Feeds

New guidance on data protection and outsourcing

Info commissioner issues advice for small.biz

Securing Web Applications Made Simple and Scalable

The Information Commissioner’s Office (ICO) has published advice to businesses on how to comply with data protection rules when outsourcing the processing of personal information, aimed primarily at smaller companies without an inhouse data protection expert.

The good practice note follows requests for clarification on outsourcing, not only by organisations which hold personal information, such as payroll, but also by individuals who are concerned about how their information is protected when it is outsourced to companies both in the UK and overseas.

The advice stresses that when a business uses an outside organisation to process personal information on its behalf, it retains liability for the security and accuracy of information and full control over how it is used. This means the business remains liable for any breaches of the Data Protection Act, even if the outsourced company is based abroad.

Deputy commissioner David Smith acknowledged that many companies outsource some of their data processing functions to other companies, quite often overseas.

"There have been several highly publicised instances recently which suggest that personal information is not always held securely," he said. "Companies considering outsourcing must ensure that they choose companies that can be relied upon to take proper care of the personal information they are entrusted with."

He added that they should put in place mechanisms so that when the personal information has been outsourced they can check that it is being properly looked after.

"The Information Commissioner’s Office takes the failure to take proper care of personal information very seriously, and we will not hesitate to investigate where companies have failed to fulfil their obligations under the Data Protection Act. Such investigations could result in formal enforcement action."

The good practice note covers, for example, the selection of a service provider, ensuring the contract is enforceable, checking for security, and auditing that provider.

Daradjeet Jagpal, a solicitor with Pinsent Masons, the law firm behind OUT-LAW.COM, said: "Businesses need to remember that just because personal information is processed thousands of miles away, it does not mean that it takes away their responsibility for complying with the DPA."

Jagpal, a data protection specialist, continued: "A contract with the foreign processor is necessary, requiring the processor to respect the same security obligations that the business has to. Not getting this right means not only risking enforcement action from the Information Commissioner, but from aggrieved individuals, too, who may claim compensation for damage or damage and distress suffered due to breach of security obligations."

Another member of the Pinsent Masons information law team, Louise Townsend, added: "Straightforward guidance from the Information Commissioner on this topic is to be welcomed. Many organisations will have standard terms and conditions and it is a simple task to review these to ensure that they meet the requirements of the Data Protection Act."

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Using blade systems to cut costs and sharpen efficiencies

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
White? Male? You work in tech? Let us guess ... Twitter? We KNEW it!
Grim diversity numbers dumped alongside Facebook earnings
Microsoft: We're making ONE TRUE WINDOWS to rule us all
Enterprise, Windows still power firm's shaky money-maker
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
Dude, you're getting a Dell – with BITCOIN: IT giant slurps cryptocash
1. Buy PC with Bitcoin. 2. Mine more coins. 3. Goto step 1
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.