http://www.legislation.gov.uk/id/ukpga/1998/29/schedule/1/enacted

SCHEDULES

SCHEDULE 1The data protection principles

Part IIInterpretation of the principles in Part I

The seventh principle

11

Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

a

choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

b

take reasonable steps to ensure compliance with those measures.