I recently took the opportunity to attend a seminar on the newly released BS10012 standard, which was hosted by URM and BSI.
Basically this standard is a mechanism and process for an organisation to implement so that it has a routine, measurable process for meeting the Data Protection Act (DPA) requirements. There isn’t currently a certification for this standard, but this may change with demand. However, the BS standard does provide the plan, do, check, act framework to help meet obligations and improve the process over time.
I am not a big fan of certification just for the sake of it; instead I believe the standards can be used to form a baseline, as they are essentially documented best practice.
The standard isn’t UK specific, so it can be of value to any organisation struggling to meet its DPA requirements. Apparently 65% of organisations in the UK are not meeting the obligations. I guess at the moment the ICO doesn’t have the resources to go looking, and just has to wait for someone to slip up. They are increasing the costs associated with DPA notification from £35 to £500. This is a serious increase, so perhaps we can expect a more proactive approach to seeking out non-compliance.
The conference had some benefit: it cleared up some DPA obligations for me, and showed how this new standard could fit in with ISO27001. I just thought I would share its existence, as it’s only about 7 weeks old.
So what’s this BS10012 standard all about? It’s basically a standard that specifies the requirements for a personal information management system (PIMS), which provides an infrastructure to maintain and improve compliance with the DPA requirements. It follows the Plan, Do, Check, Act cycle that people will be familiar with if they have worked with other BS, ISO and ITIL standards.
Many organisations in the UK are failing in their DPA obligations, and perhaps this new standard will provide a baseline worth adopting. Obviously it is optional, and it’s early days. I do feel that the ICO is really going to start taking a much deeper look at organisations’ compliance, so if your organisation works best following a predefined baseline structure, BS10012 might be worth considering.

Nice write up Dale,
I’d kept an eye on the standard whilst it was in draft but somehow managed to miss its official release. Looks like I’ve got some light reading to do today playing catch up.