30. The seventh standard
1. The seventh standard is that appropriate technical and organisational measures shall be taken—

(a) against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;

(b) to ensure that the Commissioner is notified, without any undue delay, of any breach of the data controller’s security measures which affect or may affect any personal data.

2. Having regard to the state of technological development and the cost of implementing any measures referred to in subsection (1), the measures shall ensure a level of security appropriate to—

(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in subsection (1); and

(b) the nature of the data to be protected.

3. The data controller shall take reasonable steps to ensure that the data controller’s agents and employees who have access to the personal data are aware of, and comply with, the relevant security measures.

4. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall, in order to comply with the seventh standard—

(a) choose a data processor who provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out and the reporting of security breaches to the data controller; and

(b) take reasonable steps to ensure compliance with those measures.

5. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall not be regarded as complying with the seventh standard unless—

(a) the processing is carried out under a contract—

(i) which is made or evidenced in writing; and

(ii) under which the data processor is to act only on instructions from the data controller; and

(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by subsection (1).

6. For the purposes of subsection (1)(a), the technical and organisational measures include—

(a) pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and

(e) measures to ensure adherence to the technical and organisational requirements specified in the other provisions of this Act.

7. A person who, wilfully and without lawful authority, uses any means to breach any pseudonymisation or encryption applied to any personal data commits an offence and shall be liable upon conviction for that offence before—

(a) a Parish Court, to a fine not exceeding two million dollars; or

(b) a Circuit Court, to a fine.

8. A person does not commit an offence under subsection (7) if—

(a) the breach is—

(i) necessary for the prevention, detection or investigation of crime;

(ii) required or authorised by a court or by or under any law;

(iii) justifiable in the public interest;

(iv) justifiable for the purposes of journalism, literature or art; or

(v) justifiable in the public interest with a view to testing the effectiveness of the technical and organisational measures referred to in subsection (1)(a) and the person—

(A) acted without intending to cause, or threaten to cause, damage or distress to a person; and

(B) without undue delay and, where feasible, within seventy-two hours after the breach, notified the Commissioner, or a data controller concerned, of the breach; or

(b) the person acted in the reasonable belief that—

(i) the person is a data subject in respect of the personal data concerned; or

(ii) the person is the data controller in respect of the personal data or acted with the consent of that data controller.