A data controller, data collector or data processor is required under section 20 of the Data Protection and Privacy Act to secure the integrity of personal data in its control or possession by adopting appropriate measures to prevent loss, unauthorised destruction, unauthorised processing of or unlawful access to personal data. This includes observation of generally accepted information security practices and procedures, and specific industry or professional rules and regulations.

The data controller is specifically required to use measures that:

• identify reasonable risks to personal data in its possession or control;
• establish and maintain appropriate precautions against the risks identified;
• regularly verify the effective implementation of the precautions; and
• ensure that the safeguards are continually updated.

In instances where personal data is processed by a third party, the entity must ensure that the data processor applies the security safeguards provided under the Act. The Act specifically requires that the contract between a data controller and processor relating to the processing of personal data oblige the data processor to maintain the confidentiality and security measures necessary to protect the integrity of the personal data.