Customer data and the passage to India

The news last week that The Sun newspaper had conducted a sting operation on an Indian call centre operative has sparked the predictable row about the security of customer data being shipped offshore.

Critics argue that India does not operate the same standards of data protection that are legally required by the Data Protection Act (DPA) in the UK. The same concerns can be levelled at other offshore locations outside of the European Union (EU) - and in many of the accession counties within the EU. Currently, India does not have a data protection act. Indian companies primarily comply with BS 7799 - a global standard that covers all domains of security.

It's a contentious issue. European law stipulates that personal data can be transferred outside the European Economic Area only with the consent of customers. On the other hand, under the terms of the DPA, customer permission was not required, provided the personal records had to "adequate" protection.

The requirements of the DPA are universal. All UK-based businesses are compelled to adhere to the Act - although there is disturbing evidence of a lack of awareness of what this means in practice, particularly among small and medium enterprises. Failure to comply with the Act can led to financial penalties as well as to long term reputational and brand damage - if a company cannot offer adequate protection for personal data in a digital economy then its likelihood of commercial success is significantly reduced.

For offshore regimes, it’s increasingly important to assauge data protection concerns if their appeal as offshore locations is to continue. India in particular is likely to have a tighter data protection and privacy regime in place later this year. Rather than have a separate law to deal with data security and privacy issues, the government will amend the Information Technology Act of 2000.

The act in its existing form only covers unauthorised access and data theft from computers and networks, with a financial penality and does not have specific provisions relating to privacy of data. The new clauses are likely to enable the act to conform to the so-called adequacy norms of the European Union's Data Protection Directive. The adequacy norms allow the EU to declare that third-party countries have levels of data protection that conform to European standards and thus allow data on EU citizens to be transmitted outside of the union.

In the meantime, there are some basic rules of thumb:

• Get a written contract that guarantees access to third parties' audits or security reports

• Visit the third party periodically to check they actually handle data securely

• Ensure that the third party vets staff to prevent likely fraudsters getting near personal records

• Use encryption and other technologies to prevent sensitive information being traced to individuals

• Make it clear that personal data can only be accessed when specifically instructed

• Check to see if the country they are outsourcing to provides adequate data protection