Regulation 4 Security of processing
(1) With respect to network security and, in particular, the requirements of paragraph (2), an undertaking providing a publicly available electronic communications network or service shall take appropriate technical and organisational measures to safeguard the security of its services, if necessary, in conjunction with undertakings upon whose networks such services are transmitted. These measures shall ensure the level of security appropriate to the risk presented having regard to the state of the art and the cost of their implementation.
(2) Without prejudice to the Data Protection Acts, the measures referred to in paragraph (1) shall at least -
(a) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes,
(b) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure, and
(c) ensure the implementation of a security policy with respect to the processing of personal data.
(3) The Commissioner may audit the measures taken by an undertaking providing publicly available electronic communications services and issue recommendations about best practices concerning the level of security which those measures should achieve.