(1) A data controller shall —
(a) take appropriate security and organizational measures for the prevention of unauthorized access to, alteration of, disclosure of, accidental loss, and destruction of the personal data in the data controller's control; and
(b) ensure that the measures provide a level of security appropriate to —
(i) the special risks that exist in the processing of the personal data, and
(ii) the nature of the personal data being processed.
(2) A data controller shall take all reasonable steps to ensure that any person employed by the data controller is aware of and complies with the relevant security measures referred to in subsection (1).
(3) Without prejudice to subsection (1), in determining the appropriate security measures, in particular, where the processing involves the transmission of personal data over an information and communication network, a data controller shall have regard to —
(a) the state of technological development available; and
(b) the cost of implementing any of the security measures.