A consumer’s guide to protecting personal information 01
www.bsigroup.com/ConsumerStandards


A consumer’s guide to protecting
personal information
British Standard BS 10012:2009 Data protection – specification for
a personal information management system


Every time you use your supermarket reward card, contact your bank, use NHS services or buy
something online, organisations collect and store certain information about you – this might
be your name, address, date of birth, medical history, bank details, credit card number or even
your shopping habits.
Used correctly this information can make your life easier. But, if it is used incorrectly, or falls into the wrong hands, you could become a victim of identity theft or fraud. This is where criminals use your personal information to get credit cards, open bank accounts, claim benefits, and even get new passports in your name. This could cost you dearly and take a lot of time and effort to sort out. According to the Home Office, identity theft costs UK consumers around £1.2 billion each year.¹

You can protect your personal data by keeping information in a safe place and being careful who you give your details to. But how can you be sure that organisations, such as councils, GPs, hospitals, banks, insurers, online stores and supermarkets are using your personal information correctly and keeping it safe?

The law

The Data Protection Act 1998 is there to make sure that organisations collect only relevant and accurate information, store it safely and use it correctly. The Act also gives you the right to find out what information an organisation holds about you on paper and on computer records.

But the Act doesn’t guarantee the safe-keeping of your personal data. A 2009 survey conducted by the British Standards Institution found that 1 in 5 businesses admitted to unwittingly breaching the Data Protection Act. Of these, nearly half said they had breached the Act more than once and an additional 18% said they were not sure whether they had or not.

The Data Protection Act sets out eight principles that organisations must adhere to, but it doesn’t give them any guidance on what to do or how to manage personal information effectively and lawfully. So, even organisations that want to comply with the Act can find it confusing and difficult.

British Standard BS 10012 helps to fill that gap. It has been specifically written to help organisations meet the requirements of the Data Protection Act and gives companies step by step guidance on how to manage the information they hold about their customers.

BS 10012 – The basics

The British Standard for data protection was first published in June 2009. It is the first standard of its kind in the area of data protection. The standard can be used by organisations of any size, and in any sector. It provides a clear framework for UK organisations that want to comply with data protection law, helping them to create a tailored management system for personal data.

The standard gives detailed guidance in areas such as training and awareness, risk assessment, data sharing, retention and disposal of data and disclosure to third parties. However, the standard is voluntary so organisations do not have to sign up to it.

¹ Survey by The Identity Fraud Steering Committee (IFSC) published October 2008

What are British Standards?

The British Standards Institution (BSI) has been developing standards for over 100 years to make products and services safer for consumers. Standards set out good practice and guidelines for organisations to follow. It’s not compulsory for organisations to sign up to a standard, so you can feel confident that those that choose to comply with British Standards take safety and customer service seriously.




BS 10012 – What should you expect?

A clear policy
• A senior management team should be responsible for creating and maintaining a data protection policy that sets a clear framework for good practice and for complying with the law.
• The policy should follow the 15 commitments set out in the standard.

Clear responsibility
• A member of senior management should be accountable for the management of personal information within the organisation.
• One or more people should be responsible for making sure that the company complies with the policy on a day-to-day basis and that the Personal Information Management System (PIMS) is updated when changes happen within the company.
• The organisation should be able to demonstrate its competence in understanding data protection legislation and good practice.
• Adequate resources should be allocated to the PIMS.

Education and training
• The details and importance of the data protection policy should be clearly communicated to all members of staff that handle data.
• Relevant staff should be made aware of the PIMS and receive ongoing training.

Use of personal information
• Information collected should be relevant and not excessive to needs.
• Information should be accurate and kept up to date.
• Information should not be kept any longer than necessary and should be disposed of safely.
• To identify any potential problems, organisations should make an inventory of the types of data they collect and how it is used.
• Organisations should have procedures in place to ensure that personal information is used fairly and lawfully.
• All customers providing information to the organisation should be given a ‘privacy notice’ or online privacy statement before they hand over any details, clearly telling them how their personal information will be used.
• Information should only be used for the purposes specified – if companies want to use it for something else they should let you know beforehand.
• Information can only be passed to third parties if customers agree. Third parties can only use personal information for reasons specified to the customer.
• Organisations must make sure that personal information is protected against loss, damage or theft by using appropriate security measures.
• Access to personal information should be restricted to those members of staff that actually need it.
• All staff handling data should know what to do if security is breached in any way.
• All consumers should be sent copies of their personal data held by the organisation, on request.

