9.1 Password Protection Management

Password protection must always be adopted, in accordance with the following rules, unless the data controller has a Password Protection Policy, which shall take precedence over these rules:

  1. manufacturers’ default passwords are not to be used;
  2. the issue of passwords should be restricted on a need to know basis;
  3. the data manager for the location must have an overriding administration password enabling management of all other passwords;
  4. data processors may share common passwords between groups of employees where necessary;
  5. passwords should not be issued to temporary employees;
  6. access to passwords shall be limited on a ‘need to know’ basis;
  7. common passwords may be applied, e.g. CCTV and access control systems may have the same password; and
  8. passwords shall contain a minimum of 8 and a maximum of 10 characters and comprise numbers and letters, one of which shall be upper case, and one symbol such as # or $, unless the manufacturers use a matrix or other method.
