This document discusses information security and the measures organizations should take to protect personal data. It notes that under UK law, appropriate technical and organizational security measures must be implemented to prevent unauthorized processing or accidental loss of personal data. The level of security should be proportionate to the harm that could result from a breach. If personal data is processed by third parties, the organization must ensure those parties provide adequate security through a written contract. Any security breaches must be properly contained, assessed for risk, and responded to effectively. The document provides recommendations for individual online security such as using strong and unique passwords.