At a glance
Data protection law requires you to process personal data securely, with appropriate organisational and technical measures in place.
The security measures must be “appropriate” to the nature, scope, context and purpose of the processing and the risks posed to the rights and freedoms of individuals.
You must also take into account the various security measures available and the costs of implementation when determining what measures are appropriate for your circumstances.
In more detail
- What does data protection law say about security?
- Are we still responsible after we’ve shared the data?
What does data protection law say about security?
Data protection law requires you to process personal data securely, with appropriate organisational and technical measures in place. The security measures must be “appropriate” to the nature, scope, context and purpose of the processing and the risks posed to the rights and freedoms of individuals.
This section applies to processing both under the UK GDPR/Part 2 of the DPA 2018 and Part 3 of the DPA 2018.
You must also take into account the various security measures available and the costs of implementation when deciding what measures are appropriate for your circumstances. The “data protection by design and default” approach described in the section on accountability will help you to consider the security measures to put in place.
As stated earlier, you should aim to build a culture of compliance and good practice throughout your organisation to help you to share data securely. This must apply from board level, through to all employees and contractors.
For more details, please see the guidance on security on the ICO website.
Are we still responsible after we’ve shared the data?
Organisations that you share data with take on their own legal responsibilities for the data, including its security. However you should still take reasonable steps to ensure that the data you share will continue to be protected with adequate security by the recipient organisation. You should:
- ensure that the recipient understands the nature and sensitivity of the information;
- take reasonable steps to be certain that security measures are in place, particularly to ensure that you have incorporated an agreed set of security standards into your data sharing agreement, where you have one; and
- resolve any difficulties before you share the personal data in cases where you and the recipient organisation have different standards of security, different IT systems and procedures, different protective marking systems etc.
Undertaking a DPIA for any data sharing operation can be an effective means of considering these issues and implementing appropriate mitigating measures.
You should also note that in certain circumstances you are required to do a DPIA when sharing data, and we recommend that you always do so when planning to share data. Please refer to the section in this code on Deciding to share data.
Further reading
- Guidance on security
- Guidance on data protection by design and default
- The ICO has also worked closely with the National Cyber Security Centre (NCSC) to develop a set of security outcomes that you can use to help determine what’s appropriate for you. The security outcomes can also help you when considering any data sharing arrangements.