Ken Regum

On Security of Personal Data

The use of the phrase ‘reasonable and appropriate’ tells us that the law does not require absolute security. In other words, a controller or processor can suffer a security breach without being in violation of the law.

Section 20(c) of the DPA requires a risk-based approach to the assessment of what are or are not appropriate controls. In other words, controllers and processors are required to carry out a risk assessment when making decisions about controls.

Factors to consider:

i. Nature of the personal data;

ii. Risks posed by the processing;

iii. Size of the organization and complexity of its operations;

iv. Current data privacy best practices; and

v. Cost of security implementation.

Take note that access control (i.e., limiting who has access to the data within the organization) is important to reduce ‘insider threat’ or risks posed by employees and other workers. Controllers and processors alike should have robust policies that alert employees to their responsibilities in handling personal data, provide them with role-based and regular training, and make clear the consequences for violating policy dictates.

It is also important to note that the security principle flows down from the controller to the processor to the sub-processors, if there are any, under IRR, Section 44(b)(4).


#law #privacy