Outsourcing Law - http://www.outsourcing-law.com
United Kingdom Data Protection (England and Wales)
General
The DPA applies to the “processing” of “personal data”, both of which terms are very widely defined. This means that practically any business operating in the UK which holds information about individuals (whether employees, customers or anyone else) is affected by the DPA. Since breaches of data protection laws can result in criminal as well as civil liability (not to mention adverse publicity, which is increasingly the likely result of non-compliance), no organisation can afford to ignore its data protection obligations. This is not always easy given the complexity of the DPA and the number of obligations it imposes on those who process personal data.
The DPA applies only to personal data. Data is defined as information which is being processed by means of equipment that operates automatically in response to instructions given for that purpose, or is recorded with the intention that it should be processed by means of such equipment. The DPA therefore applies to automated data, such as that stored on a computer. It also extends to certain manual records.
In January 2009, the Information Commissioner’s Office (“ICO”) issued a technical guidance note in the form of a flowchart of numbered questions, which aims to help data protection practitioners determine whether information falls within any of the four categories of data covered by the DPA (see: http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/what_is_data_for_the_purposes_of_the_dpa.pdf).
All of the obligations under the DPA fall on the data controller. This is defined as the person who (either alone, jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is, or is to be, processed. For example, a company will be the controller of the data processed relating to its employees or customers. An entity may be a data controller even if the information concerned is held by a third party (for example, where payroll administration is outsourced to a third party), and there may be more than one data controller in respect of the same data (for example, companies in the same group which use the same data for different purposes).
In contrast, a data processor processes personal data only on behalf of a data controller. Where, for example, payroll administration is outsourced to a third party, that third party will usually be a data processor. Even though the DPA does not impose obligations directly on the data processor, it does require the data controller to pass on obligations to the data processor.
The role of a data controller (the customer)
Most customers in outsourcing contracts are the data controllers – they own the personal data of their customers, employees and website users which may be the object of outsourcing and determine the purposes for which such personal data is processed and used.
As a data controller, the customer is primarily responsible for compliance with the applicable data protection laws and should not pass that compliance responsibility onto the service provider.
This means the customer must satisfy itself that it has complied with its obligations under the law before passing personal data to the service provider for processing.
In addition, the customer must provide lawful instructions to the service provider as its data processor with regard to specific compliance steps that it wishes to carry out or be carried out on its behalf in relation to personal data which is processed by the service provider. Such steps may include:
The role of the data processor (the service provider)
As a data processor/service provider, the service provider’s responsibilities are to:
As a data processor, the service provider must not take on the role of data controller. For example, the service provider should not be permitted to:
If the service provider were to take on the role of data controller, then the service provider would be responsible for substantive data protection compliance in respect of customer data and would have to comply with every complex requirement of every applicable data protection law. The service provider, its employees and executives would become directly responsible and potentially criminally liable for any breach of any requirement of data protection law.
Addressing the roles and responsibilities of parties in outsourcing contracts
It is important that the roles of the customer (as data controller and data owner) and the service provider (as data processor) are clearly defined in the outsourcing contract.
The customer should seek the following additional requirements from the service provider:
Indemnity and liability
Customers should ask for a specific indemnity for breach of data protection provisions of the outsourcing contract.
The customer should also consider asking for an unlimited indemnity and liability for data protection contractual breaches. Service providers will attempt to avoid this on the basis that they perceive the risk of accepting unlimited liability as too great, given the multitude of regulatory enforcement actions and individual claims that can arise out of a data protection and/or data security breach. This is a commercial point which needs to be negotiated on a case-by-case basis.
Subcontracting
Where the service provider uses subcontractors for the provision of services to its customers, the customer remains the data controller, the service provider is the data processor and the subcontractor is the sub-processor.
The outsourcing contract should include wording to cover the scenario of the service provider engaging a subcontractor for the provision of services to the customer, and require the service provider to procure full compliance of the terms and conditions by the subcontractor. Ideally, the provisions and obligations of the service provider as a data processor in the main outsourcing contract should be included in agreements with subcontractors.
Practical tips for a customer
The customer should consider the following in respect of data protection provisions in an outsourcing contract:
International transfers of personal data
The eighth data protection principle states that:
“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.” (Paragraph 8, Part I, Schedule 1, DPA)
Transfers of personal data to a country outside the EEA (the 25 EU member states plus Iceland, Liechtenstein and Norway), otherwise known as a “third country”, are therefore prohibited, unless:
Article printed from Outsourcing Law: http://www.outsourcing-law.com
URL to article: http://www.outsourcing-law.com/jurisdictions/countries/united-kingdom/data-protection/
Copyright © 2012 Outsourcing Law. All rights reserved.