Chapter 8
Data Protection Principle 4
The main questions:
• What are the general requirements regarding security of personal data under DPP4
and how are they applied?
• What is the Commissioner’s practical advice to data users on data security in
particular situations?
• What are the data security issues for a data user when outsourcing the processing of
personal data to a data processor?
The questions of security of personal data discussed in this Chapter concerning DPP4 have
been selected on the basis of their practical importance in light of the Commissioner’s own
experience. Before reading this Chapter, readers should read paragraphs 1.7 to 1.11 in
Chapter 1 (Introduction), which contain important general information on using this Book.
The General Requirements of DPP4
8.1
Data Protection Principle 4(1) provides as follows:
Principle 4 – security of personal data
(1) All practicable steps shall be taken to ensure that personal data (including data in a
form in which access to or processing of the data is not practicable) held by a data
user are protected against unauthorised or accidental access, processing, erasure, loss
or use having particular regard to –
(a) the kind of data and the harm that could result if any of those things should occur;
(b) the physical location where the data is stored;
(c) any security measures incorporated (whether by automated means or otherwise)
into any equipment in which the data is stored;
(d) any measures taken for ensuring the integrity, prudence and competence of
persons having access to the data; and
(e) any measures taken for ensuring the secure transmission of the data.
8.2
“Practicable” is defined in section 2(1) to mean “reasonably practicable”. It follows that
DPP4(1) does not require a data user to provide an absolute guarantee for the security
of personal data held by it, but rather, only to take such steps as may be reasonably
practicable in the circumstances, having regard to the matters mentioned in