P3 Legal requirements: IT
systems security
As an online software company which deals with money transfer, you will need to follow a number
of legal legislation as you are dealing with highly confidential information in bank account details.
These requirements relate to how the data is used, to how it is stored and must be followed closely
to avoid prosecution from the authorities. Prosecution takes the form of fines and possible
imprisonment, as not following these requirements is breaking the law. The main IT security
legislation is listed below:
Data Protection Act 2018 - General Data Protection Regulation (GDPR)
This legislation replaces the old ‘Data protection act 1998’ and acts to control how businesses,
organisations or governments use your personal data when stored on computer systems or on hard
copies. In your company you must follow the ‘data protection principles’, which can be split into 6
sections:
1. Used fairly, lawfully and transparently - all data that is stored must be used with an honest
reason, within the law and the need to use it must be made clear.
2. Used for specified, explicit purposes - you must state clearly the reason to use any data, and
this reason must be clear.
3. Used in a way that is adequate, relevant and limited to only what is necessary - the data
must be used only to complete what is necessary and nothing more; its use should be
acceptable and appropriate.
4. Accurate and, where necessary, kept up to date - all data which is stored must be updated
when needed to keep all the information accurate. This includes any changes to mobile
numbers or addresses - these must all be kept up-to-date.
5. Kept for no longer than is necessary - all data should only be stored when it is needed, for
example when you are dealing with a client. But when you no longer need this information
on the client it must be destroyed/deleted as it is no longer necessary to have such
information about someone/ or their business.
6. Handled in a way that ensures appropriate security, including protection against unlawful
or unauthorised processing, access, loss, destruction or damage - as a company or
organisation all data must be secure and have suitable protection. It should only be able to
be seen by authorised personnel, whilst not being subject to loss, destruction or damage.
An example of an organisation not following GDPR regulations is
certain NHS trusts across the UK. They could face fines from the
‘Information Commissioner’s Office (ICO) after they had failed to
pay the new data protection fee. As a company, we would need to
abide by these regulations to avoid any financial penalties.
Alongside these principles, people have rights to find out what
sort of information the organisation or business stores about
them. As an online software company, you will have to disclose
any information you store about anyone (if they wish to be
Unit 7: IT Systems Security and Encryption
systems security
As an online software company which deals with money transfer, you will need to follow a number
of legal legislation as you are dealing with highly confidential information in bank account details.
These requirements relate to how the data is used, to how it is stored and must be followed closely
to avoid prosecution from the authorities. Prosecution takes the form of fines and possible
imprisonment, as not following these requirements is breaking the law. The main IT security
legislation is listed below:
Data Protection Act 2018 - General Data Protection Regulation (GDPR)
This legislation replaces the old ‘Data protection act 1998’ and acts to control how businesses,
organisations or governments use your personal data when stored on computer systems or on hard
copies. In your company you must follow the ‘data protection principles’, which can be split into 6
sections:
1. Used fairly, lawfully and transparently - all data that is stored must be used with an honest
reason, within the law and the need to use it must be made clear.
2. Used for specified, explicit purposes - you must state clearly the reason to use any data, and
this reason must be clear.
3. Used in a way that is adequate, relevant and limited to only what is necessary - the data
must be used only to complete what is necessary and nothing more; its use should be
acceptable and appropriate.
4. Accurate and, where necessary, kept up to date - all data which is stored must be updated
when needed to keep all the information accurate. This includes any changes to mobile
numbers or addresses - these must all be kept up-to-date.
5. Kept for no longer than is necessary - all data should only be stored when it is needed, for
example when you are dealing with a client. But when you no longer need this information
on the client it must be destroyed/deleted as it is no longer necessary to have such
information about someone/ or their business.
6. Handled in a way that ensures appropriate security, including protection against unlawful
or unauthorised processing, access, loss, destruction or damage - as a company or
organisation all data must be secure and have suitable protection. It should only be able to
be seen by authorised personnel, whilst not being subject to loss, destruction or damage.
An example of an organisation not following GDPR regulations is
certain NHS trusts across the UK. They could face fines from the
‘Information Commissioner’s Office (ICO) after they had failed to
pay the new data protection fee. As a company, we would need to
abide by these regulations to avoid any financial penalties.
Alongside these principles, people have rights to find out what
sort of information the organisation or business stores about
them. As an online software company, you will have to disclose
any information you store about anyone (if they wish to be
Unit 7: IT Systems Security and Encryption
