Protecting data with BS 10012
Businesses need to be alert to the proper management of personal information. Breda Corish and Alan Shipman explain how BS 10012 will help.

In recent years, the need for effective information governance has posed an ever-increasing challenge for all organizations. It’s been widely recognized that information, especially personal information, is an asset. However, it can become a liability and – to paraphrase Richard Thomas, the former UK information commissioner – a toxic liability if incorrectly managed.
While advances in new technologies are making it easier for organizations to collect greater amounts of personal data and provide better services to their customers, these same advances also raise concerns about the effect on individuals’ privacy, especially regarding proportionality and retention. The resulting challenges, which face all organizations, can only be met by effective information governance.
In the UK, the need for organizations to protect personal data has been enforced legally through the Data Protection Act 1998. One organization that publishes practical guidance on implementing the act is BSI. In 1998, BSI put together a group of experts from business, government and the public sector who identified a need for practical guidance on the management of personal information. This led to the publication and continued development of BIP 0012, a guide to the implementation of the UK’s Data Protection Act.
In 2007, this group of experts identified a business need for a more formal document that specified a management system that could easily be adopted by organizations. As a result, BS 10012, Information Management – Specification for a Personal Information Management System, was born.
BS 10012
The objective of BS 10012 is to provide common ground and confidence in the management of personal information. It allows organizations to show a commitment to responsible data management by enabling an effective assessment of compliance with data protection legislation and good practice, whether that’s done by internal or external assessors.
To quote from the introduction of the standard, its objective is to 'enable organizations to put in place, as part of the overall information governance infrastructure, a personal information management system that provides a framework for maintaining and improving compliance with data protection legislation and good practice'.
BS 10012 is designed for use by organizations of any size and sector, and is intended to be used by those responsible for initiating, implementing and maintaining the management of personal information within an organization. It applies the tried and tested plan-do-check-act model as the basis of the personal information management framework, enabling a fit with an organization’s existing information governance framework.
The management system presented in the standard is built around a framework that consists of a number of elements:
- development and approval of a personal information management policy
- allocation of accountability and responsibilities for the system
- provision of resources necessary to operate the system
- identification of personal information, including high risk information, managed by the organization
- training and awareness of all workers who handle personal information
- risk assessment in relation to the management of personal information
- requirement to notify the Information Commissioner's Office of processing
- fair and lawful processing
- adequacy, relevance, accuracy and retention
- rights of the individual
- security of personal information
- overseas transfers
- use of sub-contracted processing
- monitoring and improving the system
It should be noted that an organization can have one or multiple personal information management systems, depending upon its size and complexity.
Like other such standards, BS 10012 is not prescriptive. Rather than stipulating exactly how operations should be run, it provides the framework that will enable the organization to manage personal information effectively. For example, the standard focuses on ensuring that an organization provides sufficient guidance and resources (staffing, for instance) and creates a positive culture within which data processing can occur.
An organization that chooses to work to the framework presented in BS 10012 has the scope to determine how best to meet those framework requirements. For example, the organization will need to carry out its own risk assessment and, in doing so, can choose to use its own in-house risk assessment methodology or other tools that are useful for this task, such as the privacy impact assessment guidelines issued by the Information Commissioner’s Office.
Recognising that people, policies and technology are all critical parts of the information management solution, the new standard will assist organizations with putting in place a management framework that will help compliance with obligations in relation to data protection legislation and good practice guidance.
About the author
Breda Corish is head of market development – materials & healthcare, ICT and electronics at BSI. Alan Shipman is managing director of Group 5 Training Limited.
