Please note: This is one of a series of guides about overseas transfers of personal data. If you're new to that subject, read the introduction to overseas transfers first.
This article looks at some common scenarios and which options may be available in each one.
Example 1: call centre outsourcing
InsuranceISus, a leading specialist insurance company, wants to outsource its call centre to India.
As most, if not all, the information collected on each telephone call to obtain an insurance quote will be personal data, InsuranceISus has to consider the application of the Data Protection Act 1998. InsuranceISus is the data controller in relation to the data and the call centre acts as its data processor. Firstly, as it proposes to appoint a data processor, InsuranceISus should consider what security arrangements are in place with the third party in India for the data as the Act requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage. InsuranceISus should make sure that there is a contract in place with the third party which sets out what InsuranceISus expects from the third party in protecting the data, for example making sure that those people who will be answering the phones to InsuranceISus' customers and will be inputting the data onto computer systems will have data protection training and will have been adequately vetted, as well as seeking assurances about the security of the systems in place, who will have access etc.
InsuranceISus will also have to look at the arrangements in place for the transfer of data as the Act requires that personal data must not be transferred to a country outside of the European Economic Area (EEA) unless that country ensures an adequate level of protection for the rights and freedoms of data subjects or one of the exceptions applies.
India is not one of the "adequate" countries approved by the European Commission for the purposes of transferring data. What options are suitable?
There are various ways that InsuranceISus can meet its obligations under the Act in terms of adequacy. From a practical point of view, the easiest approach to take may be to enter into a contract with the third party in India based on the model clauses produced by the European Commission. The model clauses are intended to be used where data is transferred to a third party based outside of the EEA, for example, India. There are different types of model clauses depending on the status of the parties involved in the transfer. InsuranceISus will be outsourcing its call centre function to a data processor processing data on behalf of InsuranceISus and the outsourced provider will not be able to use this data for any other purpose. The data controller-to-data processor contract would therefore be the appropriate version.
Since a contract is required under Principle 7 and the model clauses include security obligations, the model clauses could meet both requirements. As InsuranceISus will also want other commercial and legal issues covered in the contract, the model clauses could be annexed to the main agreement and referred to within it. It is open to InsuranceISus to carry out its own assessment of adequacy and decide that a commercial agreement meeting the requirements of Principle 7 is enough, but use of the model clauses offers compliance certainty.
Whilst in this case it may be unreasonable and impractical to expect to obtain each potential customer's consent for the transfer, this is something to consider for the future for new customers. If InsuranceISus outsources further functions overseas, for example back office processing or inbound customer service calls, it would be sensible to review its terms and conditions and data protection notices to obtain routine consent from customers to such transfers.
Example 2: running a website
Tony Flour is the owner of a highly successful, family-run bakery in the Cotswolds supplying a large number of local businesses and individuals.
In the run up to the annual, highly prestigious, "Baker of the Year (Cotswold Region)" awards he decides to promote his business by setting up a website, www.tonysbreads.co.uk. He intends this to be seen locally to promote sales in the region and raise his profile for the competition. There is a page on the website which lists a typical day at the bakery and includes details of his customers and deliveries on that day including their names and addresses. He also describes a special delivery of wheat-free bread to Janet Thompson, one of his regulars, who suffers from a wheat allergy.
Janet's ex-husband Derek who regularly 'Googles' his ex-wife and is now living in Ecuador, finds these details and starts sending harassing letters to Janet. Janet complains to the Information Commissioner.
Does the posting by Tony raise any Principle 8 issues?
For Principle 8 to apply, Tony would firstly have to be transferring personal data to a country or territory outside of the European Economic Area ('EEA').
The questions which need to be answered are, therefore: does this information constitute personal data; is the act of posting this material on the internet "a transfer" for the purposes of Principle 8; and if so, is it a transfer to a territory outside of the EEA?
If such a transfer is found to have occurred then it would need to be considered (a) whether there is an adequate level of protection for the rights and freedoms of the data subjects; or (b) can an exception in the DPA be made out so that Principle 8 does not apply?
The information posted on the website is "data", as defined in the Act, as it is being processed by computer. The data is "personal data" in that it relates to living individuals who can be identified from that data (via their names and addresses).
(The information about Janet's wheat allergy probably also constitutes "sensitive personal data" as it is personal data consisting of information as to Janet's health and medical condition. Processing sensitive personal data is generally harder to justify.)
