Information Security Management: Using BS 10012:2009 to Comply with The Data Protection Act (1998)
By Sarah Higgins, Aberystwyth University
Published: 12 August 2009
- Security Standards and Digital Curation
- The Data Protection Act, 1998 and BS 10012
- Additional Resources
The flexibility of digital information can be regarded as a great strength. As hardware and software develop, data can be created, accessed, edited, manipulated and shared with increasing ease. The corollary is that data is vulnerable to unauthorised access, alteration or manipulation, which without periodic checks can easily go undetected, undermine its authoritative nature, and have implications for personal privacy. Successful digital curation ensures that data is managed and protected so that its authority is maintained and retained throughout the curation lifecycle.1 To be authoritative, data needs to remain authentic, reliable and useable, while retaining its integrity.2 These characteristics of data can be preserved through the implementation of an effective information management system. Without these characteristics data cannot be confidently reused, and there may be both short-term and long-term legal repercussions for mismanaging data.
- Authentic data is what it purports to be, and was created by the purported person at the purported time
- Reliable data can be trusted to contain what was actually created
- Useable data can be located, retrieved, presented and interpreted
- Data with integrity is complete and unaltered
The policies, procedures, human and machine resources which constitute an information management system should ensure that the CIA Triad3 — Confidentiality, Integrity and Availability — is maintained across an organisation's physical, personal and organisational layers:
- Confidentiality ensures that data is only available to those authorised to access it
- Integrity ensures that data can only be altered by authorised persons
- Availability demands that authorised persons can access data when they require
Curators who maintain personal data, that is data that relates to any identifiable living individual, have specific obligations regarding security, which have to be complied with under the Data Protection Act, 1998 [external] (the DPA). It is important that UK curators of data which includes any personal element are familiar with the DPA, and engage in robust curation practices to ensure they remain within the law. The newly published standard BS 10012 recommends the implementation of a Personal Information Management System (PIMS) to ensure this, as part of an overall strategy for quality information management.
The Data Protection Act, 1998 implements European Directive 95/46/EC, and sets out the rights individuals have over personal data, pertaining to themselves, which is held, processed or used by organisations. Personal data is defined by the DPA as "data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller".4
It also sets out the obligations which organisations have to manage personal data correctly. An organisation must designate a data controller to ensure that personal data processing complies with the 8 Data Protection Principles of good information handling (Table 1). Any organisation that deals with personal data needs to register their activities with the Information Commissioner, who enforces the legislation.5 The DPA and its implications for digital curation are fully explained in the DCC Briefing Paper on Data Protection.
The DPA contains no framework for ensuring compliance and, until now, each organisation has had to develop their own. Recent high profile data security breaches, and the resulting prosecution for these, have highlighted the difficulty organisations have in developing the appropriately robust technological and organisational systems required to ensure that their data remains secure and is processed according to relevant legal constraints.
BS 10012:2009 Data Protection — Specification for a Personal Information Management System: an Implementation Methodology aims to address this gap by establishing a best practice framework for maintaining and improving a Personal Information Management System (PIMS), to improve compliance with the DPA, as part of an overall information management infrastructure. However, following the standard does not guarantee that all the legal obligations of the DPA are fulfilled, so implementers should also be aware of the contents of the DPA, and take guidance from the Information Commissioner. Other UK legislation regarding personal information, which is not considered by the standard, should also be considered when managing personal data, such as the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002.
BS 10012 is based on the Plan-Do-Check-Act (PDCA) model for continuous quality control and improvement.6 As such the standard is consistent with other management system standards endorsed by ISO (International Organization for Standardization)7, enabling integrated implementation and interoperation of a PIMS with systems such as an Information Security Management System (ISMS) as recommended for security by the ISO 27k series of standards (see Standards Watch 6: Information Security Management: The ISO 27000 (ISO 27k) Series). A PIMS should be regularly monitored through internal audit, and subject to management reviews, with preventive and corrective action taken to ensure continual improvement.
The standard gives a step-by-step guide to planning and documentation, implementation, maintenance and continual improvement of a PIMS, to provide direction and support compliance with the DPA.
A PIMS should be established with a defined set of scope and objectives, and be backed by a robust management policy. Specifications for what should be included in this are given. An accountable and responsible manager (the data controller) should be appointed to undertake and maintain the implementation. Sufficient resources, and suitably qualified, experienced and trained personnel, should be made available, and awareness of the significance of the PIMS raised across the organisation. Details of personnel's day-to-day duties to ensure DPA compliance are given, and approaches are suggested for managing these in large or complex organisations. Methods to ensure the correct classification of personal data (called personal information in BS 10012) are given, as well as pointers to ensure that the PIMS is subject to risk assessment procedures, is kept up-to-date and incorporates procedures to trigger appropriate notifications to be forwarded to the Information Commissioner. The standard identifies best practice for complying with each of the 8 Data Protection Principles (detailed in Table 1) and specifies the need for: procedures to deal with disclosure of personal data to third parties; sub-contracting of processing; and ongoing technological maintenance.
