Data Protection Policy

10. Data security

10.1 The sixth data protection principle requires that we keep secure any personal data that we hold.

10.2 We are required to put in place procedures to keep the personal data that we hold secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

10.3 When we are dealing with sensitive personal data, more rigorous security measures are likely to be needed. For instance, if sensitive personal data (such as details of an individual’s health, race or sexuality) is held, it should always be securely encrypted in transit or “at rest”, i.e., in a data repository, including backed-up data and portable devices such as laptops or memory sticks.

10.4 When deciding what level of security is needed, the IAP makes an assessment to determine whether the information is sensitive or highly confidential and how much damage could be caused if it fell into the wrong hands.

10.5 Appropriate security policies, procedures and monitoring processes must be followed in relation to all personal data held and processed by the IAP. This includes physical, network and information technology management policies designed to secure personal data and provide reasonable measures to protect it from disclosure; business continuity and disaster recovery measures to restore availability and access to data in a timely manner in the event of a physical or technical incident; and a process to review and update IAP security measures according to industry best practices.