Below is an extract from the ICO Data Protection Act notification form. One important point is point three. The ICO advises encryption of data, especially data stored on a mobile device (USB stick or laptop). In most cases password protection is not enough: suitably strong encryption should be used for emails, laptops, USB devices, memory cards and more. A quote by Dr. Hugh Thompson sums up the need for data encryption: "Without properly implemented encryption, a password is just a polite request for an attacker to not access data."
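To make the password-versus-encryption point concrete, here is an added illustration (not part of the ICO form or the post above). It builds two "password-protected" files from a constructed sample record: one where a reader application merely checks a password hash before displaying the data that is stored as-is, and one where the data is actually encrypted under a key derived from the password. Someone holding the lost USB stick or laptop disk can read the first directly and learns nothing from the second. The cipher here is a stdlib-only stand-in (PBKDF2 key derivation, an HMAC-SHA256 counter-mode keystream and an HMAC tag) so the script runs with no third-party packages; in a real deployment you would use full-disk encryption or a vetted AEAD such as AES-GCM from a maintained library. The record, password and function names are all assumptions made for the example.

```python
"""Added illustration: a password check that gates display is not encryption."""
import hashlib
import hmac
import os

# Constructed sample: a single personal-data record and the user's passphrase.
SAMPLE_RECORD = b"name=J. Smith;dob=1980-01-01;ni=QQ123456C"
SAMPLE_PASSWORD = "correct horse battery staple"
KDF_ROUNDS = 200_000


def _derive(password: str, salt: bytes, length: int) -> bytes:
    """Stretch the passphrase with PBKDF2-HMAC-SHA256 (stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS, dklen=length)


def password_protected_file(password: str, data: bytes) -> bytes:
    """'Password protection' as many applications implement it: the file
    carries a password hash for the app to check, and the data in clear."""
    salt = os.urandom(16)
    check = _derive(password, salt, 32)
    return salt + check + data


def open_password_protected(blob: bytes, password: str) -> bytes:
    """The well-behaved application path: refuse to show data on a wrong password."""
    salt, check, data = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(check, _derive(password, salt, 32)):
        raise PermissionError("wrong password")
    return data


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based counter-mode keystream (illustrative stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypted_file(password: str, data: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from the passphrase.
    Layout: salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    master = _derive(password, salt, 64)
    enc_key, mac_key = master[:32], master[32:]
    ciphertext = _xor(data, _keystream(enc_key, nonce, len(data)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_encrypted(blob: bytes, password: str) -> bytes:
    """Verify the tag before decrypting; a wrong passphrase or a modified
    file fails here rather than yielding garbage."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    master = _derive(password, salt, 64)
    enc_key, mac_key = master[:32], master[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong password or tampered file")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def record_visible_on_disk(blob: bytes, record: bytes = SAMPLE_RECORD) -> bool:
    """What someone with the raw device sees: is the record present in the bytes?
    No application, and therefore no password prompt, stands in the way."""
    return record in blob


if __name__ == "__main__":
    weak = password_protected_file(SAMPLE_PASSWORD, SAMPLE_RECORD)
    strong = encrypted_file(SAMPLE_PASSWORD, SAMPLE_RECORD)
    print("password-protected file exposes record on disk:", record_visible_on_disk(weak))
    print("encrypted file exposes record on disk:        ", record_visible_on_disk(strong))
```

Both files behave identically through the application (a wrong password is rejected and the right one returns the record); the difference only shows when the application is bypassed, which is exactly the situation a lost laptop or USB stick creates. Note also that the encrypted variant authenticates the file before decrypting, so a tampered copy is rejected rather than silently decrypted to garbage.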

"As part of the notification process, a data controller is required to provide a general description of the security measures taken to guard against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage. It is a requirement of the 1998 Data Protection Act but will not form part of the public register.

Do the measures taken by you include:
  1. Adopting an information security policy? (i.e. providing clear management direction on responsibilities and procedures in order to safeguard personal data)
  2. Taking steps to control physical security? (for example, locking doors of the office or building where computer equipment is held)
  3. Putting in place controls on access to information? (for example, introduction of password protection on files containing personal data and encryption)
  4. Establishing a business continuity plan? (for example, holding a backup file in the event of personal data being lost through flood, fire or other catastrophe)
  5. Training your staff on security systems and procedures? (for example, are staff aware of their responsibilities, are they aware that personal data should only be accessed for business purposes?)
  6. Detecting and investigating breaches of security when they occur? (for example, producing audit trails that log access to personal data and can be attributed to a particular person)"