
    09-30175848-DC.pdf

Draft for Public Comment

Date: 2 January 2009
Origin: National
Latest date for receipt of comments: 31 MARCH 2009
Project no.: 2008/00043
Responsible committee: IDT/1, Document management applications
Interested committees: IDT/1/-/4, Data protection
Title: Draft BS 10012 Specification for the management of personal information in compliance with the Data Protection Act 1998
Supersession information: If this document is published as a standard, the UK implementation of it will supersede NONE and partially supersede NONE. If you are aware of a current national standard which may be affected, please notify the secretary (contact details below).

WARNING: THIS IS A DRAFT AND MUST NOT BE REGARDED OR USED AS A BRITISH STANDARD. THIS DRAFT IS NOT CURRENT BEYOND 31 MARCH 2009.

This draft is issued to allow comments from interested parties; all comments will be given consideration prior to publication. No acknowledgement will normally be sent. See overleaf for information on commenting.

No copying is allowed, in any form, without prior written permission from BSI except as permitted under the Copyright, Designs and Patents Act 1988 or for circulation within a nominating organization for briefing purposes. Electronic circulation is limited to dissemination by e-mail within such an organization by committee members.

Further copies of this draft may be purchased from BSI Customer Services, Tel: +44(0) 20 8996 9001 or email cservices@bsigroup.com. British, International and foreign standards are also available from BSI Customer Services. Information on the co-operating organizations represented on the committees referenced above may be obtained from the responsible committee secretary.

Cross-references
The British Standards which implement International or European publications referred to in this draft may be found via the British Standards Online Service on the BSI web site http://www.bsigroup.com.

Responsible Committee Secretary: Mr K Laverty (BSI)
Direct tel: 020 8996 7492
E-mail: kevin.laverty@bsigroup.com

Head Office: 389 Chiswick High Road, London W4 4AL
Telephone: +44(0)20 8996 9000
Fax: +44(0)20 8996 7001
Form 36 Version 8.0
DPC: 09/30175848 DC

Licensed Copy: London South Bank University, South Bank University, 02/02/2009 05:23, Uncontrolled Copy, (c) BSI

Introduction
Your comments on this draft are invited and will assist in the preparation of the resulting British Standard. If no comments are received to the contrary, this draft may be implemented unchanged as a British Standard. Please note that this is a draft and not a typeset document. Editorial comments are welcomed, but you are advised not to comment on detailed matters of typography and layout.

Submission of comments
The guidance given below is intended to ensure that all comments receive efficient and appropriate attention by the responsible BSI committee.

This draft British Standard is available for review and comment online via the BSI British Standards Draft Review system at http://drafts.bsigroup.com. Registration is free and takes less than a minute. Once you have registered on the Draft Review system you will be able to review all current draft British Standards of national origin and submit comments on them. You will also be able to see comments made on current draft standards by other interested parties.

When submitting comments on a draft you will be asked to provide both a comment (i.e. justification for change) and a proposed change. All comments will be checked by a moderator before they are made public on the site. This is to ensure that improper language or marketing is not placed on the site; the technical content of your comment will not be judged or modified; similarly, your grammar or spelling will not be corrected.

A link to the BSI British Standards Draft Review system, or to a specific draft hosted on the system, may be distributed to other interested parties so that they may register and submit comments. It is not necessary to purchase a copy of the draft in order to review or comment on it; however, additional copies of this draft may be purchased from BSI, Tel: +44(0) 20 8996 9001 or email: cservices@bsigroup.com. Drafts and standards are also available in PDF format for immediate download from the BSI Shop http://www.bsigroup.com/Shop.

Specification for the management of personal information in compliance with the Data Protection Act 1998

Contents
Introduction 4
1 Scope 6
2 Terms and definitions 6
3 Planning for a personal information management system (PIMS) 7
4 Implementing the PIMS 9
5 Monitoring and reviewing the PIMS 20
6 Improving the PIMS 22
Annexes
Annex A (informative) The Plan-Do-Check-Act (PDCA) cycle 24
Bibliography 25
List of figures
Figure A.1 PDCA cycle applied to the management of personal information 24

Foreword

Publishing information
This British Standard is published by BSI and came into effect on XX Month 200X. It was prepared by Subcommittee IDT/1/-/4, Data protection, under the authority of Technical Committee IDT/1, Document management applications. A list of organizations represented on this committee can be obtained on request to its secretary.

Presentational conventions
The provisions of this standard are presented in roman (i.e. upright) type. Requirements are expressed in sentences in which the principal auxiliary verb is "shall". Where optional recommendations are included, they are expressed in sentences in which the principal auxiliary verb is "should". Commentary, explanation and general informative material is presented in smaller italic type, and does not constitute a normative element.

Contractual and legal considerations
This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with a British Standard cannot confer immunity from legal obligations.

Introduction

Personal information management system
The objective of this British Standard is to enable organizations to put in place a personal information management system (PIMS) which provides an infrastructure for maintaining and improving compliance with, amongst other things, the requirements of the Data Protection Act 1998 (DPA). The DPA implements a European Directive (95/46/EC) and applies to "personal data", which is defined in the DPA as information relating to living individuals. This British Standard uses the term "personal information" in place of the term "personal data".

