4.—(1) In regulation 5, after paragraph (1) insert—
“(1A) The measures referred to in paragraph (1) shall at least—
(a)ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;
(b)protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and
(c)ensure the implementation of a security policy with respect to the processing of personal data.”
(2) After paragraph (5) insert—
“(6) The Information Commissioner may audit the measures taken by a provider of a public electronic communications service to safeguard the security of that service.”.