As the information is personal data, Principle 8 prohibits the transfer outside of the EEA unless there are adequate safeguards in place or an exception.
The issue of whether the posting of personal data on a website constitutes a transfer for the purposes of Principle 8 was considered by the European Court of Justice ('ECJ') in the case of Bodil Lindqvist v Kammaraklagaren (for more information on this case see our OUT-LAW guide An introduction to overseas transfers of personal data).
According to the ECJ, the posting of personal data on a website within the EEA is not a transfer of personal data outside of the EEA even if that personal data can be accessed by internet users outside of the EEA, provided that it is hosted by a natural or legal person who is established in the EEA.
So, in this case, provided that the internet service provider which hosts Tony's website is based in a member state of the EEA, no transfer outside the EEA will have occurred and Principle 8 will not apply. However, this is on the basis that Tony has no intention that his website will be accessed globally: it is aimed at the UK market.
Consequently, there is no need to consider issues of whether a territory outside of the EEA is involved (although Ecuador is a territory outside of the EEA), issues of adequacy or the application of Schedule 4 conditions.
The other principles will still apply. The Information Commissioner would in all likelihood consider that the posting of this information on the web was a breach of the first principle, in that it was not "fair" for it to be so widely disclosed without notifying the data subjects or obtaining their consent.
The answer may be different if Tony runs a global bakery enterprise, supplying bread worldwide. In that case he may intend his website to be accessed overseas and know that it will be. If that is the case his only likely solution under Principle 8 is to obtain consent.
Example 3: US Head Office
Boys' Toys is one of the leading suppliers of toys and gadgets in the UK. It has recently been bought out by a US multinational, Big Boys' Toys.
As part of its new reporting obligation, Boys' Toys has been asked to send copies of all of its employee records to Big Boys' Toys' head office in Washington. However, compliance with this request may be difficult as it is one of the main principles of the Act that personal data should not be transferred outside of the EEA unless the data will be adequately protected. The commercial director is a little concerned that if he sends these, he could be in breach of Principle 8, but head office is adamant that they must be sent, so he considers his options.
The US is unique in that it is the only country where European approval provides that if a company has signed up to the Safe Harbor Principles then the transfer will be allowed. However, it is also worth bearing in mind that very few companies have actually signed up to the Safe Harbor Principles since their inception in 2000, and given head office's current disregard for anything data protection related, it is unlikely that it will be one of the 1,000 or so companies that have self-certified. On checking the Department of Commerce Certification page it appears (as anticipated) that Big Boys' Toys have not signed up to the Principles, so that option is out. (For more information see our OUT-LAW guide to The US Safe Harbor scheme.)
The only thing that the commercial director thinks he can do now to ensure compliance with the Act is to ask each and every one of his employees for their consent to the transfer. This may prove an unpopular request, as employees may be highly sceptical of the reason for the transfer, linking it perhaps to some kind of cost-cutting exercise or job outsourcing. In addition there is the practical problem of actually getting consent to the transfer. The consent has to be shown to be "clear and unambiguous" in order to be effective. Obtaining clear and unambiguous consent in an employment context is very difficult, as it could be implied that any employee's consent had to be given in order for the employee to keep his employment. Although this route may appear to be relatively straightforward, it may not provide Boys' Toys with the comfort it needs to ensure compliance with the Act, and the commercial director thinks that he won't be popular with head office if he asks for consent and employees refuse.
Although Boys' Toys could consider going down the route of putting in place a set of Binding Corporate Rules (see our OUT-LAW guide The effect of binding corporate rules on overseas transfers of personal data) and applying for approval for these, as this will involve time, effort and commitment, the commercial director does not anticipate that head office will buy into this idea. Therefore, possibly the best option in this situation will be the use of standard contractual clauses which have been approved by the European Commission (see our OUT-LAW guide EU model contractual clauses). But even these cannot be used without some words of warning. If either Boys' Toys or Big Boys' Toys does not treat the personal data in line with the Act (or equivalent principles in model clauses), then the employees could have a right of action against either Boys' Toys or Big Boys' Toys. In addition, there is a risk that the Information Commissioner could bring an investigation against Boys' Toys. But there are steps that Boys' Toys can take to limit the risk of a civil suit which involves carrying out a due diligence exercise prior to transferring the data to ensure that Big Boys' Toys are able to protect the personal data.