Principle Seven

What is Data Protection Principle Seven, and what does it mean for you?

The 1998 Data Protection Act sets the rules for how UK businesses can gather, store and use people’s confidential data.

The Act is organised around eight principles of data protection. They include the idea that personal data should be obtained and processed fairly and lawfully, that only the right data should be used, that data should be accurate and so on.

Principle Seven covers data security. It states:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Basically, this means that firms must do what they can to stop data falling into the wrong hands, and to protect it from being lost, damaged or destroyed. Since every business has different data and business processes, each one needs to decide its own approach to information security. However, it’s definitely worth considering who will take responsibility for security issues and making a contingency plan for how you’ll react if your security is breached.

With so many high-profile hacks and digital security breaches in the headlines these days, it’s easy to focus on the importance of keeping ‘live’ data safe. But it’s equally important to safeguard data that has fulfilled its purpose – particularly when you consider Principle Five of the Data Protection Act, which says that personal data must be disposed of when no longer needed, not held indefinitely.

To guard against ‘accidental loss’, as Principle Seven stipulates, any firm handling personal data should have a contract with a company who can handle confidential waste and guarantee that collection and destruction are fully secure and compliant. That means meeting European Standard BS EN 15713:2009for security shredding and also BS 7858 for staff vetting.

The standards cover every aspect of data destruction providers’ business, from the security of premises through to hiring the right personnel. It also extends to any subcontracting arrangements, the security of vehicles used for transport and the use of written contracts.

When you hear the word ‘shredding’, it’s natural to think of paper records. But shredding is also the best way todispose of digital data. Simply deleting a file doesn’t guarantee that it can’t be recovered in the future. The only completely secure way to dispose of old hard drives, data tapes, CDs or microform media is to put them beyond use by physically destroying them – and a shredding company can help here too.

Even items that don’t contain personal data, such as branded products and uniforms, could cause real problems in the wrong hands. Fortunately, they can all go in the shredder too, guaranteeing they can’t be used to endanger an organisation’s reputation in the future.