BS 10012:2009 Data Protection – Specification for a Personal Information Management System

Records Management Journal

ISSN: 0956-5698

Article publication date: 30 March 2010


Citation

Young, L. (2010), "BS 10012:2009 Data Protection – Specification for a Personal Information Management System", Records Management Journal, Vol. 20 No. 1. https://doi.org/10.1108/rmj.2010.28120aae.003

Publisher: Emerald Group Publishing Limited

Copyright © 2010, Emerald Group Publishing Limited


Article Type: Professional resources. From: Records Management Journal, Volume 20, Issue 1

British Standards Institution, London, 2009. ISBN: 978 0 580 61550 4. £100 (£50 to BSI members)

Keywords: Records management, Standards organizations, Data security, Information management

High-profile data breaches in the UK over the last two years have spawned a plethora of guidance and good practice recommendations. This, however, is the first British Standard on the management of personal information. It is designed to be used in both the public and private sectors by organisations of all sizes. As an accompaniment, BSI has developed an online resource centre and self-assessment tool, BSI Data Protection Online (British Standards Institution, 2009) to help organizations implement and monitor plans and policies against the Standard.

BS 10012 is a management systems standard, following the “plan-do-check-act” cycle, thereby ensuring a degree of consistency with other BS management system standards, facilitating its integration into an organization’s overall governance framework. Rather than detailing specific operations, the Standard adopts a strategic approach for the effective management of personal information to maintain and improve compliance with data protection legislation. Managing personal information is seen as a dynamic process of continuous review and improvement.

To comply with the Standard, an organisation has to develop an information governance infrastructure, the “personal information management system” or PIMS. The principles underlying the PIMS will be familiar to those with experience of the 2008 Cabinet Office review of government data handling procedures, namely, accountability at a senior level supported by a programme of continuous assessment and improvement, and an organisational culture which values personal information (Cabinet Office, 2008).

At the centre of the PIMS sit 15 policy recommendations, followed by guidance for drafting internal procedures and processes in the key areas of data collection, processing, sharing and outsourcing. The PIMS promotes a proportionate and risk-based approach to compliance, which in some areas has led to requirements which go beyond those set out in the legislation. For example, in addition to information defined as “sensitive” by the Act, BS 10012 identifies a further five categories as high risk:

  1. financial details;

  2. information about children and vulnerable adults;

  3. sensitive negotiations;

  4. “detailed profiles of individuals” (though there is no guidance on what is meant by this); and

  5. national identifiers such as national insurance numbers.

It also sets out as mandatory a breach management process and procedures for dealing with appeals and complaints. These good practice recommendations, together with the repeated requirement for a reliable audit trail and adoption of a holistic approach, are strengths of the Standard.

The Standard might have benefited from the inclusion of a requirement for a process to manage and record the application of exemptions under the UK Data Protection Act 1998, not simply exemptions for third-party data sharing but also exemptions from its subject access provisions. As the Act has no requirement for organizations to inform applicants when, or for what reasons, data have been withheld from disclosure, it is perhaps all the more important that internal processes are in place to ensure this is done in a proper and consistent manner. The Standard has substituted “personal information” for “personal data” – the term used in the Data Protection Act – although the same definition is applied. Similarly, the terms “Data Controller” and “Data Processor” are absent from the text. Whilst the avoidance of unnecessary technical jargon is to be applauded, it does not facilitate easy cross-referencing to other guidance and, indeed, to the legislation itself.

Nevertheless BS 10012 is a welcome initiative. For many businesses operating in areas rattled by highly publicised data breaches, demonstrating compliance with the Standard is one means of gaining public confidence. It provides a logical “to do” list for organisations and a standardised benchmark for audit. Perhaps its main strength is that, by not prescribing detailed operational measures, it allows an organisation sufficient scope to select its own preferred mechanisms for building a PIMS customised to meet its own circumstances. However, organisations hoping to align with BS 10012 should not be fooled by appearances: this rather slim and accessible publication disguises a requirement for a very significant piece of work.

Notes

1. BSI Data Protection Online, BS 10012, available at: www.bsigroup.com/DPOnline

Lynn Young, The British Library, London, UK

References

British Standards Institution (2009), BSI Data Protection Online, BS10012, available at: www.bsigroup.com

Cabinet Office (2008), Data Handling Procedures in Government: Final Report, June, available at: www.cabinetoffice.gov.uk/media/65948/dhr080625.pdf
