Chapter 8

Data Protection Principle 4

The main questions:

• What are the general requirements regarding security of personal data under DPP4

and how are they applied?

• What is the Commissioner’s practical advice to data users on data security in

particular situations?

• What are the data security issues for a data user when outsourcing the processing of

personal data to a data processor?

The questions of security of personal data discussed in this Chapter concerning DPP4 have

been selected on the basis of their practical importance in light of the Commissioner’s own

experience. Before reading this Chapter, readers should read paragraphs 1.7 to 1.11 in

Chapter 1—

Introduction, which contain important general information on using this Book.

The General Requirements of DPP4

8.1

Data Protection Principle 4(1) provides as follows:

Principle 4 – security of personal data

(1) All practicable steps shall be taken to ensure that personal data (including data in a

form in which access to or processing of the data is not practicable) held by a data

user are protected against unauthorised or accidental access, processing, erasure, loss

or use having particular regard to –

(a) the kind of data and the harm that could result if any of those things should occur;

(b) the physical location where the data is stored;

(c) any security measures incorporated (whether by automated means or otherwise)

into any equipment in which the data is stored;

(d) any measures taken for ensuring the integrity, prudence and competence of

persons having access to the data; and

(e) any measures taken for ensuring the secure transmission of the data.

8.2

“Practicable” is defined in section 2(1) to mean “reasonably practicable”. It follows that

DPP4(1) does not require a data user to provide an absolute guarantee for the security

of personal data held by it, but rather, only to take such steps as may be reasonably

practicable in the circumstances, having regard to the matters mentioned in