Government issues guidance to protect outsourced data

Downloadable advice is available to help firms comply with the law

The UK’s privacy watchdog has issued guidance to help firms comply with data protection law when outsourcing personal information.

The Office of the Information Commissioner (ICO) said organisations had asked for advice to comply with the law when handing over employee data for processing by third parties, but it had also received enquiries from individuals worried about the protection of their personal details in outsourced systems.

According to the guidance, firms must be aware that they are responsible at all times for the security and accuracy of personal information processed on their behalf. The ICO stressed that businesses will be held liable for breaches of the Data Protection Act even if the outsourced systems are based abroad.

“It is becoming more and more prevalent for companies to outsource some of their data processing functions to other companies, quite often overseas,” said deputy commissioner David Smith. “There have been several highly publicised instances recently which suggest that personal information is not always held securely.”

Smith advised firms to choose outsourcing partners that can be relied upon to take “proper care” of personal information, and to establish mechanisms to check that data is being properly looked after.

The guidance also encourages firms to check that outsourcers have taken steps to ensure the reliability of staff, and to insist that security breaches or related problems are reported.

The advice is aimed primarily at smaller firms and those organisations that do not have an in-house data protection specialist. It is part of a series of good practice notes from the ICO to simplify data protection compliance. Copies can be downloaded from the ICO web site.