Because good research needs good data

Information Security Management: Using BS 10012:2009 to Comply with The Data Protection Act (1998)

By Sarah Higgins, Aberystwyth University 

Published: 12 August 2009

1. Security Standards and Digital Curation

The flexibility of digital information can be regarded as a great strength. As hardware and software develop, data can be created, accessed, edited, manipulated and shared with increasing ease. The corollary is that data is vulnerable to unauthorised access, alteration or manipulation, which without periodic checks can easily go undetected, and undermine its authoritative nature, and have implications for personal privacy. Successful digital curation ensures that data is managed and protected so that its authority is maintained and retained throughout the curation lifecycle.1 To be authoritative data needs to remain authentic, reliable and useable, while retaining its integrity.2 These characteristics of data can be preserved through the implementation of an effective information management systems. Without these characteristics data cannot be confidently reused, and there may be both short-term and long-term legal repercussions for mismanaging data.

  • Authentic data is what it purports to be, and was created by the purported person at the purported time
  • Reliable data can be trusted to contain what was actually created
  • Useable data can be located, retrieved, presented and interpreted
  • Data with integrity is complete and unaltered

The policies, procedures, human and machine resources which constitute an information management system should ensure that the CIA Triad3 — Confidentiality, Integrity and Availability — is maintained across an organisation's physical, personal and organisational layers. Confidentiality ensures that data is only available to those authorised to access it. Integrity ensures that data can only be altered by authorised persons. Availability demands that authorised persons can access data when they require.

  • Confidentiality ensures that data is only available to those authorised to access it
  • Integrity ensures that data can only be altered by authorised persons
  • Availability demands that authorised persons can access data when they require

Curators who maintain personal data, that is data that relates to any identifiable living individual, have specific obligations regarding security, which have to be complied with under the Data Protection Act, 1998 [external] (the DPA). It is important that UK curators of data, which includes any personal element, is familiar with the DPA, and engages in robust curation practices to ensure they remain within the law. The newly published standard BS 10012 recommends the implementation of a Personal Information Management System (PIMS) to ensure this, as part of an overall strategy for quality information management.

Back to top

2. The Data Protection Act, 1998 and BS 10012

The Data Protection Act, 1998 implements European Directive 95/46/EC, and sets out the rights individuals have over personal data, pertaining to themselves, which is held, processed or used by organisations. Personal data is defined by the DPA as "data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller".4

It also sets out the obligations which organisations have to manage personal data correctly. An organisation must designate a data controller to ensure that personal data processing complies with the 8 Data Protection Principles of good information handling (Table 1). Any organisation that deals with personal data needs to register their activities with the Information Commissioner, who enforces the legislation.5 The DPA and its implications for digital curation are fully explained in the DCC Briefing Paper on Data Protection.

The DPA contains no framework for ensuring compliance and, until now, each organisation has had to develop their own. Recent high profile data security breaches, and the resulting prosecution for these, have highlighted the difficulty organisations have in developing the appropriately robust technological and organisational systems required to ensure that their data remains secure and is processed according to relevant legal constraints.

BS 10012:2009 Data Protection — Specification for a Personal Information Management System: an Implementation Methodology aims to address this gap by establishing a best practice framework for maintaining and improving a Personal Information Management System (PIMS), to improve compliance with the DPA, as part of an overall information management infrastructure. However, following the standard does not guarantee that all the legal obligations of the DPA are fulfilled, so implementers should also be aware of the contents of the DPA, and take guidance from the Information Commissioner. Other UK legislation regarding personal information, which is not considered by the standard, should also be considered when managing personal data, such as the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002.

Back to top

3. Functionality

BS 10012 is based on the Plan-Do-Check-Act (PDCA) model for continuous quality control and improvement.6 As such the standard is consistent with other management system standards endorsed by ISO (International Organization for Standardization)7, enabling integrated implementation and interoperation of a PIMS with systems such as an Information Security Management System (ISMS) as recommended for security by the ISO 27k series of standards (see Standards Watch 6: Information Security Management: The ISO 27000 (ISO 27k) Series). A PIMS should be regularly monitored through internal audit, and subject to management reviews, with preventive and corrective action taken to ensure continual improvement.

The standard gives a step-by-step guide to planning and documentation, implementation, maintenance and continual improvement of a PIMS, to provide direction and support compliance with the DPA.

