Currently, half of UK firms* outsourcing personal data are failing to make provisions for the Data Protection Act, despite a legal requirement to do so. As well as risking unlimited fines from the Information Commissioner for ignoring the Act, they risk being sued by an individual who suffers as a result of their personal data, such as credit card details or addresses, being leaked.
Duncan Aitchison, Managing Director, International at TPI, commented:
"UK companies are increasingly outsourcing the handling of sensitive information, and as such they have to be aware of the risks to their customers, their reputation and the bottom line. When outsourcing overseas it is important to ensure that procedures and systems are put in place; that workers adhere to them and that they are strictly enforced."
Outsourcing personal data to an offshore location outside the EEA has its own difficulties, as the EU discourages transferring personal data to countries that may lack the same level of data protection. To make outsourcing personal data to India easier for European businesses, the Indian government has mooted introducing a voluntary "Safe Harbour" code. Indian companies that sign up to such an arrangement will automatically be considered suitable for handling personal data from the UK. A similar scheme in the US has attracted almost 500 members since its agreement in 2000.
TPI recommends that UK firms consider the following when outsourcing sensitive personal data:
* Get a written contract that guarantees access to third parties' audits or security reports
* Visit the third party periodically to check they actually handle data securely
* Ensure that the third party vets staff to prevent likely fraudsters getting near personal records
* Use encryption and other technologies to prevent sensitive information being traced to individuals
* Make it clear that personal data can only be accessed when specifically instructed
* Check to see if the country they are outsourcing to provides adequate data protection: http://www.europa.eu.int/comm/internal_market/privacy/index_en.htm