(a) take appropriate security and organisational measures for the
prevention of unauthorised access to, alteration of, disclosure of,
accidental loss, and destruction of the data in his control; and
(b) ensure that the measures provide a level of security appropriate to –
(i) the harm that might result from the unauthorised
access to, alteration of, disclosure of, destruction of the
data and its accidental loss; and
(ii) the nature of the data concerned.
(2) A data controller or a data processor shall take all reasonable
steps to ensure that any person employed by him is aware of and
complies with the relevant security measures.
(3) Where a data controller is using the services of a data processor,
he shall choose a data processor providing sufficient guarantees in
respect of security and organisational measures for the purposes of
complying with subsection (1).
(4) Where the data controller is using the services of a data processor
under subsection (3) the data controller and the data processor shall
enter into a written contract which shall provide that
(a) the data processor shall act only on instructions received from the
data controller; and
(b) the data processor shall be bound by obligations devolving on the
data controller under subsection (1).
(5) Without prejudice to subsection (1), in determining the appropriate
security measures, in particular, where the processing involves the
transmission of data over an information and communication network, a
data controller shall have regard to –
(a) the state of technological development available;
