Feeds

Outsourced data must be protected, says privacy chief

Companies liable for third party breaches

Choosing a cloud hosting partner with confidence

Companies are still liable for data protection breaches that happen on third party premises thousands of miles away, the Information Commissioner has warned.

With more and more firms outsourcing data-intensive processes such as call centre activity, companies must be aware of their responsibilities, the Information Commissioner's Office (ICO) has said. Any breach of security at a contractor's site will be the responsibility of the original company.

"The [Data Protection] Act requires you to take appropriate technical and organisational measures to protect the personal information you process whether you process it yourself or whether someone else does it for you," said an ICO statement.

Outsourcing data processing to foreign suppliers does not absolve firms from protecting the data once it passes to a third party. In fact, new guidance issued by the ICO seems to tighten up rules concerning a company's responsibilities to find an outsourcer who will safeguard the data.

"The new guidance clarifies the old guidance which stated that in the case of a data controller to data processor transfer the 'data controller might reasonably conclude that adequacy exists without carrying out a detailed adequacy test'. This could be interpreted as saying a complete assessment of adequacy is not needed," said Dr Chris Pounder, consultant and editor of data protection and privacy practice at Pinsent Masons, the law firm behind OUT-LAW.COM.

"By contrast, the new guidance states that such an adequacy test is needed, but this can be incorporated into a data processor contract and into the risk assessment which is required under the Seventh Data Protection Principle which deals with the security of personal data," said Pounder. "It is interesting to note that the commissioner refers to ISO 17799 in this regard."

"More and more companies are contracting out their data processing abroad. The rules governing the transfer of personal information overseas are therefore becoming increasingly important," deputy Information Commissioner David Smith said.

"A UK-based business outsourcing a call centre or other aspect of its data processing abroad remains legally liable for any failings. It could face legal action by the Information Commissioner's Office and by an individual even if a breach takes place outside the UK."

"We will not hesitate to investigate and, if necessary, take action in any instances where companies are clearly breaching the principles of good information handling," said Smith.

The new guidance relates to the eighth data protection principle in the Act, which governs personal information transferred outside the European Economic Area.

See:

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Choosing a cloud hosting partner with confidence

More from The Register

next story
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Spies, avert eyes! Tim Berners-Lee demands a UK digital bill of rights
Lobbies tetchy MPs 'to end indiscriminate online surveillance'
How the FLAC do I tell MP3s from lossless audio?
Can you hear the difference? Can anyone?
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.