A PIMS should be established with a defined set of scope and objectives, and be backed by a robust management policy. Specifications for what should be included in this are given. An accountable and responsible manager (the data controller) should be appointed to undertake and maintain the implementation. Sufficient resources, and suitably qualified, experienced and trained personnel should be made available, and awareness of the significance of the PIMS raised across the organisation. Details of personnel's day-to-day duties, to ensure DPA compliance, are given and approaches suggested for managing these in large or complex organisations. Methods to ensure the correct classification of personal data (called personal information in BS 10012) are given as well as pointers to ensure that the PIMS is subject to risk assessment procedures, is kept up-to-date and incorporates procedures to trigger appropriate notifications to be forwarded to the Information Commissioner. The standard identifies best practice for complying with each of the 8 Data Protection Principles (detailed in Table 1) and specifies the need for: procedures to deal with disclosure of personal data to third parties; sub-contraction of processing; and ongoing technological maintenance.

Table 1: The 8 Data Protection Principles which Apply to all Personal Data
DPA's  8 Data Protection Principles8

BS 10012:2009 — Best practice for complying with the DPA’s 8 Data Protection Principles

Personal data must be:

Procedures must be in place to ensure that:

1. Fairly and lawfully processed
The data subject must be informed that:

  • their data is being collected
  • what the data will be used for
  • who holds their information
  • who the data controller is
  • given an indication of how long the data will be kept
  • given information on any disclosure to any third parties

Personal information is processed fairly and lawfully and that the legal grounds for processing of personal information have been clearly identified before processing commences, including methods for:

  • collection and processing of personal information
  • recording and retaining privacy notices and statements
  • delivery of privacy notices and statements prior to data collection
  • accessibility of privacy notices and statements
  • collection of data from third parties

2. Obtained only for specified purposes and not further processed in a manner incompatible with those purposes
The data controller:

  • needs to know what he intends to do with collected data
  • must not use data for purposes that it was not collected for

Personal information is obtained only for one or more specified purposes, and is not further processed in any manner incompatible with that purpose or those purposes, including:

  • legal grounds for processing are established
  • consent to using data for new purposes is demonstrated
  • consent for data sharing is documented
  • notification and consent is given for data matching

3. Adequate, relevant and not excessive
The data controller is obliged to ensure that the information collected is:

  • adequate and relevant to fulfil the purpose for which it was collected
  • is not excessive in relation to the proposed use at the time, irrespective of whether additional information could be useful in the future

Personal information is adequate, relevant and not excessive by:

  • undertaking regular reviews of technology and processes
  • ensuring procedures to make sure irrelevant or excessive data is not processed
4. Accurate and up-to-date
The data must be kept accurate and up-to-date. The purpose for which the data is used will be relevant in deciding whether updating of the data is necessary.

Personal information is accurate and, where necessary, kept up-to-date, including:

  • procedures and staff training to ensure accuracy
  • methods for data subjects to challenge accuracy, and have the data corrected
  • passing on corrections to third parties
  • review of new systems for accuracy

5. Not kept longer than necessary
The data controller is obliged to:

  • keep the data only for the time for which the information is necessary to perform the operation for which it was collected

Personal information is not kept for longer than is necessary by:

  • developing and implementing retention schedules
  • ensuring secure disposal procedures
6. Processed in line with the rights afforded to individuals under the legislation, including the right of subject access
The data subject has rights and data must only be processed in accordance with these rights.

The rights of individuals are respected, including:

  • time limits for dealing with requests for information
  • methodologies for complaints and appeals about the enquiry process

7. Kept secure
The data controllers must take appropriate measures (technical and organisational) against:

  • unauthorised or unlawful access to personal data
  • accidental loss or destruction of personal data.

Personal information is protected against loss or damage and unauthorized or unlawful processing by the implementation of appropriate technical and organisational security measures, including:

  • implementation of appropriate security controls with reference to BS ISO/IEC 27001
  • secure storage and handling
  • secure transmission
  • appropriate access controls
  • routine security assessments and improvements where necessary
  • management, and documentation of security incidents, and appropriate notification to the Information Commissioner.

8. Not transferred to countries outside the European Economic Area (EEA)* without adequate protection.
The transfer of personal data is limited to countries within the European Economic Area (EEA). The transfer of personal data outside the EEA is not permitted unless the country has an adequate level of protection.

