Outsourcing the processing of personal data – how to comply with the law
The Information Commissioner's Office has this week published basic advice to businesses on how to comply with data protection rules when outsourcing the processing of personal information. The advice is aimed at those smaller companies who may not have their own in-house data protection expert.
The good practice note has been published following requests for clarification on the outsourcing of functions such as payroll, not only from organisations which hold personal information but also from individuals who are concerned about how their information is protected when it is outsourced to companies both in the UK and overseas.
The advice stresses that when a business uses an outside organisation to process personal information on its behalf, it retains liability for the security and accuracy of that information and retains full control over how it is used. This means that the business remains liable for any breaches of the Data Protection Act, even if the outsourced company is based abroad.
Deputy Commissioner David Smith said: "It is becoming more and more prevalent for companies to outsource some of their data processing functions to other companies, quite often overseas. There have been several highly publicised instances recently which suggest that personal information is not always held securely. Companies considering outsourcing must ensure that they choose companies that can be relied upon to take proper care of the personal information they are entrusted with. Further, they should put in place mechanisms so that when the personal information has been outsourced they can check that it is being properly looked after.
"The Information Commissioner’s Office takes the failure to take proper care of personal information very seriously, and we will not hesitate to investigate where companies have failed to fulfil their obligations under the Data Protection Act. Such investigations could result in formal enforcement action."
The good practice note covers:
- Selecting a reputable organisation offering suitable guarantees about their ability to ensure the security of personal data
- Making sure the contract with the organisation is enforceable
- Making sure the organisation has appropriate security measures in place
- Making sure that the organisation takes steps to ensure the reliability of its staff
- Auditing the other organisation regularly to make sure they are 'up to scratch'
- Requiring the organisation to report any security breaches or other problems
- Having procedures in place that allow appropriate action to be taken when such a report is received
The advice on outsourcing the processing of personal information is part of a series of good practice notes produced by the Information Commissioner's Office to make data protection simpler. A copy can be downloaded from www.ico.gov.uk