Data Protection Principle 7 - Security measures
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
This Principle is developed further in the DPA, requiring data controllers to balance
- the "state of technological development", and
- the cost of implementing any security measures against
- the "harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage", and
- "the nature of the data to be protected".
The measures that data controllers take, therefore, must be appropriate to their individual circumstances. During the notification process, data controllers are required to confirm that they have put in place security measures to protect the personal data that they are processing. The checklist asks whether the data controller has
- adopted an information security policy, to give clear management direction on responsibilities and procedures
- taken steps to control physical security, e.g. to prevent theft of computers
- put in place controls on access to information, e.g. password protection and encryption
- established a business continuity plan, e.g. backup files
- trained staff on security systems and procedures
- detected and investigated breaches of security when they occur
- adopted the British Standard on Information Security Management BS7799.
Adoption of this British Standard Code of Practice BS7799 is not a statutory requirement but promotes best practice on information security management.
The Code of Practice for Information Security Management may be obtained from BSI Customer Services, 389 Chiswick High Road, London, W4 4AL, telephone 020 8996 9001. A major section of the BSI website is devoted to BS7799, the Internet address is www.bsi-global.com/Global/bs7799.xalter
This Principle also applies to "data processors", i.e. organisations that process personal data on behalf of data controllers. In the context of payroll, these would be
- accountants, payroll bureaux and bookkeepers providing a payroll service
- an employer that processes payroll for other companies in the same group
- an employer that processes a pensions payroll on behalf of the pension trustees.
Further DPA provisions linked to Principle 7 require data controllers, when engaging the services of a data processor, to:
- choose a data processor that can guarantee the application of technical and organisational security measures to the processing to be carried out,
- take reasonable steps to ensure that the data processor complies with those measures, and
- enter into a written contract with the data processor that requires the data processor to
  - act only on instructions from the data controller, and
  - comply with obligations equivalent to those imposed on the data controller by Principle 7.
An employer taking on the services of a payroll service provider must, therefore, be reassured that the service provider will apply the same information security standards that are expected of the employer as the data controller. A payroll service provider should be able to demonstrate compliance with all aspects of the checklist above, including implementation of the BS7799 Code of Practice.