Customer data and the passage to India

8th Jul 2005

The news last week that The Sun newspaper had conducted a sting operation on an Indian call centre operative has sparked the predictable row about the security of customer data being shipped offshore.

Critics argue that India does not operate the same standards of data protection that are legally required by the Data Protection Act (DPA) in the UK. The same concerns can be levelled at other offshore locations outside the European Union (EU) - and at many of the accession countries within the EU. Currently, India does not have a data protection act. Indian companies primarily comply with BS 7799 - the British information security management standard (since adopted internationally as ISO/IEC 17799 and ISO/IEC 27001) that covers all domains of security. It is worth noting that BS 7799 certification demonstrates that a security management system exists; it is not a substitute for a legal obligation to protect personal data.

It's a contentious issue. European law stipulates that personal data can be transferred outside the European Economic Area only where an adequate level of protection is in place; the unambiguous consent of the individual is one of the exceptions to that rule, not the rule itself. The DPA's eighth principle implements this in the UK: customer permission is not required, provided the personal records have "adequate" protection - which in practice usually means contractual and technical safeguards agreed with the recipient.

The requirements of the DPA are universal. All UK-based businesses are compelled to adhere to the Act - although there is disturbing evidence of a lack of awareness of what this means in practice, particularly among small and medium enterprises. Failure to comply with the Act can lead to financial penalties as well as to long-term reputational and brand damage - if a company cannot offer adequate protection for personal data in a digital economy then its likelihood of commercial success is significantly reduced.

For offshore regimes, it's increasingly important to assuage data protection concerns if their appeal as offshore locations is to continue. India in particular is likely to have a tighter data protection and privacy regime in place later this year. Rather than have a separate law to deal with data security and privacy issues, the government will amend the Information Technology Act of 2000.

The act in its existing form only covers unauthorised access and data theft from computers and networks, backed by a financial penalty, and has no specific provisions relating to privacy of data. The new clauses are likely to enable the act to conform to the so-called adequacy norms of the European Union's Data Protection Directive. The adequacy norms allow the EU to declare that third countries have levels of data protection that conform to European standards and thus allow data on EU citizens to be transmitted outside of the union.

In the meantime, there are some basic rules of thumb:

  • Get a written contract that guarantees access to third parties' audits or security reports

  • Visit the third party periodically to check they actually handle data securely

  • Ensure that the third party vets staff to prevent likely fraudsters getting near personal records

  • Use encryption and other technologies to prevent sensitive information being traced to individuals - for example, replace names, account numbers and other direct identifiers with tokens before records are exported, and keep the means of reversing them onshore

  • Make it clear that personal data can only be accessed when specifically instructed

  • Check to see if the country you are outsourcing to provides adequate data protection
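One way to act on the encryption point in the list above, as an added example that is not from the article: replace each direct identifier with a keyed HMAC token before the record leaves the UK, drop fields the offshore team does not need, and keep the token-to-value mapping onshore. The field names, the sample records and the key are all constructed for illustration; a real record layout and key store will differ.

```python
import hmac
import hashlib
import json

# Fields whose real value the offshore operative does not need to see.
# Hypothetical schema for illustration; a real record layout will differ.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email", "card_number")

# Fields dropped entirely before export because the task does not need them.
DROP_FIELDS = ("date_of_birth",)

# Assumption: in production this key lives in an onshore vault or HSM and
# never travels with the data. It is a constant here only so the example runs.
EXAMPLE_KEY = b"onshore-secret-key-rotate-regularly"


def pseudonymise_record(record, key, context=b"export-2005-07"):
    """Return (exported_record, mapping).

    Direct identifiers are replaced with a keyed HMAC-SHA256 token. The same
    value under the same key always yields the same token, so the offshore
    team can still match a customer's records, but without the key the token
    cannot be turned back into the value. A plain unsalted hash would not do:
    card numbers and email addresses are guessable, so an attacker could hash
    candidates and compare. The reverse mapping is returned separately and
    must stay onshore.
    """
    exported = {}
    mapping = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in DIRECT_IDENTIFIERS:
            # Field name is bound into the message so the same string in two
            # different fields does not produce the same token.
            msg = context + b"|" + field.encode() + b"|" + str(value).encode()
            token = hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]
            exported[field] = token
            mapping[token] = value
        else:
            exported[field] = value
    return exported, mapping


def pseudonymise_batch(records, key):
    """Pseudonymise a list of records; returns (exported_list, merged_mapping)."""
    exported = []
    mapping = {}
    for record in records:
        exp, mp = pseudonymise_record(record, key)
        exported.append(exp)
        mapping.update(mp)
    return exported, mapping


def reidentify(exported_record, mapping):
    """Onshore-only reverse step: look each identifier token up in the mapping."""
    return {
        field: (mapping.get(value, value) if field in DIRECT_IDENTIFIERS else value)
        for field, value in exported_record.items()
    }


# Constructed sample records, not real customer data (test card numbers).
SAMPLE_RECORDS = [
    {"customer_id": "C-10001", "name": "Jane Example", "email": "jane@example.com",
     "card_number": "4111111111111111", "date_of_birth": "1970-01-01",
     "balance": 120.50, "query": "disputed transaction"},
    {"customer_id": "C-10002", "name": "John Example", "email": "john@example.com",
     "card_number": "5555555555554444", "date_of_birth": "1965-05-05",
     "balance": -40.00, "query": "address change"},
]

if __name__ == "__main__":
    exported, mapping = pseudonymise_batch(SAMPLE_RECORDS, EXAMPLE_KEY)
    # What the offshore team receives: tokens in place of identifiers.
    print(json.dumps(exported, indent=2))
    # What stays onshore: the mapping needed to act on a record afterwards.
    print(json.dumps(reidentify(exported[0], mapping), indent=2))
```

Two caveats a practitioner should keep in mind. First, tokenising the listed fields does nothing for identifiers that leak through free-text fields such as the "query" column, so those need review or redaction too. Second, the tokens are only as secret as the key: if the key is ever shipped offshore alongside the data, the exercise achieves nothing.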

Replies (2)


By davehoare
30th Jun 2005 18:58

I seem to have read several stories of data loss with British and American banks which have died the death after a couple of days. My understanding is that the case in India is not even proved, and may even be similar to the situation that lost Piers Morgan his job at the Sun. I do recognise that data security, and particularly personal data security is vitally important, but I would have thought that India has far more to lose than most nations in this area, and is going to take much more trouble to put things in place to stop it.

By d.burton
01st Jul 2005 09:56

The whole issue of overseas call centres and their impact on brand value is nowhere near receiving the level of attention it should.
- When brands that used to be worth something, like American Express, choose to try 'flogging insurance' via power-dialler from overseas on a weekday evening, using people incapable of even pronouncing the name Louise correctly (my wife!), the consumer is left in no doubt: financial services are now truly no more than a commodity, with cost of delivery being more important than customer experience. So we can't blame the consumer for choosing to believe The Sun ahead of previously respected institutions.