The DPA is regulated and enforced by the Information Commissioner, who is responsible for promoting the protection of personal information. The Information Commissioner promotes good practice by the issue of guidance materials, rules on eligible complaints, provides information to individuals and organizations and takes appropriate action when the law is broken. The Information Commissioner has powers to investigate complaints, make assessments as to whether processing is compliant with the DPA and to issue information notices, enforcement notices and "stop now" orders.

Data protection principles
The DPA requires businesses and individuals who are "data controllers" to comply with eight data protection principles, which state that personal information has to be [1]:
1st principle: fairly and lawfully processed;
2nd principle: processed for compatible and specified purposes;
3rd principle: adequate, relevant and not excessive;
4th principle: accurate and up-to-date;
5th principle: not kept for longer than is necessary;
6th principle: processed in line with the rights afforded to individuals under the legislation, including the right of subject access;
7th principle: kept secure;
8th principle: not transferred to countries outside the European Economic Area (EEA) [2] without adequate protection.

A number of exemptions from these data protection principles are permitted by the DPA. The majority of these exemptions fall into the following categories:
exemptions from the non-disclosure principles;
exemptions from the subject information provisions;
exemptions relating to processing for historical and/or research purposes;
miscellaneous exemptions.
Reference should be made to the DPA, to guidance from the Information Commissioner and to other guidance for further details.

[1] The text given here is a summary of Schedule 1 of the Data Protection Act 1998. For the full text, see the DPA.
[2] The European Economic Area (at the time of publication of this British Standard) consists of the 25 Member States of the European Union plus Norway, Iceland and Liechtenstein.

Notification
The DPA also requires organizations to notify the Information Commissioner of their processing to ensure openness, unless an exemption to notification is applicable.

1 Scope
This British Standard specifies requirements for a personal information management system (PIMS), which provides an infrastructure for, among other things, maintaining and improving compliance with the Data Protection Act 1998.

This British Standard is for use by organizations of any size, in both the public and private sectors. It is intended to be used by those responsible for initiating, implementing and maintaining a PIMS within an organization. It is intended to provide a common ground for the management of personal information, for providing confidence in its management, and for enabling an effective assessment of compliance with, amongst other things, the DPA by both internal and external assessors.

NOTE Users of this British Standard should be aware that other legislation (such as the Freedom of Information Act 2000) can have an effect on decisions taken in relation to the processing of personal information. Such legislation is not covered by this British Standard, but needs to be taken into account when processing personal information.

2 Terms and definitions
For the purposes of this British Standard the following terms and definitions apply.

2.1 personal information management system (PIMS)
part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves the management of personal information

2.2 nonconformity
non-fulfilment of a requirement
BS EN ISO 9000:2005, 3.6.3; BS EN ISO 14001:2004, 3.15

2.3 organization
legal person or group of persons that is identified by a particular name and that acts, or can act, as an entity
NOTE This definition excludes any person or group of persons operating solely for domestic purposes. In this document, "organization" means the data controller of the personal information.

2.4 personal information
personal data relating to a living individual
NOTE The definition of personal data can be found in the DPA, section 1(1), along with qualifiers related to the identification of the individual. The DPA definition was modified by the Freedom of Information Act 2000, section 68(1). Sensitive personal data is also defined in section 2 of the DPA and is a sub-category of personal data; it includes personal information relating to an individual's ethnic origin; physical or mental health or well-being; sexual life; religious or similar philosophical beliefs; political opinions; trade union membership; or criminal record or involvement in (or alleged involvement in) criminal proceedings against the individual. The Information Commissioner's Office (the ICO) has issued guidance entitled "Determining what is personal data", which is available from www.ico.gov.uk.

2.5 procedure
documented set of actions which is the official or accepted way of doing something

2.6 process
series of actions taken in order to achieve a result

2.7 processing
obtaining, recording or holding personal information or carrying out any operation or set of operations on personal information
NOTE This includes collecting, organizing, adapting, altering, disclosing, disseminating, aligning, combining, blocking, erasing and destroying personal information.

2.8 workers
individuals working under the control of an organization
NOTE This includes employees, temporary staff, contractors, volunteers and consultants.

2.9 audit
systematic examination to determine whether activities and related results conform to planned arrangements and whether these arrangements are implemented effectively and are suitable for achieving the organization's policy and objectives
BS EN ISO 9000:2005
NOTE An audit may be conducted internally by, or on behalf of, the organization itself for management review and other internal purposes.

3 Planning for a personal information management system (PIMS)
Objective: To plan for the implementation of a personal information management system that will provide direction and support for compliance with, amongst other things, the Data Protection Act 1998.

3.1 Establishing and managing the PIMS
The organization shall develop, implement, maintain and continually improve a documented PIMS in accordance with 3.2 to 3.7.

3.2 Scope and objectives of the PIMS
The organization shall define the scope of the PIMS and set personal information management objectives, with due regard to the:
a) requirements for the management of personal information;
b) organizational objectives and obligations;
c) organization's acceptable level of risk;
