How Reliable is Your Data Processor?

 


After HMRC’s loss of 25 million confidential child benefit records in November 2007, data protection, privacy and information law have never been such hot topics.     

The outsourcing of data processing to a “data processor” may suggest that the risks associated with data processing are also outsourced.  However, companies owning the personal data must at all times have “appropriate technical and organisational measures” in place against the “unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.  This applies even when a data controller outsources the data processing to a data processor.  In that case, both the controller and the processor must meet this security obligation.

So how can a data controller select a reliable data processor and ensure their safe handling of data while minimising the risk of a security breach?  The main message to businesses wishing to limit their exposure is to:

  • choose a reputable data processor offering guarantees (worded as above) in respect of the security of the data;
  • have a written contract in place with the data processor;
  • if the processor is based outside the EEA, find out how to transfer the data in a way that is fair and lawful and that ensures adequate levels of protection for the rights and freedoms of the individuals who are the subject of the data;
  • carry out regular audits of the data processor. 

Taking this approach should go a long way towards ensuring that your company does not fall victim to an equivalent of the HMRC debacle.

This article was first published in NewsBrief, Spring 2008

For more information or advice on data processing, please contact Christine Jackson.