A guide to data security (ICO)

The ICO exists to empower you through information.
19 May 2023: we have broken the Guide to the UK GDPR down into smaller guides. All the content stays the same.

Checklist:

- We undertake an analysis of the risks presented by our processing, and use this to assess the appropriate level of security we need to put in place.
- When deciding what measures to implement, we take account of the state of the art and costs of implementation.
- We have an information security policy (or equivalent) and take steps to make sure the policy is implemented.
- Where necessary, we have additional policies and ensure that controls are in place to enforce them.
- We make sure that we regularly review our information security policies and measures and, where necessary, improve them.
- We have assessed what we need to do by considering the security outcomes we want to achieve.
- We have put in place basic technical controls such as those specified by established frameworks like Cyber Essentials.
- We understand that we may also need to put other technical measures in place depending on our circumstances and the type of personal data we process.
- We use encryption and/or pseudonymisation where it is appropriate to do so.
- We understand the requirements of confidentiality, integrity and availability for the personal data we process.
- We make sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.
- We conduct regular testing and reviews of our measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.
- Where appropriate, we implement measures that adhere to an approved code of conduct or certification mechanism.
- We ensure that any data processor we use also implements appropriate technical and organisational measures.

Article 5(1)(f) of the UK GDPR concerns the 'integrity and confidentiality' of personal data. It says that personal data shall be:

"Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."

You can refer to this as the UK GDPR's 'security principle'. It concerns the broad concept of information security.

This means that you must have appropriate security in place to prevent the personal data you hold being accidentally or deliberately compromised. You should remember that while information security is sometimes considered as cybersecurity (the protection of your networks and information systems from attack), it also covers other things like physical and organisational security measures.

You need to consider the security principle alongside Article 32 of the UK GDPR, which provides more specifics on the security of your processing. Article 32(1) states:

"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk."

Poor information security leaves your systems and services at risk and may cause real harm and distress to individuals; lives may even be endangered in some extreme cases.

Some examples of the harm caused by the loss or abuse of personal data include:

Although these consequences do not always happen, you should recognise that individuals are still entitled to be protected from less serious kinds of harm, for example embarrassment or inconvenience.

Information security is important, not only because it is itself a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of the UK GDPR.

The ICO is also required to consider the technical and organisational measures you had in place when considering an administrative fine.

The security principle goes beyond the way you store or transmit information. Every aspect of your processing of personal data is covered, not just cybersecurity. This means the security measures you put in place should seek to ensure that:

These are known as 'confidentiality, integrity and availability', and under the UK GDPR they form part of your obligations.

The UK GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is 'appropriate' to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.

This reflects both the UK GDPR's risk-based approach, and that there is no 'one size fits all' solution to information security. It means that what's 'appropriate' for you will depend on your own circumstances, the processing you're doing, and the risks it presents to your organisation.

So, before deciding what measures are appropriate, you need to assess your information risk. You should review the personal data you hold and the way you use it in order to assess how valuable, sensitive or confidential it is, as well as the damage or distress that may be caused if the data was compromised. You should also take account of factors such as:

We cannot provide a complete guide to all aspects of security in all circumstances for all organisations, but this guidance is intended to identify the main points for you to consider.

Carrying out an information risk assessment is one example of an organisational measure, but you will need to take other measures as well. You should aim to build a culture of security awareness within your organisation. You should identify a person with day-to-day responsibility for information security within your organisation and make sure this person has the appropriate resources and authority to do their job effectively.

Example

The Chief Executive of a medium-sized organisation asks the Director of Resources to ensure that appropriate security measures are in place, and that regular reports are made to the board.

The Resources Department takes responsibility for designing and implementing the organisation's security policy, writing procedures for staff to follow, organising staff training, checking whether security measures are actually being adhered to, and investigating security incidents.

Clear accountability for security will ensure that you do not overlook these issues, and that your overall security posture does not become flawed or out of date.

Although an information security policy is an example of an appropriate organisational measure, you may not need a formal policy document or an associated set of policies in specific areas. It depends on your size and the amount and nature of the personal data you process, and the way you use that data. However, having a policy does enable you to demonstrate how you are taking steps to comply with the security principle.

Whether or not you have such a policy, you still need to consider security and other related matters such as:

Technical measures are sometimes thought of as the protection of personal data held in computers and networks. Whilst these are of obvious importance, many security incidents can be due to the theft or loss of equipment, the abandonment of old computers, or hard-copy records being lost, stolen or incorrectly disposed of. Technical measures therefore include both physical and computer or IT security.

When considering physical security, you should look at factors such as:

In the IT context, technical measures may sometimes be referred to as 'cybersecurity'. This is a complex technical area that is constantly evolving, with new threats and vulnerabilities always emerging. It may therefore be sensible to assume that your systems are vulnerable and take steps to protect them.

When considering cybersecurity, you should look at factors such as:

Depending on the sophistication of your systems, your usage requirements and the technical expertise of your staff, you may need to obtain specialist information security advice that goes beyond the scope of this guidance. However, it's also the case that you may not need a great deal of time and resources to secure your systems and the personal data they process.

Whatever you do, you should remember the following:

A good starting point is to make sure that you're in line with the requirements of Cyber Essentials, a government scheme that includes a set of basic technical controls you can put in place relatively easily.

You should however be aware that you may have to go beyond these requirements, depending on your processing activities. Cyber Essentials is only intended to provide a 'base' set of controls, and won't address the circumstances of every organisation or the risks posed by every processing operation.

A list of helpful sources of information about cybersecurity is provided below.

Further reading: ICO/NCSC security outcomes

We have worked closely with the NCSC to develop a set of security outcomes that you can use to determine the measures appropriate for your circumstances.

The Accountability Framework looks at the ICO's expectations in relation to security.

Further reading: ICO guidance

Under the 1998 Act, the ICO published a number of more detailed guidance pieces on different aspects of IT security. Where appropriate, we will be updating each of these to reflect the UK GDPR's requirements in due course. However, until that time they may still provide you with assistance or things to consider.

Other resources

Homepage of the Cyber Essentials scheme

Some industries have specific security requirements or require you to adhere to certain frameworks or standards. These may be set collectively, for example by industry bodies or trade associations, or could be set by other regulators. If you operate in these sectors, you need to be aware of their requirements, particularly if specific technical measures are specified.

Although following these requirements will not necessarily equate to compliance with the UK GDPR's security principle, the ICO will nevertheless consider these carefully in any considerations of regulatory action. It can be the case that they specify certain measures that you should have, and that those measures contribute to your overall security posture.

Example

If you are processing payment card data, you are obliged to comply with the Payment Card Industry Data Security Standard. The PCI-DSS outlines a number of specific technical and organisational measures that the payment card industry considers applicable whenever such data is being processed.

Although compliance with the PCI-DSS is not necessarily equivalent to compliance with the UK GDPR's security principle, if you process card data and suffer a personal data breach, the ICO will consider the extent to which you have put in place measures that PCI-DSS requires, particularly if the breach related to a lack of a particular control or process mandated by the standard.

If one or more organisations process personal data on your behalf, then these are data processors under the UK GDPR. This can have the potential to cause security problems: as a data controller you are responsible for ensuring compliance with the UK GDPR, and this includes what the processor does with the data. However, in addition to this, the UK GDPR's security requirements also apply to any processor you use.

This means that:

At the same time, your processor can assist you in ensuring compliance with your security obligations. For example, if you lack the resource or technical expertise to implement certain measures, engaging a processor that has these resources can assist you in making sure personal data is processed securely, provided that your contractual arrangements are appropriate.

Pseudonymisation and encryption are specified in the UK GDPR as two examples of measures that may be appropriate for you to implement. This does not mean that you are obliged to use these measures. It depends on the nature, scope, context and purposes of your processing, and the risks posed to individuals.

However, there are a wide range of solutions that allow you to implement both without great cost or difficulty. For example, for a number of years the ICO has considered encryption to be an appropriate technical measure given its widespread availability and relatively low cost of implementation. This position has not altered due to the UK GDPR: if you are storing personal data, or transmitting it over the internet, we recommend that you use encryption and have a suitable policy in place, taking account of the residual risks involved.

When considering what to put in place, you should undertake a risk analysis and document your findings.

In more detail: ICO guidance

Detailed guidance on encryption

Collectively known as the 'CIA triad', confidentiality, integrity and availability are the three key elements of information security. If any of the three elements is compromised, then there can be serious consequences, both for you as a data controller and for the individuals whose data you process.

The information security measures you implement should seek to guarantee all three, both for the systems themselves and any data they process.

The CIA triad has existed for a number of years and its concepts are well-known to security professionals.

You are also required to have the ability to ensure the 'resilience' of your processing systems and services. Resilience refers to:

This refers to things like business continuity plans, disaster recovery and cyber resilience. Again, there is a wide range of solutions available here, and what is appropriate for you depends on your circumstances.

You must have the ability to restore the availability and access to personal data in the event of a physical or technical incident in a 'timely manner'.

The UK GDPR does not define what a 'timely manner' should be. This therefore depends on:

The key point is that you have taken this into account during your information risk assessment and selection of security measures. For example, by ensuring that you have an appropriate backup process in place, you will have some level of assurance that if your systems do suffer a physical or technical incident, you can restore them (and therefore the personal data they hold) as soon as reasonably possible.

Example

An organisation takes regular backups of its systems and the personal data held within them. It follows the well-known '3-2-1' backup strategy: three copies, with two stored on different devices and one stored offsite.

The organisation is targeted by a ransomware attack that results in the data being encrypted. This means that it is no longer able to access the personal data it holds.

Depending on the nature of the organisation and the data it processes, this lack of availability can have significant consequences on individuals, and would therefore be a personal data breach under the UK GDPR.

The ransomware has spread throughout the organisation's systems, meaning that two of the backups are also unavailable. However, the third backup, being stored offsite, allows the organisation to restore its systems in a timely manner. There may still be a loss of personal data depending on when the offsite backup was taken, but having the ability to restore the systems means that, whilst there will be some disruption to the service, the organisation is nevertheless able to comply with this requirement of the UK GDPR.

Yes, the UK GDPR specifically requires you to have a process for regularly testing, assessing and evaluating the effectiveness of any measures you put in place. What these tests look like, and how regularly you do them, will depend on your own circumstances. However, it's important to note that the requirement in the UK GDPR concerns your measures in their entirety; therefore whatever scope you choose for this testing should be appropriate to what you are doing, how you are doing it, and the data that you are processing.

Technically, you can undertake this through a number of techniques, such as vulnerability scanning and penetration testing. These are essentially 'stress tests' of your network and information systems, which are designed to reveal areas of potential risk and things that you can improve.

In some industries, you are required to undertake tests of security measures on a regular basis. The UK GDPR now makes this an obligation for all organisations. Importantly, it does not specify the type of testing, nor how regularly you should undertake it. It depends on your organisation and the personal data you are processing.

You can undertake testing internally or externally. In some cases it is recommended that both take place.

Whatever form of testing you undertake, you should document the results and make sure that you act upon any recommendations, or have a valid reason for not doing so, and implement appropriate safeguards. This is particularly important if your testing reveals potential critical flaws that could result in a personal data breach.

If your security measures include a product or service that adheres to a UK GDPR code of conduct or certification scheme, you may be able to use this as an element to demonstrate your compliance with the security principle. It is important that you check carefully that the code or certification scheme has been approved by the ICO.

The GDPR requires you to ensure that anyone acting under your authority with access to personal data does not process that data unless you have instructed them to do so. It is therefore vital that your staff understand the importance of protecting personal data, are familiar with your security policy, and put its procedures into practice.

You should provide appropriate initial and refresher training, including:

Your staff training will only be effective if the individuals delivering it are themselves reliable and knowledgeable.

Other resources

The NCSC has detailed technical guidance in a number of areas that will be relevant to you whenever you process personal data. Some examples include:

The government has produced relevant guidance on cybersecurity.

Technical guidance produced by the European Union Agency for Network and Information Security (ENISA) may also assist you.
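The resilience section above describes an organisation that follows the '3-2-1' backup strategy and, after ransomware spreads across its systems, can still restore from the offsite copy with some loss of recent data. The following Python is an added worked example of that scenario, written for this page and not part of the ICO guide. The backup inventory, the incident time, the site name `head-office`, the `network_joined` attribute (used as the criterion for which copies the ransomware can reach) and the recovery point objective are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the organisation's data (the live system counts as a copy)."""
    name: str
    medium: str           # storage type, e.g. "disk", "tape", "object-storage"
    location: str         # site where the copy physically lives
    network_joined: bool  # True if writable from the production network (assumed attribute)
    taken_at: datetime    # when this copy was last refreshed


PRIMARY_SITE = "head-office"  # assumed name of the main site

# Constructed incident time and sample inventory (not real data): the live
# database, a local tape copy on the same network, and an offsite copy that
# production hosts cannot write to. This matches the guide's 3-2-1 description.
INCIDENT_AT = datetime(2023, 5, 19, 9, 0)
SAMPLE_COPIES = [
    BackupCopy("production-db", "disk", PRIMARY_SITE, True,
               INCIDENT_AT - timedelta(minutes=5)),
    BackupCopy("local-tape", "tape", PRIMARY_SITE, True,
               INCIDENT_AT - timedelta(hours=2)),
    BackupCopy("offsite-object-store", "object-storage", "offsite-dc", False,
               INCIDENT_AT - timedelta(hours=26)),
]


def check_3_2_1(copies):
    """Report which parts of the 3-2-1 rule an inventory satisfies."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.medium for c in copies}) >= 2,
        "one_offsite": any(c.location != PRIMARY_SITE for c in copies),
    }


def surviving_copies(copies):
    """Model the guide's scenario: ransomware spreading across the production
    network encrypts every copy it can reach, so only copies that are not
    writable from that network remain usable for restoration."""
    return [c for c in copies if not c.network_joined]


def recovery_report(copies, incident_at, rpo_hours):
    """Decide whether the data can be restored after the incident, from which
    copy, how many hours of recent data are lost, and whether that loss is
    within the organisation's recovery point objective (rpo_hours, assumed)."""
    survivors = surviving_copies(copies)
    if not survivors:
        return {"restorable": False, "restore_from": None,
                "data_loss_hours": None, "within_rpo": False}
    newest = max(survivors, key=lambda c: c.taken_at)
    loss = incident_at - newest.taken_at
    return {
        "restorable": True,
        "restore_from": newest.name,
        "data_loss_hours": loss.total_seconds() / 3600,
        "within_rpo": loss <= timedelta(hours=rpo_hours),
    }


if __name__ == "__main__":
    print("3-2-1 check:", check_3_2_1(SAMPLE_COPIES))
    print("after ransomware:", recovery_report(SAMPLE_COPIES, INCIDENT_AT, 24))
    # Same inventory without the offsite copy: 3-2-1 fails and nothing survives.
    print("no offsite copy:", recovery_report(SAMPLE_COPIES[:2], INCIDENT_AT, 24))
```

Two points the example makes concrete. First, the 3-2-1 check and the restore check are different questions: an offsite copy that production hosts can still write to would pass `check_3_2_1` but be encrypted along with everything else, so the survival test keys on network isolation rather than location. Second, the age of the surviving copy is the 'loss of personal data' the guide mentions; comparing it with an agreed recovery point objective is how the risk assessment turns 'timely manner' into something you can measure and test.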
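The guide names pseudonymisation as one of the two measures the UK GDPR lists explicitly, without showing what it looks like in practice. The following Python is an added example written for this page (not ICO code) of keyed pseudonymisation with the Python standard library's `hmac` and `hashlib` modules: identifiers are replaced by an HMAC-SHA256 pseudonym, and the key and the lookup table are the 'additional information' that must be held separately from the pseudonymised dataset. The sample records, the field names `customer_id`, `name` and `order_total`, and the function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people). "name" is a direct identifier
# that the pseudonymised dataset does not need, so it is dropped entirely.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "A. Example", "order_total": 42.50},
    {"customer_id": "C-1002", "name": "B. Example", "order_total": 18.00},
    {"customer_id": "C-1001", "name": "A. Example", "order_total": 9.99},
]


def pseudonymise_id(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier under a secret key.

    A plain, unkeyed hash would be a weaker choice: anyone holding the
    pseudonymised data could hash candidate identifiers themselves and match
    them. With HMAC the secret key is what separates the pseudonym from the
    person, so it is stored apart from the data under its own controls."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key, id_field="customer_id", drop_fields=("name",)):
    """Return (pseudonymised records, lookup table).

    The same identifier always maps to the same pseudonym under one key, so
    records about one person stay linkable for analysis. The lookup table
    (pseudonym -> original identifier) is held separately, like the key."""
    lookup = {}
    output = []
    for record in records:
        pseudonym = pseudonymise_id(record[id_field], key)
        lookup[pseudonym] = record[id_field]
        output.append({id_field: pseudonym,
                       **{k: v for k, v in record.items()
                          if k != id_field and k not in drop_fields}})
    return output, lookup


def reidentify(pseudonym: str, lookup: dict):
    """Re-identification is only possible with the separately held table."""
    return lookup.get(pseudonym)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once; keep in a key store, never beside the data
    pseudo, table = pseudonymise_records(SAMPLE_RECORDS, key)
    for row in pseudo:
        print(row)
    print("re-identified:", reidentify(pseudo[0]["customer_id"], table))
```

The design choice worth noting is key separation: the pseudonymised rows can be shared with an analytics team or a processor, while the key and the lookup table stay with the controller. Rotating the key produces an unrelated set of pseudonyms, which is also how you would stop two separately released datasets from being joined on the pseudonym.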