How do we ensure the security of personal information?
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Data protection law requires you to process personal information securely, using appropriate technical and organisational measures, but it does not define what measures to use. This is the ‘security principle’.
You must put in place technical and organisational measures to ensure your level of security is appropriate to the risk of using personal information. You must consider:
- the state of the art;
- costs of implementation; and
- the nature, scope, context and purpose of your processing.
If you plan to use a third-party moderation provider, acting as a data processor, you must choose one that provides sufficient guarantees about its security measures.