calls for an ongoing education and awareness programme for all workers within an organisation along with a process for evaluating its effectiveness.

Other elements that should be covered by an organisation’s PIMS include:

  • Procedures for maintaining records of privacy notices and online privacy statements
  • Provision of any privacy notice or online privacy statement required to be given to the individual to be made available to the individual prior to any personal information being collected
  • An audit programme which monitors and reviews data handling
  • Complaints procedures and an appeal process

Larger organisations and those processing high-risk personal data will also be expected to implement regular audits by external parties.

COMMENT

To promote the new Standard the BSI on the same day published the results of a survey of over 500 small and medium sized businesses which revealed that almost 20 per cent had unwittingly breached the Data Protection Act 1998 (DPA). The survey also found that 65 per cent of businesses provide no data protection training for their staff and nearly half of those surveyed had no-one in their business with specific responsibility for data protection.

As the Information Commissioner’s Office (ICO) looks forward to greater enforcement powers, in particular the power to fine organisations directly under new section 55A of the DPA, organisations would do well to implement a best practice framework of a kind described in the new Standard. The ICO has already suggested that an organisation’s implementation of best practice procedures, and particularly those derived from ICO guidance, will be taken into account when it exercises its powers under section 55A. Businesses should therefore take note of how the ICO responds to initiatives such as the new Standard and the Personal Data Guardianship Code recently published by the Information Security Awareness Forum and the British Computer Society which also reviews and promotes best practice and provides guidance on the handling of personal data.