Feeds

New guidance on data protection and outsourcing

Info commissioner issues advice for small.biz

Remote control for virtualized desktops

The Information Commissioner’s Office (ICO) has published advice to businesses on how to comply with data protection rules when outsourcing the processing of personal information, aimed primarily at smaller companies without an inhouse data protection expert.

The good practice note follows requests for clarification on outsourcing, not only by organisations which hold personal information, such as payroll, but also by individuals who are concerned about how their information is protected when it is outsourced to companies both in the UK and overseas.

The advice stresses that when a business uses an outside organisation to process personal information on its behalf, it retains liability for the security and accuracy of information and full control over how it is used. This means the business remains liable for any breaches of the Data Protection Act, even if the outsourced company is based abroad.

Deputy commissioner David Smith acknowledged that many companies outsource some of their data processing functions to other companies, quite often overseas.

"There have been several highly publicised instances recently which suggest that personal information is not always held securely," he said. "Companies considering outsourcing must ensure that they choose companies that can be relied upon to take proper care of the personal information they are entrusted with."

He added that they should put in place mechanisms so that when the personal information has been outsourced they can check that it is being properly looked after.

"The Information Commissioner’s Office takes the failure to take proper care of personal information very seriously, and we will not hesitate to investigate where companies have failed to fulfil their obligations under the Data Protection Act. Such investigations could result in formal enforcement action."

The good practice note covers, for example, the selection of a service provider, ensuring the contract is enforceable, checking for security, and auditing that provider.

Daradjeet Jagpal, a solicitor with Pinsent Masons, the law firm behind OUT-LAW.COM, said: "Businesses need to remember that just because personal information is processed thousands of miles away, it does not mean that it takes away their responsibility for complying with the DPA."

Jagpal, a data protection specialist, continued: "A contract with the foreign processor is necessary, requiring the processor to respect the same security obligations that the business has to. Not getting this right means not only risking enforcement action from the Information Commissioner, but from aggrieved individuals, too, who may claim compensation for damage or damage and distress suffered due to breach of security obligations."

Another member of the Pinsent Masons information law team, Louise Townsend, added: "Straightforward guidance from the Information Commissioner on this topic is to be welcomed. Many organisations will have standard terms and conditions and it is a simple task to review these to ensure that they meet the requirements of the Data Protection Act."

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Internet Security Threat Report 2014

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.