Data Protection Act 2018

Security of automated processing

77. A controller or processor, prior to carrying out automated processing, shall—

(a) evaluate the risks to the rights and freedoms of individuals arising from the processing concerned, and

(b) implement measures designed to—

(i) deny access to the processing equipment used for the processing to any person other than the persons authorised in that regard by the controller or processor, as the case may be,

(ii) prevent the reading, copying, modification or removal of the data media concerned, other than in so far as is authorised by the controller or processor, as the case may be,

(iii) prevent the input of personal data other than in so far as is authorised by the controller or processor, as the case may be,

(iv) prevent the inspection, modification or deletion of the data other than in so far as is authorised by the controller or processor, as the case may be,

(v) prevent the use of the automated processing system by persons using data communication equipment who are not authorised to do so by the controller or processor, as the case may be,

(vi) ensure that where a person is authorised to use the automated processing system concerned, he or she has access to personal data on the system only in so far as he or she is so authorised by the controller or processor, as the case may be,

(vii) ensure that it is possible to verify or establish the persons to whom personal data have been or may be transmitted or made available using data communication equipment,

(viii) ensure that it is possible to verify or establish which personal data have been input into an automated processing system, and in relation to such data, to verify and establish the person who input the data and when the data were input,

(ix) prevent the reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media, other than in so far as is authorised by the controller or processor, as the case may be,

(x) ensure that an installed automated system may be restored in the event of an interruption in the service of the system,

(xi) ensure that the automated processing system properly performs its function and the appearance of a fault in the automated processing system is reported to the controller or processor, as the case may be, and

(xii) ensure that personal data that are stored on the automated processing system cannot be corrupted by means of a malfunctioning of the system.