The seventh data protection principle within the 1998 Data Protection Act identifies the security obligation for controllers of personal data. What actually constitutes "appropriate technical and organisational measures?"
The principle is accompanied by statutory interpretation, which addresses the use of technology, the reliability of employees who have access to personal data and the engagement of data processors. In summary, controllers of personal data are required to:
- Implement appropriate technology that will keep data safe and secure, taking into account the state of technological development, the cost of the technology, the nature of the data that is being protected and the harm that might result from a security breach.
- Hire a reliable staff and take steps throughout their employment to ensure their reliability. This will extend to pre-employment vetting and ongoing monitoring where appropriate.
- Use data processors who provide sufficient guarantees about security, who agree to work only pursuant to a contract and who agree to process data only on the controller's instruction. The controller must take appropriate steps to ensure the reliability of the processor.
Collectively these provisions address all the major themes within a comprehensive information security management system, and they dovetail nicely with the headline requirements of ISO 27001/2, an international code of practices for information security management.
ISO 27001/2 and the path to compliance
At this juncture it is worth reminding ourselves of the idea behind ISO 27001/2. In summary, these standards are designed to enable the implementation of an information security management system; ISO 27001 is designed for organisations that wish to implement an accredited ISMS, whereas 27002 provides a Code of Practice for organisations that do not wish to achieve accreditation. As a matter of law, the courts in the U.K. will take account of ISO standards when analysing whether an organisation has acted "negligently."
However, for those responsible for designing and implementing security systems, the seventh data protection principle is unfortunately lacking in detail, which raises the question of whether adherence to the ISO 27000 framework will result in a Data Protection Act-compliant environment.
The Information Commissioner's Office has provided the clearest indication that the body sees ISO 27000 as a route to compliance. For example, in its 2007 enforcement strategy, "Our Approach to Encryption," the ICO said, "personal information, which is stored, transmitted or processed in information, communication and technical infrastructures, should also be managed and protected in accordance with the organisation's security policy and using best practice methodologies such as using the International Standard 27001."
The government and the Financial Services Authority have also given their support to ISO 27000. Cabinet Secretary Gus O'Donnell's June 2008 report, "Data Handling Procedures in Government," lists a series of government departments that have embraced ISO 27001, saying "many Departments will, as now, work towards or achieve external ISO accreditation."
The FSA's April 2008 report "Data Security in Financial Services" similarly says that "there is an international quality standard for data security: the ISO 27001 Security Management Standard which was introduced in 2005," but it observes that the adoption of the ISO is not universal: "Some firms, particularly larger firms with dedicated information security officers, were aware of this code of practice and used it as a benchmark. However, it was interesting to observe that even some of the largest firms had not obtained certification to this standard."
What is 'the state of technological development?'
While the ISO 27000 framework provides a route to compliance, a particular difficulty concerns the implementation of security technologies; the statutory interpretation to the seventh data protection principle requires data controllers to have regard for "the state of technological development," but the DPA is silent on the meaning of this phrase. However, in a "good practice note" published in November 2007, the Information Commissioner said "the Act requires that organisations should take into account technological developments when they decide on security measures but it is a frequent misunderstanding that the Act requires 'state of the art' technology. This is not the case."
So, according to the ICO, the seventh data protection principle does not require the controller to implement state-of-the-art technologies. Instead, the controller must implement appropriate tools, having regard for the state of technological development, the nature of the data to be protected, the harm that might result from a security breach and associated cost. It should follow that if the information is highly sensitive and serious harm could be caused by a security breach, the controller might be required to implement "cutting-edge" technologies, which might not be necessary in cases where the information is not particularly sensitive. As such, controllers need to exercise good judgment about the nature of the security technologies they install.
Unfortunately, organisations who are looking for prescriptive guidance on the kinds of technologies they should employ will be disappointed when they examine the Data Protection Act and regulatory guidance for assistance; the Act is silent on the kinds of technologies that should be deployed and at this stage in the development of the law the regulators have identified only encryption as a specific technology. However, IT companies, including RSA, are working with the author to introduce and explain their technologies to the regulators, which may eventually lead to greater prescription in the law.
About the author:
Stewart Room, Barrister and Solicitor, is a partner in the Technology Law Group at Field Fisher Waterhouse LLP. He is named as one of the UK's leading data protection lawyers in legal directory Chambers UK and in October 2008 he was awarded the prestigious prize of "Legal Innovator of the Year" by the Financial Times, for his work with major IT companies. He is the president of the National Association of Data Protection Officers and the author of Data Protection and Compliance in Context (December 2006), Email: Law Practice and Compliance (to be published in December 2008) and Data Security Law and Practice (to be published in July 2009). He is a visiting lecturer on information law at various universities.