Feeds

New guidance on data protection and outsourcing

Info commissioner issues advice for small.biz

Providing a secure and efficient Helpdesk

The Information Commissioner’s Office (ICO) has published advice to businesses on how to comply with data protection rules when outsourcing the processing of personal information, aimed primarily at smaller companies without an inhouse data protection expert.

The good practice note follows requests for clarification on outsourcing, not only by organisations which hold personal information, such as payroll, but also by individuals who are concerned about how their information is protected when it is outsourced to companies both in the UK and overseas.

The advice stresses that when a business uses an outside organisation to process personal information on its behalf, it retains liability for the security and accuracy of information and full control over how it is used. This means the business remains liable for any breaches of the Data Protection Act, even if the outsourced company is based abroad.

Deputy commissioner David Smith acknowledged that many companies outsource some of their data processing functions to other companies, quite often overseas.

"There have been several highly publicised instances recently which suggest that personal information is not always held securely," he said. "Companies considering outsourcing must ensure that they choose companies that can be relied upon to take proper care of the personal information they are entrusted with."

He added that they should put in place mechanisms so that when the personal information has been outsourced they can check that it is being properly looked after.

"The Information Commissioner’s Office takes the failure to take proper care of personal information very seriously, and we will not hesitate to investigate where companies have failed to fulfil their obligations under the Data Protection Act. Such investigations could result in formal enforcement action."

The good practice note covers, for example, the selection of a service provider, ensuring the contract is enforceable, checking for security, and auditing that provider.

Daradjeet Jagpal, a solicitor with Pinsent Masons, the law firm behind OUT-LAW.COM, said: "Businesses need to remember that just because personal information is processed thousands of miles away, it does not mean that it takes away their responsibility for complying with the DPA."

Jagpal, a data protection specialist, continued: "A contract with the foreign processor is necessary, requiring the processor to respect the same security obligations that the business has to. Not getting this right means not only risking enforcement action from the Information Commissioner, but from aggrieved individuals, too, who may claim compensation for damage or damage and distress suffered due to breach of security obligations."

Another member of the Pinsent Masons information law team, Louise Townsend, added: "Straightforward guidance from the Information Commissioner on this topic is to be welcomed. Many organisations will have standard terms and conditions and it is a simple task to review these to ensure that they meet the requirements of the Data Protection Act."

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Arab States make play for greater government control of the internet
Nerds told to get lost in last-minute power grab bid at UN meeting
Zippy one-liners, broken promises: Doctor Who on the Orient Express
Series finally hits stride, but Clara's U-turn is baffling
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
Apple SILENCES Bose, YANKS headphones from stores
The, er, Beats go on after noise-cancelling spat
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.