Always clarify in outsourcing deals who is liable for data security, advises Tamzin Matthew.

The trend for business process outsourcing shows no sign of abating, as organisations strive to achieve cost savings and increase efficiency. Along with this expectation often comes the idea that all the legal liabilities in relation to outsourced processes will be borne by the service provider.

As many companies have discovered to their cost, this is simply not the case, particularly in relation to information security. The Data Protection Act 1998 is a key source of potential liability in any outsourcing transaction involving personal data.

The primary responsibility for breaches of the Data Protection Act lies with the data controller. The definition of that role in the Act is "a person who determines the manner in which any personal data is or is to be processed".

This definition sometimes leads to confusion. Although the service provider may impose well-established ways of processing information, this does not automatically make it the data controller in relation to the personal data it receives as part of the outsourcing arrangement.

The deciding factor is whether the provider will be entitled to use the data for its own purposes, and whether it will stop processing the data when the outsourcing contract terminates. The usual position is that the service provider is a data processor and only processes the personal data to achieve the outsourcing company's business purposes.

The Data Protection Act requires data controllers to ensure that the processing is undertaken pursuant to a written contract. The terms required by the Act may not automatically be incorporated into early drafts of an outsourcing contract, particularly if the deal is being agreed on the supplier's standard terms.

The contract must state that (a) the processing of personal data is only to be undertaken on the instructions of the data controller and (b) the data processor is to comply with obligations equivalent to those in data protection principle 7. This principle states that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data".

What is appropriate depends on the kind of technological measures that are available, the type of data being processed and the likely harm that would result from unauthorised processing, loss, damage or destruction.

Data protection principle 7 requires data controllers to "choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out". Potential suppliers should be questioned about their security provisions. It is often only when proper contract negotiations begin that the sales puff can be distinguished from a firm commitment.

The data controller must also "take reasonable steps to ensure compliance with (technical and organisational security) measures". The "sufficient guarantees" are not defined in the Act, but a clear statement of what the appropriate security measures must entail will be crucial. Many organisations impose their internal security policies on service providers, but some adjustments may be required.

The best position the data controller can achieve is to obtain an unlimited indemnity from the service provider to cover the controller's losses and costs arising from any failure to comply with security measures. The commercial reality, however, is that this kind of assurance is difficult to obtain. An ordinary contractual commitment to pay damages for failure to meet the agreed security provisions may be "sufficient".

Outsourcing arrangements are often complex, and a great deal of time and effort needs to be invested in getting them right. Many organisations never involve their internal information security experts at the procurement stage and, in doing so, take an unnecessary risk.