
Offshore Outsourcing – safeguarding personal data

The Data Protection Act has been getting a lot of bad press recently, being the undeserving scapegoat for the apparent police failures of communication highlighted in the Soham murder trial and following the deaths of an elderly south London couple whose gas had been cut off because British Gas thought that the Act prevented it from forewarning social services.

Corporate paranoia that the Act is highly restrictive lives alongside consumers’ fears that the Act does not adequately protect their personal data. These fears have been exacerbated by the growth of offshore outsourcing, where personal data may be transferred to countries such as India. There is, for example, a suspicion that the growth of spam emanating from offshore jurisdictions is fuelled by a trade in personal data that has been – even lawfully – exported to offshore service providers.

This article considers how UK companies wishing to outsource part of their data processing operations offshore can comply with the Act.

Outsourcing

Where UKCo outsources operations which involve processing by OutsourceCo of personal data of UKCo’s clients (the Act’s definition of “personal data” has recently been considered by the Court of Appeal in Durant v Financial Services Authority [2003] EWCA Civ 1746), then careful consideration needs to be given to compliance with the Act. Under the Act, OutsourceCo is termed the “data processor” which processes data on behalf of UKCo which is the “data controller”. UKCo will need to be sure that the ambit of its existing notification under the Act and consents from data subjects contemplate the outsourcing plans. There are then two further key areas. 

Data Processing

The seventh data protection principle set out in Sched 1 Part I of the Act requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Sched 1, Part II of the Act specifies that where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle:

(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures.

The data controller is not to be regarded as complying with the seventh principle unless the processing is carried out under a written contract under which the data processor is to act only on instructions from the data controller, and which requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

It is clear that UKCo, as the data controller, remains responsible for the security of the personal data and does not absolve itself of that responsibility by contracting-out processing to a third party. In deciding what measures may be “appropriate”, reference may be made to British Standard BS 7799 and ISO 17799 on information security management.

Data Export

Contrary to popular belief the Act does not impose an outright ban on the transfer of personal data outside the EEA. The eighth data protection principle requires that “personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.

Where OutsourceCo is within the EEA, then the eighth data protection principle will not apply. However, where OutsourceCo is outside the EEA, then the data controller must make an assessment of adequacy.

Safe countries

The European Commission has power to determine whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. So far, only Argentina, Canada, Guernsey, Hungary and Switzerland have been deemed to be adequate. It is reported that India, presumably to support its growing outsourcing industry, is preparing privacy laws with a view to their being deemed adequate for the purposes of compliance with the eighth data protection principle.

DIY Adequacy

Even if a country has not been designated as adequate, a data controller can reach its own conclusion that the country to which the data is being transferred provides an adequate level of protection. Factors to be taken into account relate to the nature of data being transferred, how the data will be used and the laws and practices of the target country. The Information Commissioner has provided guidance on this, including model contract clauses. In particular, the Commissioner has expressed the view that a presumption of adequacy can be made in most, if not all, instances of transfers outside the EEA made by exporting data controllers to overseas processors. This presumption is based on the fact that in such circumstances the data controller remains subject to the Act, the Commissioner’s powers of enforcement and individuals’ rights. Subject to overall compliance with the requirements of the Act, the Commissioner acknowledges that such transfers can ensure adequacy subject to there being no particular risks clearly apparent in the target country.

Whilst personal data that is kept in the UK is not immune from the risk of abuse, concerns over data security in offshore outsourcing in particular are likely to continue despite the legislative regime.

Date: 29/07/2007 | Author: ebizlaw team