Tighten Up Data Protection Policies in Outsourcing or Prepare to Pay Penalty
RECENT data losses by local authorities, the MoD and the NHS, together with a radical report setting out the changes that will be necessary in UK data protection law, have highlighted the need to review privacy and data security obligations under outsourcing agreements.
The UK Information Commissioner's Office has recently endorsed calls for a rewrite of the EU Data Protection Directive following publication of a critical report by the RAND Institute. A number of high-profile data security breaches involving outsourcing arrangements have made this issue a key component in negotiating outsourcing structures.
Customers and suppliers need to address data security and data protection issues under all outsourcing arrangements. Too often, planning for these issues is left until the last minute. Dealing with them late in the negotiation usually results in higher costs, unwieldy solutions and an increased risk of regulatory intervention.
Organisations are storing more and more data and transferring it on removable media; the NHS, for example, now stores patient records electronically. Organisations therefore need to address their security and privacy policies to safeguard the data they hold, and outsourcing service providers must protect personal data to avoid penalties and a loss of trust. These issues need to be reflected clearly in any outsourcing arrangement, and the obligations between customer and supplier in respect of data security, data transfer and compliance with data protection regulation need to be signed off at board level.
The position is now clear: any data handler that loses sensitive personal data, having failed to take reasonable precautions, will face civil penalties under UK and European legislation.
Following the press coverage of the loss of sensitive data by the MoD and the NHS in the past couple of months, the public and private sectors must realise that unless they address the security of their data management, penalties will follow.
This is particularly the case in outsourcing arrangements, which usually involve transfers of data between customer and supplier.
Data controllers failing to protect sensitive data face damage to their reputations, commercial loss and a regulator who can, and increasingly will, make them pay.
The practical position is that companies are now forced to take data protection seriously in their outsourcing arrangements. The requirement for data protection audit controls is now a matter of operational risk management for most major companies, and is subject to intense scrutiny by regulators and stakeholders alike.
Common problems with the data protection principles frequently arise from misunderstandings between customer and supplier about each party's obligations in respect of the transfer of data. …