9.1 Password Protection Management

Password protection must always be adopted, in accordance with the following rules, unless the data controller has a Password Protection Policy, which shall take precedence over these rules:

  1. manufacturers’ default passwords are not to be used;
  2. the issue of passwords should be restricted on a need-to-know basis;
  3. the data manager for the location must have an overriding administration password enabling management of all other passwords;
  4. data processors may share common passwords between groups of employees where necessary;
  5. passwords should not be issued to temporary employees;
  6. access to passwords shall be limited on a ‘need to know’ basis;
  7. common passwords may be applied, e.g. CCTV and access control systems may have the same password; and
  8. passwords shall contain a minimum of 8 and a maximum of 10 characters and comprise numbers and letters, at least one of which shall be upper case, and one symbol such as # or $, unless the manufacturers use a matrix or other method.