(1) A data controller shall take the necessary steps to secure the integrity of personal data in the possession or control of a person through the adoption of appropriate, reasonable, technical and organizational measures to prevent

(a) loss of, damage to, or unauthorized destruction; and

(b) unlawful access to or unauthorized processing of personal data.

(2) To give effect to subsection (1), the data controller shall take reasonable measures to

(a) identify reasonably foreseeable internal and external risks to personal data under that person’s possession or control;

(b) establish and maintain appropriate safeguards against the identified risks;

(c) regularly verify that the safeguards are effectively implemented; and

(d) ensure that the safeguards are continually updated in response to new risks or deficiencies.

(3) A data controller shall observe

(a) generally accepted information security practices and procedure, and

(b) specific industry or professional rules and regulations.