With more and more firms outsourcing data-intensive processes
such as call centre activity, companies must be aware of their
responsibilities, the Information Commissioner's Office (ICO) has
said. Any breach of security at a
contractor's site will be the responsibility of the original
company.
"The [Data Protection] Act requires you to take appropriate
technical and organisational measures to protect the personal
information you process whether you process it yourself or whether
someone else does it for you," said an ICO statement.
Outsourcing data processing to foreign suppliers does not
absolve firms from protecting the data once it passes to a third
party. In fact new guidance issued by the ICO seems to
tighten up rules concerning a company's responsibilities to find an
outsourcer who will safeguard the data.
"The new guidance clarifies the old guidance which stated that
in the case of a data controller to data processor transfer the
'data controller might reasonably conclude that adequacy exists
without carrying out a detailed adequacy test'. This could be
interpreted as saying a complete assessment of adequacy is not
needed," said Dr Chris Pounder, Consultant & Editor of Data
Protection & Privacy Practice at Pinsent Masons, the law firm
behind OUT-LAW.COM.
"By contrast, the new guidance states that such an adequacy test
is needed but this can be incorporated into a data processor
contract and into the risk assessment which is required under the
Seventh Data Protection Principle which deals with the security of
personal data," said Pounder. "It is interesting to note that the
Commissioner refers to ISO 17799 in this regard."
"More and more companies are contracting out their data
processing abroad. The rules governing the transfer of personal
information overseas are therefore becoming increasingly
important," said David Smith, deputy Information Commissioner. "A
UK-based business outsourcing a call centre or other aspect of its
data processing abroad remains legally liable for any failings. It
could face legal action by the Information Commissioner’s Office
and by an individual even if a breach takes place outside the
UK."
"We will not hesitate to investigate and, if necessary, take
action in any instances where companies are clearly breaching the
principles of good information handling," said Smith.
The new guidance relates to the 8th data protection principle in
the Act, which governs personal information transferred outside the
European Economic Area.
Footnote: Dr Chris Pounder was a consultant with Pinsent Masons until September 2008. He now runs a new training business, Amberhawk.