The seventh data protection principle provides that:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
The level of security required is therefore not a single standard: it will depend on the sensitivity of the data and the harm which could ensue from something going wrong. A useful 2008 report entitled "Data Handling Procedures in Government" (available at http://www.cesg.gov.uk/products_services/iatp/documents/data_handling_review.pdf) indicates steps that should be taken in order to improve data security. In short, institutions should be evaluating how they handle personal data, and should have a method of identifying such data and assessing how it is processed and how secure it is.
The guidance on the BECTA website, referred to below, is aimed at schools and how they are to process personal data; it may also be valuable to colleges that likewise process sensitive data.
Although written for schools, the 2008 BECTA report "Good Practice Guide on Information Handling in Schools – Impact Levels and Labelling" (available at http://www.invictustechnology.co.uk/invictus-resources/doc_download/9-good-practice-in-information-handling-in-schools-impact-levels-and-labelling) will also be useful for colleges and universities. It deals specifically with the issue of the protection of student data and suggests how to reduce the risks when processing sensitive personal data.
It states:
"In order to comply with Data Handling Procedures in Government, every school will need to have in place a policy and a procedure for identifying sensitive or personal data and assessing its impact level."
Both of these documents contain recommendations and are not mandatory. However, they should be used to gauge how personal data, and in particular sensitive personal data, is handled in your institution in comparison with the security standards they contain.