Regular checks
• Audits should be carried out at planned intervals to make sure that the PIMS is operating in accordance with policy and procedures.
• Any problems should be flagged up to management so that they can be resolved as quickly as possible.
• There should be regular management reviews to make sure that the system remains effective and is updated when needed.

Complaints
• The organisation should create a complaints and appeals procedure to make it easy for customers that have complaints about the processing of their personal information.



USEFUL INFORMATION

British Standards Institution (BSI) 020 8996 9001 www.bsigroup.com
Information Commissioner’s Office (ICO) 0303 123 1113 (helpline) 9am to 5pm, Monday to Friday www.ico.gov.uk
CIFAS (UK Fraud Prevention Service) www.cifas.org.uk
www.identitytheft.org.uk
www.actionfraud.org.uk




Checklist

✓ At home, keep your personal information safe.
✓ Think carefully before supplying your personal information to any organisation.
✓ Does the organisation you’re dealing with use BS 10012? If you’re not sure, then ask.
✓ When asked for personal information you should receive a clear statement of what the organisation is collecting it for and be asked to agree to it.
✓ If you have concerns, ask for a copy of the personal information that the organisation holds about you.




Frequently asked questions

Q. Do all organisations have to follow BS 10012?
A. No, the standard is voluntary and it is up to individual organisations to sign up to the standard if they choose. Those that do should follow the guidelines it lays out. In the event of a major data breach, the Information Commissioner’s Office will look for evidence that compliance with data protection legislation was being taken seriously, and application of BS 10012 could be considered an example of this.

Q. Who do I complain to if I think that my personal information has not been handled according to the eight principles of the Data Protection Act?
A. Contact the Information Commissioner’s Office for help. Complaints are usually dealt with informally but, if this isn’t possible, enforcement action can be taken.




BSI Group Headquarters
389 Chiswick High Road London W4 4AL UK
Tel +44 (0)20 8996 9001
Fax +44 (0)20 8996 7001
www.bsigroup.com
© BSI copyright




raising standards worldwide™

BSI Data Protection Brochure - accessible version - A consumer’s guide to protecting personal information

  • 1. A consumer’s guide to protecting personal information 01 www.bsigroup.com/ConsumerStandards A consumer’s guide to protecting personal information British Standard BS 10012:2009 Data protection – specification for a personal information management system Every time you use your supermarket reward card, contact your bank, use NHS services or buy something online, organisations collect and store certain information about you – this might be your name, address, date of birth, medical history, bank details, credit card number or even your shopping habits. Used correctly this information can make your life easier. But, if it is the Act more than once and an additional 18% said they were not used incorrectly, or falls into the wrong hands, you could become a sure whether they had or not. victim of identity theft or fraud. This is where criminals use your The Data Protection Act sets out eight principles that organisations personal information to get credit cards, open bank accounts, claim must adhere to, but it doesn’t give them any guidance on what to benefits, and even get new passports in your name. This could cost do or how to manage personal information effectively and lawfully. you dearly and take a lot of time and effort to sort out. According So, even organisations that want to comply with the Act can find it to the Home Office, identity theft costs UK consumers around confusing and difficult. £1.2 billion each year.¹ British Standard BS 10012 helps to fill that gap. It has been specifically You can protect your personal data by keeping information in a safe written to help organisations meet the requirements of the Data place and being careful who you give your details to. But how can you Protection Act and gives companies step by step guidance on how be sure that organisations, such as councils, GPs, hospitals, banks, to manage the information they hold about their customers. 
insurers, online stores and supermarkets are using your personal information correctly and keeping it safe? BS 10012 – The basics The law The British Standard for data protection was first published in June 2009. It is the first standard of its kind in the area of data The Data Protection Act 1998 is there to make sure that protection. The standard can be used by organisations of any size, organisations collect only relevant and accurate information, store and in any sector. It provides a clear framework for UK organisations it safely and use it correctly. The Act also gives you the right to find that want to comply with data protection law, helping them to create out what information an organisation holds about you on paper a tailored management system for personal data. and on computer records. But the Act doesn’t guarantee the safe-keeping of your personal The standard gives detailed guidance in areas such as training and data. A 2009 survey conducted by the British Standards Institution awareness, risk assessment, data sharing, retention and disposal of found that 1 in 5 businesses admitted to unwittingly breaching the data and disclosure to third parties. However, the standard is Data Protection Act. Of these, nearly half said they had breached voluntary so organisations do not have to sign up to it. ¹ Survey by The Identity Fraud Steering Committee (IFSC) published October 2008 What are British Standards? The British Standards Institution (BSI) has been developing standards for over 100 years to make products and services safer for consumers. Standards set out good practice and guidelines for organisations to follow. It’s not compulsory for organisations to sign up to a standard, so you can feel confident that those that choose to comply with British Standards take safety and customer service seriously.
BS 10012 – What should you expect?

