Datacentre storage creates a range of important regulatory issues for multinational organisations, particularly around the area of cross-border information flows. Offshoring data storage or processing arrangements can give rise to complicated legal concerns and failure to comply with relevant laws can have serious implications.
What sort of data could be subject to legal restrictions?
UK law protects information that is deemed to be personal data. This includes any information through which you can identify a living individual, such as name, address, bank details, National Insurance number and other identifying details that you may hold in relation to employees, customers or other individuals.
Employee details and human resource records may also contain sensitive personal data: a category of information relating to particularly private matters, such as trade union membership, ethnic origin, medical records and criminal records. There are extra restrictions on processing sensitive personal data, and in many cases the explicit consent of the individual is required.
Other types of data that may have to be processed with caution are commercially confidential information, such as customer lists or company accounts; market-sensitive data, such as major strategic initiatives or business plans; and matters that may be subject to legal privilege, such as information concerning legal or disciplinary proceedings. These categories may be protected by law, regulation or contract rather than by data protection legislation.
What legal issues are involved in transferring data overseas?
There are a number of questions to consider, depending on the nature of the data being transferred overseas and the country to which it is being transferred. For example, in the case of personal data that is being exported from the UK to a country outside the European Economic Area (EEA), such transfers are generally prohibited unless the destination country ensures an adequate level of protection for the rights of the individuals to whom the data relates.
The European Commission maintains a list of non-EEA countries that, in the Commission's opinion, ensure adequate protection for a data subject's rights and freedoms. At the time of writing, this is limited to Argentina, Canada, Switzerland, Guernsey, the Isle of Man and, for organisations that have signed up to the Safe Harbor scheme described below, the US. The current list can be found at: http://tinyurl.com/2w47yu.
If the country to which you intend to transfer data does not feature on the list at the time of export, you will need to rely on an exemption from the general prohibition to export the data lawfully. As well as understanding the regulatory controls on transferring data overseas, it is important to take into account the legal and regulatory environment in the destination country.
If the proposed importing country has less effective protection for confidentiality, data protection or computer misuse than the exporting country, you may not have the legal remedies you might ordinarily expect for any breach of privacy or data security. Under such conditions, it will be important to ensure that the contract makes the data importer contractually liable for the same breaches, so that you retain a remedy even where local law provides none.
Other important legal considerations include the following. First, whether the exporting country's rules on legal privilege mean that disclosure of the information to a third party or third country could jeopardise the privileged status of the information. Second, whether the document retention obligations in the importing country differ from those in the exporting country. Third, whether the importing country's rules on disclosure of encryption keys are more onerous than those in the exporting country: some countries have specific legislation under which authorities can demand production of encryption keys (in the UK, Part III of the Regulation of Investigatory Powers Act 2000), while others do not, so encrypting data before export does not by itself put it beyond the reach of the importing country's authorities.
How can I protect my firm's legal position if we need to transfer data outside the UK?
Consent of the data subject is one of the recognised exemptions from the general prohibition: personal data can usually be processed for a stated purpose and in a stated location provided you have obtained the prior informed consent of the data subject (for sensitive personal data, that consent must be explicit). If you have explained to your customers at the time of collecting their contact details that you will need to send their names and addresses to be processed by a specified overseas company, and explained the reasons for this, you are more likely to obtain the customer's consent to the activity. If they consent, you would also be permitted to lawfully export the data under the UK rules.
Other ways to exempt a transfer of personal data to a non-EEA country from the general prohibition include using certain EU-approved model clauses for the export of personal data. The clauses are available online at: http://tinyurl.com/yafb6t.
In the case of exports to the US, you can transfer data to an organisation that is part of the Safe Harbor scheme. The list of organisations participating in the scheme is available at: http://tinyurl.com/2b24su.
Alternatively, for intra-group transfers, multinationals can adopt legally binding corporate rules that have the effect of imposing European data protection standards in all jurisdictions in which the organisation processes personal data. The rules must be approved by all EEA data protection regulators in countries in which the multinational operates; an approval mechanism that has contributed to a low take-up of such a route.
Commercially sensitive information may be protected to some extent by a contract between the disclosing party and the receiving party, sometimes called a confidentiality agreement or a non-disclosure agreement. If the receiving party subsequently discloses the information to a third party without consent and contrary to the terms of the agreement, the receiving party could face a claim for breach of contract, or the disclosing party might seek a court order or injunction to stop any further disclosure of the material.
What are the consequences of failing to comply with the relevant laws and regulations?
A transfer of personal data that contravenes the Data Protection Act 1998 could lead to enforcement action that may ultimately result in criminal proceedings punishable by a maximum fine of £5,000 on summary conviction, or an unlimited fine if brought in the Crown Court and, in certain circumstances, personal criminal liability for the directors or officers of a company. Perhaps of more practical importance, failure to comply can also result in significant damage to reputation.
As noted above, breach of a contractual clause can lead to a right for the injured party to sue for damages. The owner of the data may also apply for an injunction to stop the information being further disclosed.
Is there a difference if I am only sending data to a secondary site for backup purposes while my primary site remains in the UK?
In most cases, the law is likely to treat the processing of copies in the same way as the processing of original data, so a backup copy held offshore is still an export. You should also be aware that for certain types of documents, the original versions must be kept in-country. If your offshore location is the primary site, there is an increased risk that should be reflected in a higher liability for the service provider in your contract; the service provider is likely to reflect such risk by increasing the price.
My company is UK-based – are cross-border issues relevant to me?
If you are outsourcing any services where the provider may be holding or using information about your employees, customers or other individuals you should ensure your contract contains appropriate protection for any liabilities that could arise. Many service providers that are ostensibly onshore operations may carry out certain tasks through service centres in countries with a lower cost base, such as India or China.
You may not be aware that activity is taking place offshore but, ultimately, you could be found responsible for any breaches that occur. As noted above, the risk is not purely legal; customers place considerable faith in organisations when handing over personal data, and the damage to your reputation can be significant if data privacy is compromised.
The protection of personal data is becoming an area of increasing concern to consumers. High-profile breaches such as the loss of 25 million child benefit records at HM Revenue & Customs that came to light in November 2007 have resulted in calls for tightening of the legislation and increased enforcement powers to be made available to the Information Commissioner.
In anticipation of new enforcement measures, many organisations that process large amounts of personal data are looking to review and tighten their policies and processes around information security and data protection.
Dino Wilkinson is a senior associate in the communications, media and technology team at Norton Rose LLP. Norton Rose Group is a leading international legal practice, offering a full business law service from offices across Europe, the Middle East and Asia.
17 Jul 2008