This example password/pass phrase policy could be used by an organisation to help protect client and employee data. It is jointly published by ICAEW's Business Law and Tech Faculty.

This content is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from taking any action in relation to the matters outlined.

The use of a password/pass phrase policy is just one element of effective data protection governance. To ensure this policy is viable and effective it must be considered in conjunction with a range of polices, processes and technologies.

This document provides an example of a pass word / pass phrase policy. Throughout this document we have used the term “pass phrase” in place of “password” as we consider the former to be a more effective security measure and would recommend its use. It is however recognised that the use of the term password is widespread and part of the common language of the internet and society today. As a result, the word password can be used if it aids the understanding of the target audience.