Data Protection Commissioner

Security Measures for Personal Data:

A Guide to the New Data Protection Rules

European Communities (Data Protection) Regulations, 2001 

Data controllers – i.e. organisations keeping information on computer about individuals – are already bound by a number of data protection rules.  One of these rules is that data controllers must take 'appropriate security measures' for personal data, to guard against unauthorised access, loss, or disclosure. 


The new European Communities (Data Protection) Regulations, 2001 introduce new rules – effective from 1 April 2002 – which will clarify and build upon the existing obligation to keep personal data secure.  In particular, the new rules clarify what is meant by 'appropriate security measures'.  In addition, the Regulations require that an organisation must have contractual safeguards in place, when dealing with agents who process personal data on its behalf (more about this below).  The new security rules can be summarised as follows. 

  • In deciding what level of security is appropriate, data controllers must have regard to the nature of the personal data in question, and the harm that might result from unauthorised use, disclosure or loss of the personal data. 

    Comment:  Organisations dealing with personal data of a private or sensitive nature – such as people's medical files, personnel files, or private telecommunications – naturally need to have very robust standards of security in place.  Organisations that hold personal data with a lower privacy value – such as name, address, or membership of a local drama group – do not need to go to such great lengths, but must still have reasonable security measures in place. 

  • Data controllers may also have regard to the state of technological development, and the cost of implementing security measures.

    Comment:  Security measures need to be reviewed on a regular basis to ensure that they are up-to-date and effective.  An obvious example is anti-virus software:  such software is a routine safeguard to prevent malicious damage to your computers, but needs to be updated regularly if it is to continue to be effective against newly-emerging computer viruses.  Likewise, if sensitive files need to be encrypted, then a data controller should ensure that the standard of encryption is sufficiently robust to withstand attacks from newly-developed decryption software.

    On the other hand, it is reasonable for organisations to weigh up the costs of security measures against the other factors.  If the risks of security breaches are low, and the likely harm that would arise is trivial or minor, then a data controller might justifiably decide not to invest a great deal of money in state-of-the-art security measures.  Conversely, if the risks of security breaches (or attempted breaches) are high, and/or the likely harm to an individual would be high, then a data controller should invest in robust security measures, and indeed should regard such investment as a budget priority. 

  • The new security rules apply in particular to the transmission of personal data over a network.

    Comment:  While the new security rules apply to all data controllers, the Regulations make specific reference to cases involving the transmission of personal data over a network. This is understandable, since this type of transmission involves particular security risks that must be guarded against.  Most obviously, there is the danger that the transmission could be intercepted by a third party. Other risks include corruption or loss of the data, or its accidental disclosure to third parties.

    Each data controller must make its own judgement, based upon its own particular circumstances, about the most suitable security measures to implement.  However, in general terms, the transmission of personal data within an internal network, such as a corporate 'intranet', should at minimum be subject to clear access controls, so that the personal data are available only to those people within the organisation who have a business requirement for such access.  Transmission over external networks, such as the internet, should normally be subject to robust encryption. This requirement will be of particular relevance to e-commerce businesses which record customer details on-line, e.g. via on-line booking forms.  Similarly, telecommunications service providers, which transmit personal data over their networks, must take whatever technical measures are necessary to keep such data secure from unauthorised interception.

  • An organisation should take all reasonable steps to ensure that its staff are made aware of the security measures, and comply with them.

    Comment:  There is no point in preparing an elaborate security scheme, which works well in theory, if the measures are not applied in practice. The Regulations therefore require data controllers and data processors to take all reasonable steps (i) to develop an appropriate level of staff awareness, and (ii) to ensure compliance by staff with the security measures.  This requirement applies to employees, and to other persons at the place of work.

Dealing with Data Processors

Sometimes, an organisation will need to engage the services of a sub-contractor or agent to process personal data on its behalf.  Such an agent is termed a 'data processor' under the Data Protection Act.  An example would be a payroll company, or a telemarketing company retained by a data controller to conduct a customer-satisfaction survey.  The new Regulations specify that, where a data controller engages the services of a data processor, it must take certain steps to ensure that data protection standards are maintained.  The key points are as follows:  

  • A data controller can do business with a data processor only on the basis of a written contract (or a contract in equivalent form) which includes appropriate security and other data protection safeguards.  Informal and ad-hoc arrangements will not be acceptable, where personal data are involved.
  • In particular, the contract must specifically provide that the data processor will process personal data only on the basis of the authorisation and instructions received from the data controller.  This provision ensures that personal data passed on to a data processor may not be retained or used by the data processor for its own purposes.
  • The contract must commit the data processor to apply appropriate security measures.  This provision ensures that the standard of security must be maintained when the personal data are passed from the data controller to its agent. 
  • Finally, at a practical level, the data controller must satisfy itself that the data processor has suitable technical security measures, and organisational measures, in place.  The data controller must also take reasonable steps to ensure that these measures are being complied with.

For most responsible organisations in Ireland, the new security rules should involve few, if any, practical changes – because appropriate security measures of this nature should already be in place.  The clarifications provided in the Regulations simply re-state common-sense guidelines:  that security measures should be suitable to all of the circumstances involved, including the sensitivity of the personal data, the state of technological development, and the cost of implementing the provisions.  In addition, where an agent is being retained to process personal data, there should be a sound contractual basis for this, with appropriate security safeguards in place.

The Regulations should, however, be seen as underlining the importance of security measures, particularly in an environment where more and more personal data are being transmitted over the internet, and via telecommunications and other networks. 
