Data Protection Act 1998 – Developing a Good Management System

Breda Corish (BSI) and Alan Shipman (Group 5 Training Limited) - August 2009

Introduction

It is 11 years since the publication of the Data Protection Act 1998, and eight years since it was implemented in 2001. Since that time, much has been written about how organisations should manage the personal information that they hold and use for their business purposes.

One such organisation that publishes practical guidance on implementing the Data Protection Act is BSI. Better known for the British and international standards that it publishes, BSI also publishes guidance across a wide range of market sectors in the UK and internationally. Back in 1998, BSI put together a group of experts from business, government and across the public sector who identified a need for practical guidance on the management of personal information. This led to the publication and continued development of Guide to the Practical Implementation of the Data Protection Act 1998.

In 2007, this group of experts identified a business need for a more formal document that specified a management system that could easily be adopted by organisations.  Thus, BS 10012:2009 Information Management. Specification for a Personal Information Management System was born.

Developing the Standard

Originating as the world’s first national standards body, BSI today is a leading global independent business services organization providing standard-based solutions in more than 120 countries.

BSI’s remit includes the development and sale of private, national and international standards and supporting information that promote and share best practice across a broad range of topic areas. Additionally BSI provides management systems assessment & certification, testing & certification of services and products, as well as performance management software solutions and training services in support of standards implementation and business best practice.

In its role as the UK's National Standards Body (NSB), BSI represents UK economic and social interests across all of the European and international standards organizations and through the development of business information solutions for British organizations of all sizes and sectors. BSI has a close working relationship with the UK government, primarily through the Department for Business, Innovation and Skills (BIS).

Since the mid-90s, BSI and the national committee members have been increasingly involved in the development of standards and associated guidance in support of good information governance, sometimes but not always in response to specific legislative activity or government interest.

Information Governance

The management of personal information should be seen by organisations as just one part of the overall information governance framework, a subject that is high on the agenda of most board meetings.

In recent years, the need for effective information governance has posed an ever-increasing challenge for all organisations, whether in the public, private or third sector.  It has been widely recognised that information, especially personal information, is an asset. However, it can become a liability and – to paraphrase Richard Thomas, the former UK Information Commissioner, – a toxic liability if incorrectly managed.

While advances in new technologies are making it easier for organisations to collect greater amounts of personal data and provide better services to their customers, these same advances also raise concerns about the effect on individuals’ privacy (especially regarding proportionality and retention) and there are ever-increasing challenges for all organisations, whether in the public, private or third sector, which can only be met by effective information governance.

Management System Standards

So what role do standards play in helping organisations achieve good information governance?

Perhaps the best-known example is the Information Security Management Systems (ISMS) standards now known as the ISO/IEC 27000 series. This management system is essentially a systematic approach to managing sensitive information so that it remains secure. It has more to do with managing people and processes than implementing technology, and provides guidelines and common practice so that organisations do not have to keep reinventing the wheel.

Around the same time as the ISO/IEC 27000 series were being developed, work also began in ISO on the development of the first international records management standard, ISO 15489. In this instance, the catalyst was a pioneering Australian standard for records management, developed in response to the need for “quality records” identified in ISO 9000, the international quality management systems standard.

One critical element of records management involves managing and thus reducing the risks associated with document retention and preservation, an issue of particular relevance for private sector industries such as financial services, utilities and pharmaceuticals where retention requirements are especially significant.

Fitting neatly into the management system framework used by ISO/IEC 9000 and the 27000 series (and others), the new British Standard on the management of personal information, BS 10012, uses the same business model. This enables organisations to integrate the management of personal information into their overall information governance framework.

Openness and security

The management of personal information is a challenge to many organisations, as there is a need for both openness and security. Organisations need to be open when asked by individuals about the processing of their personal information. On the other hand, good security measures can prevent the disclosure of the information to the wrong people. Such a requirement is of particularly significant importance to organisations that provide public services, as frequent media headlines point out where poor processes have lead to security breaches and data loss.

Data protection is about much more than simply locking up personal information – it’s also about ensuring that the right information is being captured, for the right purpose, for the right amount of time and is being used and shared in an appropriate way – whether that’s sharing it with other organisations or with the individuals who are the subjects of the data.

Instead of defaulting to a mindset that data protection is all about locking personal data away and imposing burdensome restrictions on an organisation, good management practice involves dealing with an asset of great value that needs to be handled with great care.

Effective management can benefit an organization not just by reducing the risk of non-compliance with their obligations under the Data Protection Act, but also by finding opportunities to deliver value to its customers as a consequence of ensuring responsible management of personal information.

