BS10012:2009 - Data Protection: Specification for a Personal Information Management System

The British Standards Institute has today published the first version of its BS10012:2009 – Data Protection: Specification for a Personal Information Management System. Is this the panacea that privacy professionals have been seeking?

One of the key challenges for any organisation attempting to implement a privacy compliance and management framework is that of trying to establish a standard against which to work. Standards are important in any governance framework: we need them to understand what needs to be achieved; to set common governance goals across and between organisations; to understand whether the responsible managers are competent to implement those controls; and to audit whether those controls have been properly established and maintained.

Without standards, every organisation has to go through the expense and hassle of inventing its own standards from scratch, and risks the possibility that the implemented home-grown controls, and the individuals responsible for managing and auditing them, simply aren’t up to scratch. In the current climate of greater scrutiny of standards that’s a big risk to take.

To date, we have yet to establish a practical, globally accepted standard for privacy or data protection that any organisation can adopt. Sure, there are some excellent sector-specific or solution-specific standards out there, but nothing that is universally recognised in the way that ISO 9001 for Quality Management, or BS27001 for Information Security are. This is largely because of the rapidly-evolving and globally diverse nature of data protection law – there are simply too many different objectives for a standard to hit.

The BSI has therefore stepped in with an approach which, rather than trying to address all the requirements of the law, instead develops a ‘Personal Information Management System’ – a set of processes that provide a framework for personal data governance. Quoting BSI’s website on the standard:

The British Standard, BS10012 Data protection. Specification for a personal information management system has been developed to establish best practice and aid compliance with data protection legislation. It is the first standard for the management of personal information.

BS 10012 specifies the requirements for a personal information management system (PIMS), which provides an infrastructure for, among other things, maintaining and improving compliance with the Data Protection Act (DPA) 1998.

Rather than prescribing exactly how operations should be run, BS 10012 provides the framework which will enable effective management of personal information. It can be used by organizations of any size and sector to create a tailored management system which includes procedures in areas such as training and awareness, risk assessment, data sharing, retention and disposal of data and disclosure to third parties.

This is a valuable first step in defining a privacy standard, and the team behind it are to be congratulated on their work, but it’s far from a panacea, and I suspect that it will gain little support from industry in its current form – I certainly doubt that we’ll see organisations attempting to ‘comply’ with it. Our problem is one of creating and maturing an acceptable standard: despite the consultation period, the standard needs to be released into the wild to see what a broad audience makes of it. BS7799 – which became ISO27001 – took a lot of criticism in its first release, and it needed several iterations of revision before it received widespread acceptance.

If I were to offer just one particular criticism of the current approach, it would be that it does not incorporate any form of Privacy Impact Assessment or similar risk analysis. This means that the specified controls are highly prescriptive without necessarily addressing the organisation’s real needs, and we’re likely to see a lot of complaints that, as a result, the controls are onerous and top-heavy for a lot of potential users. Future revisions must incorporate a risk-driven approach if they are to be scalable and proportionate for user organisations.

BS10012:2009 is a welcome first step towards privacy standardisation – but don’t mistake it for a panacea.

[Declaration of Interest: I am a BSI Committee Member (which is an unpaid role) and was part of the BS10012 group, although I was unable to attend the development meetings because of other commitments]