BS10012 Standard for Data Protection

This British Standard has been developed to establish best practice and aid compliance with data protection legislation. It is the first standard for the management of personal information.

BS 10012 provides a framework that enables effective management of personal information. It can be used by organizations of any size and sector to create a tailored management system that includes procedures in areas such as training and awareness, risk assessment, data sharing, retention and disposal of data, and disclosure to third parties.

The main objective of BS 10012 is to enable organizations to put in place a personal information management system (PIMS), as part of their overall data governance infrastructure, that provides a basis for maintaining and improving compliance with privacy legislation such as the UK Data Protection Act 1998 (DPA), which implements European Directive 95/46/EC, or the Protection of Personal Information Act.

BS 10012 is our primary standard for helping our clients comply with data protection law, and it will ensure that you comply with the requirement to have appropriate technical and organisational measures in place for protecting personal information.

BS 10012 applies the Plan-Do-Check-Act cycle for establishing, implementing, operating, monitoring, exercising, managing and improving the effectiveness of the organisation's Personal Information Management System. It requires "data controllers" to comply with eight data protection principles, which require personal information to be:

  1. fairly and lawfully processed
  2. obtained for a specific purpose and not processed further
  3. adequate, relevant and not excessive
  4. accurate and up to date
  5. not kept for longer than necessary
  6. processed in line with the individual's rights
  7. kept secure
  8. not transferred to countries where it is not offered adequate protection