One of the key problems faced by organisations that want to comply with the Data Protection Act is that the DPA doesn’t contain any detailed guidance on compliance – in essence, it is just a set of 8 principles. And the worst principle from a compliance perspective is Principle 7, which requires organisations to make appropriate technical and administrative arrangements to protect personal information. What is appropriate? And how would you prove it? For some years, ISO/IEC 27001 certification has been the most effective way of demonstrating DPA compliance, but the read-across between the two standards is not that precise.
BS10012 (Data Protection: Specification for a Personal Information Management System), on the other hand, is a standard that is specifically written to meet DPA compliance needs. It is written as a specification (in other words, audits can be conducted against the standard and there is talk of a certification scheme) and it deals specifically and completely with the requirements of the DPA. It has just been published and every organisation that has personal information to protect should
- Buy a copy and compare actual practices with those described in the standard, and
- Consider improving actual practices so that they conform to those described in the standard.
Here’s a link where you can get your own copy: http://www.itgovernance.co.uk/products/2542