Secure areas
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page tells you which guidance will be updated and when this will happen.
You secure physical business locations to prevent unauthorised access, damage and interference to personal data.
Ways to meet our expectations:
- You protect secure areas (areas that contain either sensitive or critical information) by appropriate entry controls such as doors and locks, alarms, security lighting or CCTV.
- You have visitor protocols in place such as signing-in procedures, name badges and escorted access.
- You implement additional protection against external and environmental threats in secure areas such as server rooms.
- Office equipment is appropriately placed and protected to reduce the risks from environmental threats and opportunities for unauthorised access.
- You securely store paper records and control access to them.
- You operate a clear desk policy across your organisation where personal data is processed.
- You have regular clear desk 'sweeps' or checks, and issues are fed back appropriately.
- You operate a 'clear screen' policy across your organisation where personal data is processed.
Can you answer yes to the following questions?
- Are printer/fax areas secure?
- Do staff follow protocols and are they clearly communicated?
- Would we see appropriate environmental controls in your secure areas?
- Would a tour of your offices reveal an effective clear desk policy?
- Are screens left unlocked?