People often use the term data protection interchangeably with information security, however, both of them are not the same.
Information security and data protection were both established by different Acts. The Data Protection Act (DPA) which established data protection rules to a large extent also included information security in the lists of its 8 principles of data protection.
The principles of data protection
- Personal data shall be processed fairly and within the law.
- Personal data can only be held for specific and lawful purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data shall not be kept for longer than is necessary.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organizational security measures shall be taken against unauthorized access to data.
- Personal data must not be transferred to a country outside the European Union unless that country or territory has similar legislation to the Data Protection Act that protects data.
Information security (InfoSec) is also called cybersecurity. It is the technical procedures and operations measures that is undertaken or should be undertaken by an organization to ensure the security and safety of every information they collect, maintain and transmit. Information security deals with every aspect of an organization such as an organization’s products, people and processes. Information security deals with the use and storage of information as well as the sharing of information. It also covers what happens when an organization’s information is stolen or lost. Information security takes care of such organizational practices as the use of passwords and the changing of the password periodically to the transmission of information or the sharing of information between two different organizational levels.