An expert in privacy law has welcomed the Standard, saying that it provides a lot of useful guidance and that its focus is "exactly right."
The Standard is called BS 10012:2009 Data Protection – Specification for a personal information management system. Its stated objective is to enable organisations to put in place a personal information management system, or PIMS.
An organisation seeking compliance with the Standard will need to develop a PIMS which will become its framework for maintaining and improving compliance with data protection legislation and good practice.
The Standard requires that "a senior management team is tasked with issuing and maintaining a policy which sets a clear framework and demonstrates support for, and commitment to, managing compliance" with law and good practice. It lists 15 commitments that should be made in the policy, including commitments to process personal data "only where this is strictly necessary for legitimate organizational purposes"; and to provide "clear information to individuals about how their personal information will be used and by whom".
A member of senior management shall be accountable for the management of personal information within the organisation, the Standard says. One or more people should also be designated as responsible for compliance with the policy on a day-to-day basis. Their duties will include maintaining an inventory of all categories of personal information processed. The organisation should also be able to demonstrate their competence in understanding data protection legislation and good practice, it says. These people should also review the PIMS "where changes in the organization's requirements and/or technology occur."
Organisations should "raise, enhance and maintain awareness of the PIMS through an ongoing education and awareness programme for all workers" and establish a process for evaluating its effectiveness, according to the Standard.
The PIMS must set out "procedures for maintaining records of privacy notices and online privacy statements," it says. When personal information is collected from individuals, procedures in the PIMS should ensure that "any privacy notice or online privacy statement required to be given to the individual is provided or made available to the individual prior to any personal information being collected."
The Standard calls for a complaints procedure and an appeals process. It also calls for an audit programme which monitors and reviews the organisation's data handling. It notes that "regular audits by external parties should be considered by larger organizations and those processing high-risk personal information".
William Malcolm, a data protection specialist at Pinsent Masons, the law firm behind OUT-LAW.COM, welcomed the new Standard.
"There's a lot of good stuff in the Standard, much of which many organisations will already be doing," he said. "However, putting some uniformity and consistent process around information governance standards is to be welcomed."
"The focus on organisational culture, audit, and continuous improvement is exactly right," said Malcolm. "Organisations will welcome the focus on risk assessment rather than a focus simply on compliance."
The list of day-to-day duties is also helpful, according to Malcolm.
"The fact that day to day accountabilities are set out and have to be allocated means that anyone following the Standard should always have a named individual responsible for each critical area," he said. "Chief Executives of organisations following the Standard will know where the buck stops."
Malcolm warned, though, that Government departments will have to map the language and approach of the British Standard with the approach recently published in the Data handling in Government review. "That will be a particular challenge," he said.
The Data Handling Procedures in Government report was published last June after a number of highly-publicised security lapses in which personal data was lost by Government departments. Its recommendations included the need for accountability for secure data.
"All in all, the British Standard sets out a sound set of processes for maintaining and improving compliance," said Malcolm. "But the Standard is very much a framework. The challenge for organisations is to translate that framework into effective day to day compliance."
BS 10012, Data protection – Specification for a personal information management system can be purchased and downloaded from BSI. It costs £50 for BSI members, £100 for non-members.