"As part of the notification process, a data controller is required to provide a general description of the security measures taken to guard against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage. It is a requirement of the 1998 Data Protection Act but will not form part of the public register.
Do the measures taken by you include:
- Adopting an information security policy? (i.e. providing clear management direction on responsibilities and procedures in order to safeguard personal data)
- Taking steps to control physical security? (for example, locking doors of the office or building where computer equipment is held)
- Putting in place controls on access to information? (for example, introduction of password protection on files containing personal data and encryption)
- Establishing a business continuity plan? (for example, holding a backup file in the event of personal data being lost through flood, fire or other catastrophe)
- Training your staff on security systems and procedures? (for example, are staff aware of their responsibilities, are they aware that personal data should only be accessed for business purposes?)
- Detecting and investigating breaches of security when they occur? (for example, producing audit trails that log access to personal data and can be attributed to a particular person)"