Personal information has an adequate level of protection where is transferred or processed outside the EEA, for example:

  • writing conditions into contracts
  • ensuring the credentials of organisations e.g. that a US organisation has certified its compliance with the US Federal Trade Commission as being compliant with the Safe Harbor principles
  • establishing whether the country or territory has been assessed by the European Commission as providing adequate protection
  • carrying out due diligence on the transfer organisation develop procedures to ensure knowledge of the law and initiatives are up to date
  • develop procedures for ensuring sub-contractors work to model contracts.

*The EEA (at the time of publication of BS 10012:2009) consists of the Member States of the European Union plus Norway, Iceland and Liechtenstein.

Back to top

4. Benefits

Using BS 10012 to help curate personal data can bring a number of benefits to an organisation:

  • Compliance with the standard can help to ensure that an organisation is not negligent regarding the DPA, and thus open to action by the Information Commissioner's Office
  • Compliance with the standard will enable an organisation to ensure that their PIMS is fit for purpose
  • Appropriate processes and procedures for personal data management will be defined, documented and embedded in practice
  • Personal data security issues, and mitigation of associated risks, will be identified, managed monitored and improved in a planned manner
  • Demonstration of organisational commitment to personal data security, will assist in adequate allocation of resources, identification of roles and responsibilities and appropriate training
  • Long-term planning will minimise the risk of unauthorised access, security breaches or data leaks, ensuring the rights of data subjects are not compromised
  • Appropriate responses to any unauthorised access, security breaches or data leaks will be planned to minimise their impact
  • There will be increased confidence that an organisation is managing personal data appropriately as they will be able to demonstrate that they are using recognised best practice
  • An awareness of the extent and content of personal data holdings is needed to ensure compliance with the DPA. Such awareness will improve long-term curation. The Data Asset Framework tool can be used to audit personal data, or data with a personal element before preparing for compliance with the standard.
  • Compliance with the standard can help to ensure that procedures and activities for managing personal data are developed and documented as a pre-cursor to external certification activities based on risk management. These include ISO 27001 certification of an Information Security Management System; self-audit of a repository against DRAMBORA (Digital Repository Audit Method Based on Risk Assessment); and possible future repository certification against the forthcoming "Metrics for Digital Repository Audit and Certification" [external] document.

Back to top

5. Implementations

BS 10012 is applicable to any organisation, whatever the size, in both the public and private sectors. It is meant for use by anyone within an organisation responsible for initiating, implementing or maintaining a PIMS. The standard was published in May 2009, so is not yet being embedded in UK practice, but with data security currently high profile, take up is likely to be good. The standard went through a rigorous comments process before publication, but like the related standard ISO 27001, it is possible that further iterations will be necessary before it is widely accepted by the community. Currently organisations handling health information must adhere to the Caldicott Principles, which are based on the DPA's 8 Data Protection Principles. Other organisations can sign up to the Information Commissioner's Personal Information Promise, a voluntary charter which enables them to demonstrate their commitment to data protection at senior management level. It is possible that, in the future, an organisation will be able to certify against BS 10012 to achieve accreditation, demonstrating not only commitment to, but compliance with, the DPA.

Back to top

6. Additional Resources

Back to top

1 See the DCC Curation Lifecycle Model (accessed 12 March 2009).
2 The characteristics of an authoritative record as defined by ISO 15489: Information and Documentation - Records Management.
3 More information in the Wikipedia entry on Information Security (accessed 14 August 2009).
4 Data Protection Act, 1998, Part 1 — Preliminary: Basic Interpretative Provisions.
5 The Information Commissioner has offices in England, Wales, Scotland and Northern Ireland to enable differences in relevant legislation across the United Kingdom to be addressed. Further information on the work of the Information Commissioner can be found at: http://www.ico.gov.uk/
6 Also known as the Deming Cycle or Shewhart Cycle. See more information on Wikipedia [external] (accessed 12 March 2009).
7 These include ISO 9001 (Quality Management Systems); ISO 14001 (Environmental Management Systems); ISO/IEC 27001 (Information Security Management Systems); ISO/IEC 20000 (IT Service Management).
8 This column is paraphrased from: Madhavan, M (2007), Data Protection Overview, JISC Legal Information.

Back to top