The Data Protection issues of outsourcing
Data Protection law in the form of the Data Protection Act 1998 (“the Act”) applies to all organisations processing “personal data” (data which identifies a living individual) within the UK. Various provisions of the Act, which enacted into English law EC Directive 95/46/EC, have particular application to outsourcing arrangements.
The Information Commissioner (ICO) has issued a Good Practice Note on Outsourcing, aimed at small-to-medium-sized businesses, but the broad principles are the same for all outsourcing arrangements. Given the increasing media attention on breaches of security leading to loss of data, and the ICO’s new powers, compliance is becoming increasingly important: Hounslow Council recently had a monetary penalty of £70,000 imposed on it by the ICO following a loss of data by Ealing Council, to which it had outsourced the provision of certain services.
The extent of the application of Data Protection law to an outsourcing arrangement will clearly depend on the nature and extent of the personal data being shared, and the services being provided. Transfers to organisations outside the European Economic Area, for instance, add an extra level of regulatory requirement in the form of Principle 8 of the Act. However, the requirements of Principle 7 will apply wherever the service provider is located.
Principle 7 of the Act
Principle 7 of the Act requires a data controller (i.e. the customer) to take “Appropriate technical and organisational measures… against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” whether the processing is being undertaken by it, or by someone appointed on its behalf.
Service providers will normally be regarded as ‘data processors’ for the purposes of the Act, and if so, the data controller must:
- choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out;
- take reasonable steps to ensure compliance with those measures; and
- ensure that the processing is carried out under a contract which is made or evidenced in writing, under which the data processor is to act only on instructions from the data controller, and which requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.
What this means in practical terms is that the data controller must conduct due diligence on its data processor(s) to ensure that personal data is being processed securely; the data processor’s activities must be audited regularly throughout the life of the contract; and there must be a written contract covering the provision of the services, which must include certain contractual terms (a written contract for the provision of outsourced services is important, of course, for reasons other than Data Protection compliance, but that is outside the scope of this article).
Many service providers and customers are fully aware of their obligations, and the consequences of failing to comply – as the data controller, the customer will be legally responsible for any failure by the service provider (data processor) to comply with Data Protection law. However, there are still examples of both customers and service providers failing to take into account the provisions of the Act.
Monetary penalties: Hounslow Council
In 2010 an employee of Ealing Council lost two unencrypted laptops containing sensitive personal data in an opportunistic theft. Ealing was providing out-of-hours services on behalf of both itself and Hounslow Council. Although Hounslow had a contract in place with Ealing for the processing of personal data:
- the contract expired in 2009;
- even the expired contract did not include the appropriate clauses as set out in the Act or any requirements regarding the security of personal data; and
- Hounslow did not monitor Ealing’s compliance with Data Protection law.
In addition to the monetary penalty imposed on Ealing (of £80,000), the ICO imposed a separate monetary penalty of £70,000 on Hounslow, and cited the following as reasons for the level of the penalty:
- there was no written contract in place between Ealing and Hounslow, and no assurances as to how personal data would be processed;
- there was no monitoring of Ealing’s processing of data by Hounslow; and
- all of the ‘data processor’ requirements of Principle 7 had been contravened.
Principle 8 of the Act
If the data processor is situated outside the European Economic Area, there will be an extra requirement to ensure that the transfer does not breach Principle 8: “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.
There are various ways of ensuring compliance, the two main ones relevant here being the use of the EU Model Contract Clauses, or making an assessment of the adequacy of the level of protection applicable to the personal data being processed (taking into account all of the circumstances of the processing).
Again, although many customers and service providers are aware of their obligations, there is still confusion in some quarters regarding the application of Principle 8, and the various methods of assuring compliance.
Given how long the Act has been in place, it is easy to think that the basic principles of Data Protection law applicable to outsourcing relationships are well established, widely applied and therefore in no need of repetition. However, the issue is still overlooked in many outsourcing relationships, and for the reasons outlined above it is vital that both customers and service providers are aware of their obligations and ensure compliance.