BS10012:2009 Data Protection - Specification for a personal information management system

Reviewed by Peter Wheatcroft CEng FIET FBCS CITP FCMI

3 out of 10

The Data Protection Standard

Whilst the Data Protection Act (DPA) 1998 sets out rules to be followed whenever personal data is processed outside the home, there has until now been no standard against which organisations can formally demonstrate compliance with the Act. BS10012:2009 addresses that gap, in part, by documenting a specification for a management system for the handling of personal data.

The standard came into effect in May 2009 and is designed to help organisations maintain and improve their DPA compliance.

What BS10012 does is specify requirements for a personal information management system (PIMS), which essentially provides a framework for ensuring that every requirement of the Act is covered. The worry about something of this nature, which is akin to the ISMS (Information Security Management System) required to achieve ISO 27001 compliance, is that it comes across as a separate entity needing a governance structure of its own, distinct from everything else.

The reality of corporate governance is that senior executives can only be effectively responsible for a small number of statutory accountabilities, and I feel that the PIMS should be seen as part of an overall ISMS rather than as a discrete new system.

It may, however, come to be seen as a growing requirement in light of the additional powers recently granted to the Information Commissioner, and compliance with it could offer some defence in sensitive situations.

For organisations that need a formal approach to DPA compliance, especially given the recent increase in the Information Commissioner's powers and the Cabinet Office mandates issued to government departments, the standard may be of some use.

However, if budgets are tight and no formal approach to DPA compliance is mandatory, it might be worth investing instead in the companion publication (BIP 0002) together with the Data Protection Pocket Guide at £30 (both reviewed separately), which offer a cost-effective way of providing management control without the overhead of formal certification to BS10012.

Further information: BSI

December 2009