A clear policy

• A senior management team should be responsible for creating and maintaining a data protection policy that sets a clear framework for good practice and for complying with the law.
• The policy should follow the 15 commitments set out in the standard.

Clear responsibility

• A member of senior management should be accountable for the management of personal information within the organisation.
• One or more people should be responsible for making sure that the company complies with the policy on a day-to-day basis and that the Personal Information Management System (PIMS) is updated when changes happen within the company.
• The organisation should be able to demonstrate its competence in understanding data protection legislation and good practice.
• Adequate resources should be allocated to the PIMS.

Education and training

• The details and importance of the data protection policy should be clearly communicated to all members of staff who handle data.
• Relevant staff should be made aware of the PIMS and receive ongoing training.

Use of personal information

• Information collected should be relevant and not excessive to needs.
• Information should be accurate and kept up to date.
• Information should not be kept any longer than necessary and should be disposed of safely.
• To identify any potential problems, organisations should make an inventory of the types of data they collect and how it is used.
• Organisations should have procedures in place to ensure that personal information is used fairly and lawfully.
• All customers providing information to the organisation should be given a ‘privacy notice’ or online privacy statement before they hand over any details, clearly telling them how their personal information will be used.
• Information should only be used for the purposes specified – if companies want to use it for something else, they should let you know beforehand.
• Information can only be passed to third parties if customers agree. Third parties can only use personal information for the reasons specified to the customer.
• Organisations must make sure that personal information is protected against loss, damage or theft by using appropriate security measures.
• Access to personal information should be restricted to those members of staff who actually need it.
• All staff handling data should know what to do if security is breached in any way.
• All consumers should be sent copies of the personal data held about them by the organisation, on request.

Regular checks

• Audits should be carried out at planned intervals to make sure that the PIMS is operating in accordance with policy and procedures.
• Any problems should be flagged up to management so that they can be resolved as quickly as possible.
• There should be regular management reviews to make sure that the system remains effective and is updated when needed.

Complaints

• The organisation should create a complaints and appeals procedure to make it easy for customers who have complaints about the processing of their personal information.

USEFUL INFORMATION

British Standards Institution (BSI)
020 8996 9001
www.bsigroup.com

Information Commissioner’s Office (ICO)
0303 123 1113 (helpline) 9am to 5pm, Monday to Friday
www.ico.gov.uk

CIFAS (UK Fraud Prevention Service)
www.cifas.org.uk

www.identitytheft.org.uk
www.actionfraud.org.uk
Checklist

✓ At home, keep your personal information safe.
✓ Think carefully before supplying your personal information to any organisation.
✓ Does the organisation you’re dealing with use BS 10012? If you’re not sure, then ask.
✓ When asked for personal information, you should receive a clear statement of what the organisation is collecting it for and be asked to agree to it.
✓ If you have concerns, ask for a copy of the personal information that the organisation holds about you.

Frequently asked questions

Q. Do all organisations have to follow BS 10012?
A. No, the standard is voluntary and it is up to individual organisations to sign up to the standard if they choose. Those that do should follow the guidelines it lays out. In the event of a major data breach, the Information Commissioner’s Office will look for evidence that compliance with data protection legislation was being taken seriously, and application of BS 10012 could be considered an example of this.

Q. Who do I complain to if I think that my personal information has not been handled according to the eight principles of the Data Protection Act?
A. Contact the Information Commissioner’s Office for help. Complaints are usually dealt with informally but, if this isn’t possible, enforcement action can be taken.

BSI Group Headquarters
389 Chiswick High Road
London W4 4AL
UK
Tel +44 (0)20 8996 9001
Fax +44 (0)20 8996 7001
www.bsigroup.com

© BSI copyright
raising standards worldwide™