The good practice note follows requests for
clarification on outsourcing, not only by organisations which hold
personal information, such as payroll, but also by individuals who
are concerned about how their information is protected when it is
outsourced to companies both in the UK and overseas.
The advice stresses that when a business uses an outside
organisation to process personal information on its behalf, it
retains liability for the security and accuracy of information and
full control over how it is used. This means that the business
remains liable for any breaches of the Data Protection Act, even if
the outsourced company is based abroad.
Deputy Commissioner David Smith acknowledged that many companies
outsource some of their data processing functions to other
companies, quite often overseas.
"There have been several highly publicised instances recently
which suggest that personal information is not always held
securely," he said. "Companies considering outsourcing must ensure
that they choose companies that can be relied upon to take proper
care of the personal information they are entrusted with."
He added that they should put in place mechanisms so that when
the personal information has been outsourced they can check that it
is being properly looked after.
"The Information Commissioner’s Office takes the failure to take
proper care of personal information very seriously, and we will not
hesitate to investigate where companies have failed to fulfil their
obligations under the Data Protection Act," said Smith. "Such
investigations could result in formal enforcement action."
The good practice note covers, for example, the selection of a
service provider, ensuring the contract is enforceable, checking
for security and auditing that provider.
Daradjeet Jagpal, a solicitor with Pinsent Masons, the law firm
behind OUT-LAW.COM, said: "Businesses need to remember that just
because personal information is processed thousands of miles away,
it does not mean that it takes away their responsibility for
complying with the DPA."
Jagpal, a specialist in data protection, continued: "A contract
with the foreign processor is necessary, requiring the processor to
respect the same security obligations that the business has to. Not
getting this right means not only risking enforcement action from
the Information Commissioner, but from aggrieved individuals, too,
who may claim compensation for damage or damage and distress
suffered due to breach of security obligations."
Another member of the Pinsent Masons information law team,
Louise Townsend, added: "Straightforward guidance from the
Information Commissioner on this topic is to be welcomed. Many
organisations will have standard terms and conditions and it is a
simple task to review these to ensure that they meet the
requirements of the Data Protection Act."
