The Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014

Status:

This is the original version (as it was originally made).

Security of processing

This section has no associated Explanatory Memorandum

47.—(1) A UK competent authority must implement appropriate technical and organisational measures to protect personal data against—

(a) accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves transmission of that data over a network or making it available by granting direct automated access; and

(b) all other unlawful forms of processing.

(2) In doing so, that authority must take into account, in particular, the risks represented by the processing and the nature of the data to be protected.

(3) Such measures must ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation.

(4) A UK competent authority must in respect of automated data processing adopt measures, policies and practices designed to—

(a) deny unauthorised persons access to data-processing equipment used for processing personal data (equipment access control);

(b) prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(c) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);

(d) prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);

(e) ensure that persons authorised to use an automated data-processing system only have access to the data covered by their access authorisation (data access control);

(f) ensure that it is possible to verify and establish the bodies to which personal data have been or may be transmitted or made available using data communication equipment (communication control);

(g) ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data were input (input control);

(h) prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media (transport control);

(i) ensure that installed systems may, in case of interruption, be restored (recovery);

(j) ensure that the functions of the system perform, that the appearance of faults in the functions is reported (reliability) and that stored data cannot be corrupted by means of a malfunctioning of the system (integrity).

(5) Where a UK competent authority wishes to designate a data processor to carry out processing on its behalf, the authority—

(a) may do so only if the processor guarantees that it will—

(i) observe the requisite technical and organisational measures required by virtue of paragraph (1); and

(ii) comply with instructions given by that competent authority; and

(b) must monitor the processor in those respects.

(6) Personal data may be processed by a processor only on the basis of a legal act or a written contract.
