
The seventh data protection principle states that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The seventh principle is the one which will affect most people in one way or another.  This covers the fact that data should be kept secure. Basically, this means that organisations must have appropriate security to prevent the personal data they are holding being accidentally or deliberately compromised.

An organisation needs to have adequate security systems in force to hold the data and be clear about who in the organisation is responsible for ensuring information security.  Organisations must make sure that they have physical and technical security together with robust policies and procedures and reliable well-trained staff.

Organisations must be ready to respond to any breach of security swiftly and effectively. Information breaches can cause real harm and distress to individuals, and lives could even be put at risk.

So why should you worry about information security? Examples of harm caused by the loss or abuse of personal data, which can sometimes be linked with identity fraud, include:

  • Fake credit card transactions
  • Witnesses at risk of physical harm or intimidation
  • Offenders at risk from vigilantes
  • Exposure of the addresses of service personnel, police and prison officers, and women at risk of domestic violence
  • Fake applications for tax credits or mortgage fraud.

If personal data is not properly safeguarded, this can seriously damage an organisation’s reputation and prosperity and can compromise the safety of individuals.  For example, if an organisation holds highly sensitive or confidential personal data, such as medical records, these records could cause damage or distress to those individuals if they fell into the hands of others.

So how can we keep information secure?
Physical security includes things like the quality of doors and locks and whether the premises are protected by alarms, security lighting or CCTV. It also includes how access to the premises is controlled, how visitors are supervised and how portable equipment is kept secure.

Organisations should have policies on the disposal of paper waste with confidential waste bins as appropriate.  Records and data should be shredded as appropriate and confidential files and documents should not be left lying around on unattended desks. It may be necessary to keep certain files locked away.

You should not write on documents and you must ensure that faxes are disposed of securely.  Depending on the computer systems and technical expertise of staff, some organisations may need to seek specialist information security advice.

You should always keep your computer password strictly secret and do not allow others to use the system under your user ID.  Switch off your workstation when you leave for the day to prevent any unauthorised access.

Ensure that any information you enter into a system is accurate and you must only use or view data in accordance with your job accountabilities.

Computers should have firewall and virus checking programmes installed. All information held electronically that would cause damage or distress if it were lost or stolen should be encrypted.

You should be aware of your company's policies on sending emails; it may be that, if you are sending personal data in an email, it should be encrypted or password protected.

Do not write any derogatory comments on the system or in a paper note, and ensure your notes are accurate and not misleading. If you need to make notes you should only make notes that relate to matters of fact and be careful of any expression of opinion, as these must be based on facts.  Remember these records may need to be released to the individual as part of a subject access request.

You should also be careful when sending information by means of a fax. It may be more appropriate to send the information by a courier service or secure email. If the information does need to be sent this way ensure that the recipient has adequate security measures in place. For example, ensure that your fax is not going to be left uncollected in an open plan office.
It would be good practice to ask the recipient if they are at the fax machine ready to receive the document.

Do not discuss information relating to your work with anybody outside work, and do not take work home unless you have the authority to do so.

As a member of staff, you must be well trained and aware of the data protection principles and your duties with regard to protecting personal data.

You must be familiar with your organisation's security policy and be provided with training and annual refresher training.

You should only ever access personal information that is required to do your job, and you should never be tempted to look up anything that is not directly related to your job.

It is also important that you are aware of the dangers of people trying to obtain information by deception and therefore you need to be aware of the correct procedures for identifying callers.

Your company will have written procedures for this, which may include asking the caller security questions such as their name and:

  • Postcode
  • Address
  • Customer reference or order reference
  • Password information.

If you are asked for information by telephone, be sure the caller is who they say they are. It may also be necessary to verify a person's identity; again, your company will have laid-down procedures as to what is acceptable evidence, which may include items such as a passport, birth and marriage certificates, or a national identity card. You can be prosecuted if you deliberately give out personal details without permission.