Data security under British data protection law

The seventh principle in Schedule 1 of the UK Data Protection Act (DPA) 1998 (ENG)  concerns data security and requires suitable technical and organisational measures to be taken so that personal data is protected from unauthorised access and against any other form of illegal processing of personal data.

The security measures must guarantee, in consideration

  • of all available technical options and
  • the costs that would arise due to the implementation,

a level of protection, which is appropriate to the risks posed by processing and the nature of the data to be protected.

Furthermore, the data collector must take appropriate steps to guarantee the trustworthiness of employees that have access to personal data.

In the event of a data processor carrying out the processing, the data collector must guarantee that the data processor is able to implement the necessary security measures and that the data processor in turn carries out these security measures. Furthermore, contractual procedures should be established for the contractor to take appropriate technical and organizational security measures to protect personal data from data breaches.

Reporting infringements of personal data protection

Under UK Data Protection Law, there is no legal obligation by which the data collector has an obligation to inform the data subject if there are infringements of personal data protection.


The UK Information Commissioner’s Office (ICO), has published several guides on the subject of data security:

Furthermore, additional information and instructions can be found on the ICO website: