Feeds

Outsourced data must be protected, says privacy chief

Companies liable for third party breaches

5 things you didn’t know about cloud backup

Companies are still liable for data protection breaches that happen on third party premises thousands of miles away, the Information Commissioner has warned.

With more and more firms outsourcing data-intensive processes such as call centre activity, companies must be aware of their responsibilities, the Information Commissioner's Office (ICO) has said. Any breach of security at a contractor's site will be the responsibility of the original company.

"The [Data Protection] Act requires you to take appropriate technical and organisational measures to protect the personal information you process whether you process it yourself or whether someone else does it for you," said an ICO statement.

Outsourcing data processing to foreign suppliers does not absolve firms from protecting the data once it passes to a third party. In fact, new guidance issued by the ICO seems to tighten up rules concerning a company's responsibilities to find an outsourcer who will safeguard the data.

"The new guidance clarifies the old guidance which stated that in the case of a data controller to data processor transfer the 'data controller might reasonably conclude that adequacy exists without carrying out a detailed adequacy test'. This could be interpreted as saying a complete assessment of adequacy is not needed," said Dr Chris Pounder, consultant and editor of data protection and privacy practice at Pinsent Masons, the law firm behind OUT-LAW.COM.

"By contrast, the new guidance states that such an adequacy test is needed, but this can be incorporated into a data processor contract and into the risk assessment which is required under the Seventh Data Protection Principle which deals with the security of personal data," said Pounder. "It is interesting to note that the commissioner refers to ISO 17799 in this regard."

"More and more companies are contracting out their data processing abroad. The rules governing the transfer of personal information overseas are therefore becoming increasingly important," deputy Information Commissioner David Smith said.

"A UK-based business outsourcing a call centre or other aspect of its data processing abroad remains legally liable for any failings. It could face legal action by the Information Commissioner's Office and by an individual even if a breach takes place outside the UK."

"We will not hesitate to investigate and, if necessary, take action in any instances where companies are clearly breaching the principles of good information handling," said Smith.

The new guidance relates to the eighth data protection principle in the Act, which governs personal information transferred outside the European Economic Area.

See:

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Secure remote control for conventional and virtual desktops

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
Kaspersky backpedals on 'done nothing wrong, nothing to fear' blather
Founder (and internet passport fan) now says privacy is precious
TROLL SLAYER Google grabs $1.3 MEEELLION in patent counter-suit
Chocolate Factory hits back at firm for suing customers
Facebook, Google and Instagram 'worse than drugs' says Miley Cyrus
Italian boffins agree with popette's theory that haters are the real wrecking balls
Mozilla's 'Tiles' ads debut in new Firefox nightlies
You can try turning them off and on again
Sit tight, fanbois. Apple's '$400' wearable release slips into early 2015
Sources: time to put in plenty of clock-watching for' iWatch
Facebook to let stalkers unearth buried posts with mobe search
Prepare to HAUNT your pal's back catalogue
Ex-IBM CEO John Akers dies at 79
An era disrupted by the advent of the PC
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.