Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of Personal Data, and against accidental loss, destruction, or damage to Personal Data.
The Council will maintain procedures and provide training designed to ensure this principle is upheld throughout the organisation.
When deciding that security measures are “appropriate”, the Council must take account of:
(a) The state of technological development and the cost of implementing any measures, the need to ensure a level of security appropriate to the harm that may result from a breach of security and the type of data that is being protected;
(b) The reliability of staff having access to Personal Data;
(c) Where processing is carried out by an external Data Processor on behalf of the Council, the Council must:
Choose a data processor providing sufficient guarantees of the security measures they take;
Take reasonable steps to ensure compliance with these measures; and
Ensure that the processing by the external Data Processor is carried out under a written contract which requires the Data Processor to act only on the instructions of the Council and to comply with obligations equivalent to those imposed on the Council by this principle.