Information Commissioner’s Office

Before development work started on the British Standard BS 10012, it was important for BSI and the national committee that the UK Information Commissioner’s Office (ICO) was aware of and supportive of the proposal to develop a formal standard.

BSI were very pleased when the ICO confirmed their support for the development of the standard on data protection on the basis of its fit with the statutory duties of the Information Commissioner under section 51 of the DPA to promote good practice by data controllers. The ICO also has a duty to arrange for the expedient dissemination of appropriate information about the operation of the DPA and good practice in the field of data protection.

Expert panel

In order to ensure that the widest possible representation of experts oversaw the development of the British Standard, the UK’s leading data protection group, the Data Protection Forum  was asked to help identify an expert panel and panel Chairman. Gordon Wanless, Head of Information Governance at NHS Business Services Authority, who was the Chairman of the Forum at the time, agreed to chair the panel. The panel consisted of experts from Government, including the National Archives, from the healthcare and legal sector, insurers, telecoms, banking, pharmaceutical, local authorities, academia, privacy groups and consumer groups. At key stages during the drafting process, the panel welcomed valuable input from ICO.

Transparency

A vital part of the development process of the British Standard was the public comment phase. This is a very important stage of the development process for any standard, as it gives the opportunity to any interested parties to make comments on the draft and so effectively allows the draft document to have a “test drive” with a wider community.

Once the panel were happy that a suitable draft had been produced, the draft was made available online for public comment on 2nd January 2009 for three months.

A significant number of comments were received which the panel resolved in preparation of the final text for publication. BS 10012 was published on 2nd June 2009.

The British Standard BS 10012

The objective of BS 10012:2009 is to provide common ground and confidence in the management of personal information. It enables organisations to show a commitment to responsible data management, by enabling an effective assessment of compliance with data protection legislation and good practice whether that’s done by internal or external assessors.

To quote from the introduction of the standard, “The objective of this British Standard is to enable organizations to put in place, as part of the overall information governance infrastructure, a personal information management system (PIMS) which provides a framework for maintaining and improving compliance with data protection legislation and good practice”.

BS 10012 is designed for use by organisations of any size and sector, and is intended to be used by those responsible for initiating, implementing and maintaining the management of personal information within an organization.

BS 10012:2009 applies the tried and tested “Plan-Do-Check-Act” (PDCA) model as the basis of the personal information management framework, enabling a fit with an organisation’s existing information governance framework. Like other management system standards, BS 10012 is not prescriptive. Rather than stipulating exactly how operations should be run, it provides the framework which will enable the organisation to effectively manage personal information. For example, the standard focuses on ensuring that an organisation provides sufficient guidance and resources (e.g. staffing), and creates a positive culture within which data processing can occur.

An organisation which chooses to work to the framework laid down in BS 10012 has the scope to determine how best to meet those framework requirements in its own specific circumstances. For example, the organisation will need to carry out its own risk assessment and in doing so, can choose to use their own in-house risk assessment methodology or other tools they find useful for this task, such as the privacy impact assessment guidelines issued by the ICO.

Recognising that people, policies and technology are all critical parts of the information management solution, the new British Standard will assist organisations with putting in place a management framework that will help compliance with obligations in relation to data protection legislation and good practice guidance.

Contents

As commented above, the British Standard specifies the establishment of a Personal Information Management System (PIMS). This system is a framework that consists of a number of elements:

  • Development and approval of a Personal Information Management policy
  • Allocation of accountability and responsibilities for the PIMS
  • Provision of resources necessary to operate the PIMS
  • Identification of personal information (including high risk information) managed by the organisation;
  • Training and awareness of all workers who handle personal information
  • Risk assessment in relation to the management of personal information
  • Requirement to notify the ICO of processing
  • Fair and lawful processing
  • Adequacy, relevance, accuracy and retention
  • Rights of the individual
  • Security of personal information
  • Overseas transfers
  • Use of sub-contracted processing
  • Monitoring and improving the PIMS.

It should be noted that an organisation could have one or multiple PIMS, depending upon the size and complexity of the organisation. For further information about BS 10012:2009, visit www.bsigroup.com/bs10012

About the Authors
Breda Corish is Head of Market Development – Materials & Healthcare, ICT and Electronics at BSI Standards www.bsigroup.com
Alan Shipman is Managing Director of Group 5 Training Limited www.group5.co.uk

 

Return to the Data Protection Homepage

 Your basket
Your basket is empty