Many of us have heard about the recent theft of data by an employee at an HSBC call centre in India. The resulting publicity was unrelenting, partly driven by consumer concern, but also by those with a vested interest in undermining the off-shoring and outsourcing markets. Whatever the motive, such incidents highlight the significance of data protection and security in an outsourcing context.

Sometimes regarded as overly protectionist, the European data protection regime was developed to encourage the free (and secure) flow of personal data across borders. In this article we consider some of the data protection issues which must be addressed by businesses preparing to outsource.

Data Protection Act

The UK’s Data Protection Act 1998 (the "Act") governs the processing of personal data by data controllers. "Personal data" is any data, or combination of data, from which a living individual can be identified. A business’ staff records, customer details and supplier details would all amount to personal data. The Act imposes obligations on "data controllers", who determine the purposes for which, and the manner in which, personal data will be processed. A business will be the data controller in relation to its staff, customer and supplier personal data. If that business decides to outsource some of its functions, whether they be IT or business process activities, personal data will probably be transferred to the outsource vendor as part of that transaction. In most circumstances, the business transferring its data will remain the data controller, which means that even though the data will be processed by the outsource vendor, the business will remain responsible, under the Act, for how those data are processed.

What data protection issues should a business take into account in planning its outsourcing activity?

Issue 1: Know Your Data

The business must first identify what personal data will be processed as part of its proposed outsourcing activity. Due diligence should establish exactly what those data consist of, how they were collected, what the business is entitled to do with them (including whether there are any constraints on transferring the data to third parties or abroad), how the data are processed and what security measures are in place. Most outsource vendors require customers to warrant both (i) the quality of the personal data to be transferred; and (ii) that existing processing activity complies with the Act. Most businesses do not know enough about their internal data protection compliance to be able to provide such warranties.

Issue 2: Identify What Data Needs To Be Transferred, When And How

It is necessary to determine: what personal data need to be provided to the vendor as part of the outsource transaction; what the capacity of the parties will be in relation to those data (i.e. controller or processor); and how to effect the transfer of the data in compliance with the Act’s "fair and lawful processing" principle. Setting up an outsource may involve multiple points of data transfer, at due diligence and at various stages after the contract is signed, and different considerations may apply to each transfer.

Issue 3: Transfer Outside The EEA?

Will the transfer to the outsource vendor involve the data being sent outside the EEA? The eighth data protection principle prohibits such transfers unless the importing jurisdiction ensures an "adequate" level of protection for personal data. Adequacy may be established in several different ways; careful consideration should be given, and expert advice sought, in order to determine which route is the most appropriate for a particular transaction. (See BLG’s Data Protection Update - August 2006).

Some outsourcing deals involve an initial rationalisation or transfer of data within the business before it moves across to the outsource vendor. Such intra-group transfers may themselves involve cross-border transfers of the data outside the EEA.

Alternatively, the data may be transferred, at the outset, to an outsource vendor based off-shore. A third possibility is that the transfer is initially made to a local vendor who subsequently transfers the data to its off-shore operation, which may involve the vendor’s affiliates or even a third party processor.

Issue 4: Vendor Due Diligence And Security

Data protection and security considerations must feature in the initial vendor due diligence. That due diligence should be supplemented by audit rights exercisable during the life of the outsource, so that the business may reassure itself that personal data are lawfully processed and protected by adequate security.

It is increasingly common for businesses to impose detailed security obligations on outsource vendors. These may cover technical security measures relating to the systems over which data may be transferred, accessed, manipulated and stored, as well as organisational security measures, such as controls on access to premises and a prohibition on staff bringing data storage devices (e.g. mobile phones and memory sticks) onto the premises.

Issue 5: Contract Terms

It is essential to establish the capacity in which the outsource vendor will process the data. If the vendor is a mere processor, it will have no direct obligation to comply with the Act, and the business must therefore seek to flow down into the outsource contract certain of its own obligations as controller under the Act. In addition, the business must, as controller, evidence the processing arrangements by a written contract, require the vendor to process data only in accordance with the business’ instructions, and ensure that the processor has in place adequate technical and organisational security measures. These detailed requirements should be drafted with expert input.

The Information Commissioner is currently investigating allegations that mobile phone call centres in India are being targeted by criminals seeking access to UK citizens’ financial records. In this context, the ICO has reminded businesses that they remain responsible for the security of their customers’ data, even where they outsource aspects of the processing. Amongst the ICO’s enforcement powers for breach is the ability to order a business to stop processing personal data outside the UK.

Conclusion

European data protection regulators are focusing increasingly on outsourcing, and individuals are becoming more aware of their data protection rights. Failure to deal adequately with data protection issues at the outset of a transaction could result in long-lasting damage to a business’ reputation in the event of a breach.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.