
Outsourcing Data Banks

2 Jun 2008 12:00 AM | Anonymous

Recent headlines regarding the DVLA and the Child Benefit agency have highlighted how data loss as a result of negligence can springboard an organisation into the headlines for all the wrong reasons. With data controls set to get stricter, those companies looking at outsourcing data banks need to be aware of both the legal requirements and the associated risks. Michael Porter, Director of commercial and contract management consultancy Blake Newport, explains…

Legally within the UK there is still very little control regarding how data is held or outsourced, and common law has no recognition of data privacy. This has ultimately led to the creation of the Data Protection Act. But whilst the Act sets out eight principles by which those organisations holding personal data should abide, it is generally seen as guidance only with penalties for its breach historically difficult to quantify in court.

Those organisations that see this lack of legislation as a free rein on data management, however, should think again. If recent recommendations by the House of Commons Justice Committee go through and negligent data loss becomes a criminal offence, the issues surrounding corporate responsibility for the protection of data will only become more pressing. Couple this with the fact that many UK businesses currently outsource to countries where data privacy law is applicable and we have a significant issue on our hands.

Let's take a look at Germany, for example. Here data can only be held for a single specific use, for which full permission is needed from the originator. Once the data has been used for the reason it was obtained, it must not be passed on, either externally or to other internal departments. UK companies outsourcing abroad need to comply with these laws or face possible prosecution.

Regardless of the legislation, stringent controls on the outsourcing of data make good business sense. Aside from the obvious public relations issues, there are also many operational risks associated with outsourcing data management, with the misplacement of critical information potentially resulting in significant delays and costs being incurred.

So what can be done?

The integrity and security of those companies that you may outsource to should be of key concern, and if sensitive data is to be processed or transferred offshore, a compliance mechanism to deal with data protection will be required.

Whether outsourcing internationally or nationally, effective contract management presents the legal mechanism by which organisations can ensure full control over the data that is being outsourced. By utilising clauses within a contract to stipulate how information can be used and stored, your business can ultimately gain more control and ensure that damages can be sought if the contract is breached.

And whilst the rules surrounding the outsourcing of data are foggy at best, there are still some simple questions that organisations can pose, namely:

 Is the data being sent to the company going to be held in a safe, secure and appropriate manner?

 Will the data only be used in the manner for which it is being held?

 Does the outsourced company have appropriate security processes in place such as high levels of encryption or email policy to ensure that employees cannot transfer data out of the organisation?

Clear commercial and contract management will ensure that the outsourced company can answer positively to the above questions. But if in doubt, ask an expert and follow the guidance laid out in the Data Protection Act. After all, ‘best practice’ working only creates better business efficiencies, minimising risks and maximising profits. What more motivation do you need?
