Information security—passwords

The following Risk & Compliance guidance note provides comprehensive and up to date legal information covering:

  • Information security—passwords
  • Introduction to passwords
  • Regulatory requirements
  • When and how to use passwords
  • Risks and technical considerations
  • Your obligations in a data breach
  • Failure to comply

Passwords are a widely available method of protecting access to personal data and the systems used to process it. They are relatively affordable and simple to implement, so they are recommended by the Information Commissioner’s Office (ICO) as a means of protecting personal data.

Organisations could be subject to regulatory action where appropriate data protection measures have not been implemented. Many data breach incidents investigated by the ICO, where personal data was stolen, lost or accessed without appropriate authorisation, would have been less severe if the data had been adequately protected.

This Practice Note reflects the ICO’s detailed Guidance on passwords to help organisations understand their options and responsibilities, as well as the General Data Protection Regulation (GDPR).

Introduction to passwords

One of the biggest issues when handling personal data and other information is making sure that access to it is available to those who need it, while preventing access by unauthorised individuals. This means you need to authenticate and authorise the individual who is attempting to access it. This is commonly done by checking for something an individual:

  1. has, eg a tangible device such as a smart card

  2. is, eg biometric measures such as retina scans or fingerprints

  3. knows, ie a password

Passwords are the most common, as they are the easiest to put into place and familiar to most users, whether employees or