9.1 Password Protection Management
Password protection must always be adopted in accordance with the following rules, unless the data controller has a Password Protection Policy, which shall take precedence over these rules:
- manufacturers’ default passwords are not to be used;
- the issue of passwords should be restricted on a need to know basis;
- the data manager for the location must have an overriding administration password enabling management of all other passwords;
- data processors may share common passwords between groups of employees where necessary;
- passwords should not be issued to temporary employees;
- access to passwords shall be limited on a ‘need to know’ basis;
- common passwords may be applied e.g. CCTV and access control systems may have the same password; and
- passwords shall contain a minimum of 8 and a maximum of 10 characters and comprise numbers and letters, at least one of which shall be upper case, and one symbol such as # or $, unless the manufacturers use a matrix or other method.