The British Standard, BS 10012:2009 Data protection. Specification for a personal information management system has been developed to establish best practice and aid compliance with data protection legislation. It is the first standard for the management of personal information.
BS 10012 specifies the requirements for a personal information management system (PIMS), which provides an infrastructure for, among other things, maintaining and improving compliance with the Data Protection Act (DPA) 1998.
Rather than prescribing exactly how operations should be run, BS 10012 provides the framework which will enable effective management of personal information. It can be used by organizations of any size and sector to create a tailored management system which includes procedures in areas such as training and awareness, risk assessment, data sharing, retention and disposal of data and disclosure to third parties.
BS 10012 was developed by a panel of experts including representatives from industry, government, academia and consumer groups. A three-month public comment period produced a high number of comments, all of which were considered by the panel before preparation of the final version of the standard.
BS 10012 is for use by organizations of any size, in both the public and private sectors. It is meant for use by anyone responsible for initiating, implementing and maintaining a PIMS within an organization. BS 10012 aims to provide a common ground for the management of personal information, to provide confidence in its management, and to enable an effective assessment of compliance with, amongst other things, the DPA by both internal and external assessors.
Users of BS 10012 should be aware that other legislation (such as the Freedom of Information Act 2000) can have an effect on decisions taken in relation to the processing of personal information. BS 10012 does not cover other legislation, which should be accounted for when processing personal information.
Personal information management system
BS 10012's main objective is to enable organizations to put in place a personal information management system (PIMS) which provides an infrastructure for maintaining and improving compliance with, amongst other things, the requirements of the Data Protection Act 1998 (DPA).
The DPA implements a European Directive (95/46/EC) and applies to “personal data” which is defined in the DPA as information relating to living individuals. This British standard uses the term “personal information” in place of the term “personal data”.
The DPA is regulated and enforced by the Information Commissioner, who is responsible for promoting the protection of personal information. The Information Commissioner promotes good practice by issuing guidance materials, rules on eligible complaints, provides information to individuals and organizations, and takes appropriate action when the law is broken. The Information Commissioner has powers to investigate complaints, to make assessments as to whether processing is compliant with the DPA, and to issue information notices, enforcement notices and "stop now" orders.
The new standard is welcomed by the Information Commissioner's Office (ICO): "Recent reports suggest that data loss is not restricted to the public sector," a spokesperson told Business Standards. "Businesses play an important role in making data protection a priority in organizations.
"The ICO recently called for chief executives to ensure their organizations have the right policies and procedures in place, that 'privacy by design' features are incorporated in the technology their organizations use and that the staff is properly trained to counter the risks of data loss.
"The introduction of the BS 10012 standard highlights how data protection has risen up the business agenda and provides a useful template for organizations looking to improve the governance arrangements for data protection in their organization."