The Data Protection Act imposes a legal obligation to keep personal data secure...
But there's very little guidance on how secure.
Partly, that's a good idea: detailed guidance would go out of date very quickly, and this law dates from 1998. So phrases like 'appropriate to the sensitivity of the data' and 'best practice' and 'reasonable precautions' are necessary.
But I think it's time to start grading the data:
● 'Private' - identifying data, names and addresses.
● 'Confidential' - personal conversations and correspondence, purchasing habits, etc.
● 'Under legal privilege'
● 'Places individual at risk of violence'
● 'Places individual at an increased risk of fraud'
● 'Would immediately allow transfers of funds and assets'
● 'Medical information'
● 'Child Protection'
I'm sure that you could think of others: but you wouldn't want to flag up any individual as having information of interest to blackmailers - say, a juvenile arrest for prostitution and subsequent referral to social services - as that 'flag' would be a magnet for criminals and journalists. And, in these times, for officials of the state.
What would the flags do? Well, we'd need general security standards; starting with a minimum standard for private data specifying 'Encrypted data store', 'No passwords ever stored or sent in clear text' and 'Secure sessions'.
Any information at a higher level than 'private' would need a security review of the host system every two years; and the ICO might consider issuing security alerts for high-profile exploits that require confirmation from the registered owner - 'yes, we've patched that' - within ten working days.
The most sensitive data stores would need a yearly audit, to published standards, and a record of patches - with pen-test results - for all security alerts and vulns listed by, er... let me think... some public body that doesn't yet exist. There's probably a group within the Home Office that does this internally for the Civil Service - like the sysadmins at every bank - but I'm not aware that there is a state-sponsored *public* service, in any country.
That's a gap in the law, and an obvious case for the statutory provision of a service, rather than everyone relying on purchasing a service from competing private enterprises.
...There is, of course, a gap between what *should* happen, and what actually does.
The legal framework? This would probably be enacted as 'enabling legislation', in which regulations are 'Laid before Parliament' by the minister - in practice, it's handled by a regulatory agency that maintains and updates a book of regulations having statutory force. Look up the HSE and the Control of Substances Hazardous to Health regulations as the best example of this process.
The Information Commissioner's Office *may* actually have the power to do this already - I'd be grateful if someone here is legally qualified to offer an opinion on that.
Useful Link: The Information Commissioner's Office:
http://ico.org.uk/for_organisations/data_protection
That's the statutory body enforcing the Data Protection Act.