Standards Forum

in Vol. 20 - May Issue - Year 2019
Personal Information Management is relevant to everyone
Paul Huyton

If there is a reference to “PIMS”, most people will think of a summer beverage served at events such as the Wimbledon Tennis Championship. But it is also an acronym that is important in all business sectors. Personal Information Management Systems (PIMS) are relatively new management systems, necessary in the information technology era. And there are associated standards which have been compiled to ensure quality and consistency in the management of these systems.
Most of the public will be aware of the need to guard their personal information. Careless leakage of personal information can result in identity theft, financial loss or intrusive, nuisance contact from other persons. But any organisation that holds personal information has legal obligations to manage that information appropriately. This applies to all personal information, whether of customers, employees or suppliers, so all organisations need to assess how the regulations may apply to them.
Business managers, particularly in the European Union, will be familiar with GDPR, the General Data Protection Regulation. This seeks to mandate levels of data protection that will protect individuals and organisations. It is a lengthy regulation framed in legal terms with broad and general references. But in order to apply good data management, a more concise and detailed standard is more useful. BS 10012, Personal Information Management Systems, is such a standard. The active clauses of the standard are briefly as follows.

4. Context of the Organisation.
Defining the context of the organisation will be familiar to users of standards such as ISO 9001 or AS 9100. In this case it will be defining the “interested parties” and scope of the system relevant to personal information.

5. Leadership and worker participation.
The management of the organisation is required to participate in the planning and monitoring of the PIMS. They must ensure that information is gathered and stored legally and these requirements are communicated to staff within the organisation. Managers must monitor the performance of the system and ensure that the required outcomes are achieved.

6. Planning.
Planning is required to achieve the required outcomes and minimise the risks identified in Section 4. This should identify which processes are within the scope of the PIMS, who is responsible for implementation, and who will receive or have access to personal information. It is important to clearly understand who are data controllers and who are data processors, terms which are defined by GDPR.

7. Resources.
Any management system needs to be adequately resourced and new requirements cannot always be absorbed by the existing staff. At the very least, there will be the need to provide training in personal data management and awareness of the regulations. There should be procedures to ensure that the competence of personnel is assessed and that the knowledge generated through training and experience is retained within the organisation.

8. Operations.
A Data Protection Officer (DPO) should be identified, as well as a representative in top management with responsibilities for data protection.
This section lists all the documentary requirements for the PIMS.

9. Performance Evaluation.
Maintaining the principle of Plan-Do-Check-Act, the PIMS must be checked and evaluated for its performance. This then leads to changes that provide continuous improvement in data protection. It will include internal audit of the PIMS.

10. Improvements.
Every management system must look to improve, both to better meet the defined requirements and to keep current with the changing business environment. The PIMS must have the capability for change management, and it would be expected that evidence of such changes would be available to internal or external audit.

This brief description of the standard will give an outline of the approach to be taken in managing personal information. All organisations need to establish their responsibilities under the regulations and many will have to implement a complete Personal Information Management System.

For questions contact paul@mfn.li

Standards Forum
by Paul Huyton,
MFN Course Director World Wide
more information at www.mfn.li/trainers