Table 1: The 8 Data Protection Principles which Apply to all Personal Data

| DPA's 8 Data Protection Principles8 (Personal data must be:) | BS 10012:2009 — Best practice for complying with the DPA's 8 Data Protection Principles (Procedures must be in place to ensure that:) |
|---|---|
| 1. Fairly and lawfully processed | Personal information is processed fairly and lawfully and that the legal grounds for processing of personal information have been clearly identified before processing commences, including methods for: |
| 2. Obtained only for specified purposes and not further processed in a manner incompatible with those purposes | Personal information is obtained only for one or more specified purposes, and is not further processed in any manner incompatible with that purpose or those purposes, including: |
| 3. Adequate, relevant and not excessive | Personal information is adequate, relevant and not excessive by: |
| 4. Accurate and up-to-date. The data must be kept accurate and up-to-date. The purpose for which the data is used will be relevant in deciding whether updating of the data is necessary. | Personal information is accurate and, where necessary, kept up-to-date, including: |
| 5. Not kept longer than necessary | Personal information is not kept for longer than is necessary by: |
| 6. Processed in line with the rights afforded to individuals under the legislation, including the right of subject access. The data subject has rights and data must only be processed in accordance with these rights. | The rights of individuals are respected, including: |
| 7. Kept secure | Personal information is protected against loss or damage and unauthorised or unlawful processing by the implementation of appropriate technical and organisational security measures, including: |
| 8. Not transferred to countries outside the European Economic Area (EEA)* without adequate protection | Personal information has an adequate level of protection where it is transferred or processed outside the EEA, for example: |

*The EEA (at the time of publication of BS 10012:2009) consists of the Member States of the European Union plus Norway, Iceland and Liechtenstein.
Using BS 10012 to help curate personal data can bring a number of benefits to an organisation:
- Compliance with the standard can help to ensure that an organisation is not negligent regarding the DPA, and thus open to action by the Information Commissioner's Office
- Compliance with the standard will enable an organisation to ensure that their PIMS is fit for purpose
- Appropriate processes and procedures for personal data management will be defined, documented and embedded in practice
- Personal data security issues, and mitigation of associated risks, will be identified, managed, monitored and improved in a planned manner
- Demonstration of organisational commitment to personal data security will assist in adequate allocation of resources, identification of roles and responsibilities and appropriate training
- Long-term planning will minimise the risk of unauthorised access, security breaches or data leaks, ensuring the rights of data subjects are not compromised
- Appropriate responses to any unauthorised access, security breaches or data leaks will be planned to minimise their impact
- There will be increased confidence that an organisation is managing personal data appropriately as they will be able to demonstrate that they are using recognised best practice
- An awareness of the extent and content of personal data holdings is needed to ensure compliance with the DPA. Such awareness will improve long-term curation. The Data Asset Framework tool can be used to audit personal data, or data with a personal element before preparing for compliance with the standard.
- Compliance with the standard can help to ensure that procedures and activities for managing personal data are developed and documented as a precursor to external certification activities based on risk management. These include ISO 27001 certification of an Information Security Management System; self-audit of a repository against DRAMBORA (Digital Repository Audit Method Based on Risk Assessment); and possible future repository certification against the forthcoming "Metrics for Digital Repository Audit and Certification" [external] document.
BS 10012 is applicable to any organisation, whatever its size, in both the public and private sectors. It is meant for use by anyone within an organisation responsible for initiating, implementing or maintaining a PIMS. The standard was published in May 2009, so it is not yet embedded in UK practice, but with data security currently high profile, take-up is likely to be good. The standard went through a rigorous comments process before publication, but, like the related standard ISO 27001, it is possible that further iterations will be necessary before it is widely accepted by the community. Currently organisations handling health information must adhere to the Caldicott Principles, which are based on the DPA's 8 Data Protection Principles. Other organisations can sign up to the Information Commissioner's Personal Information Promise, a voluntary charter which enables them to demonstrate their commitment to data protection at senior management level. It is possible that, in the future, an organisation will be able to certify against BS 10012 to achieve accreditation, demonstrating not only commitment to, but compliance with, the DPA.
- The full text of BS 10012 is available for purchase online from the British Standards Institute (BSI) [external]. ISO 27001 is available from both BSI and the International Organization for Standardization [external]. Research libraries may have a subscription which will enable registered users to download copies free. See appropriate staff at your institution or library.
- Consultative Committee for Space Data Systems (CCSDS), Metrics for Digital Repository Audit and Certification [external], draft White Book, May 2008
- Data Asset Framework
- Data Protection Act 1998 [external]
- DCC Briefing Paper on Data Protection
- DCC Standards Watch Paper, Information Security Management: The ISO 27000 (ISO 27K) Series
- DRAMBORA (Digital Repository Audit Method Based on Risk Assessment) [external]
- Caldicott Committee (1997), Report on the review of patient-identifiable information: the Caldicott Report [external], Department of Health
- Graham, N and Elliot, S (2009) BSI — A Standards Approach to Preventing Security Breaches, Privacy and Data Protection (April/May, 2009)
- Information Commissioner's Personal Information Promise [external]
- Wiseman, L and Gordon, J (Forthcoming publication) Data Protection: Guidelines For the Use of Personal Data in System Testing [external] (2nd Edition) — a new edition of this publication to align it with BS 10012
1 See the DCC Curation Lifecycle Model (accessed 12 March 2009).
2 The characteristics of an authoritative record as defined by ISO 15489: Information and Documentation — Records Management.
3 More information in the Wikipedia entry on Information Security (accessed 14 August 2009).
4 Data Protection Act, 1998, Part 1 — Preliminary: Basic Interpretative Provisions.
5 The Information Commissioner has offices in England, Wales, Scotland and Northern Ireland to enable differences in relevant legislation across the United Kingdom to be addressed. Further information on the work of the Information Commissioner can be found at: http://www.ico.gov.uk/
6 Also known as the Deming Cycle or Shewhart Cycle. See more information on Wikipedia [external] (accessed 12 March 2009).
7 These include ISO 9001 (Quality Management Systems); ISO 14001 (Environmental Management Systems); ISO/IEC 27001 (Information Security Management Systems); ISO/IEC 20000 (IT Service Management).
8 This column is paraphrased from: Madhavan, M (2007), Data Protection Overview, JISC Legal Information.