Data Protection Policy
10. Data security
10.1 The sixth data protection principle requires that we keep secure any personal data that we hold.
10.2 We are required to put in place procedures to keep the personal data that we hold secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
10.3 When we are dealing with sensitive personal data, more rigorous security measures are likely to be needed. For instance, if sensitive personal data (such as details of an individual’s health, race or sexuality) is held, it should always be securely encrypted in transit, or “at rest”, i.e., in a data repository, including backed-up data and portable devices such as laptops or memory sticks.
10.4 When deciding what level of security is needed, the IAP makes an assessment to determine whether the information is sensitive or highly confidential and how much damage could be caused if it fell into the wrong hands.
10.5 Appropriate security policies, procedures and monitoring processes must be followed in relation to all personal data held and processed by the IAP. This includes physical, network and information technology management policies designed to secure personal data and provide reasonable measures to protect from disclosure; business continuity and disaster recovery measures to restore availability and access to data in a timely manner in the event of a physical or technical incident; and a process to review and update IAP security measures according to industry best practices.