Friday, February 09, 2007

Personal Data: Off site, out of mind?

Being connected to a call centre in Bangalore when you call your UK bank or insurance company no longer comes as a surprise, in our increasingly global economy. Similarly, hosting your marketing database on a server in the US, or signing up for an ASP service provided from Australia seems ‘business as usual’.

But if your activities mean that personal data capable of identifying individual people in the UK or elsewhere in the EU is accessible outside of the EU then you have responsibilities under the Data Protection Act 1998.

So what does ‘accessible’ mean?

It means that the data can be viewed, downloaded or processed:
• by other clients or members of the public on a web site;
• by your hosting provider; or
• by third parties providing software support or services.

How can you ensure you are protecting personal data in accordance with the Act?

First, whether your data is being processed inside or outside the EU you need to have a contractual commitment from the offsite company that they will comply with the ‘Seventh Data Protection Principle’. This means that they will use appropriate physical and operational security measures to prevent unauthorised access to or usage of your data.

If the third party is outside the EU, you need to take extra precautions to protect personal data. There are a variety of measures that can be considered, depending on where they are and what business they're in. These include:

• obtaining explicit consent from each data subject to the transfer of their data outside the EU; and/or
• signing a ‘model contract’ with the third party, approved by the Information Commissioner, that commits them to certain data protection obligations; and/or
• getting the third party to subscribe to ‘Safe Harbor’ provisions, if they are in a regulated industry in the US.

There is little case law in this area, and each situation needs careful consideration on its merits. So if you’re considering off-shoring or outsourcing any part of your business, be sure to take advice before signing on the dotted line!
