UK: Stopping the Flow of Outsourcing?

For most people in the UK the word outsourcing tends to mean one thing — "sending jobs to India". Many British companies see outsourcing jobs offshore as an excellent way to reduce overheads and India’s large skilled and English speaking workforce are often the telephonists of choice. Outsourcing is clearly far less attractive for UK employees who may find themselves out of a job as a result. Sometimes unions threaten industrial action. Following Lloyds TSB’s recent announcement that it hopes to move 1500 posts to India, however, the Lloyds TSB Group Union began considering a different tactic.

For companies to successfully outsource their customer services abroad they need to make sure that customer service advisers have access to customers’ information: so long as the telecoms operator knows our account details and can deal with our queries we will not be concerned that they are in Bangalore rather than Bognor. To achieve this, companies must transfer customers’ personal data to India and this is where the Lloyds TSB union believes it has an advantage.

Under the Data Protection Act 1998 ("DPA"), companies that control personal data ("Data Controllers") cannot transport data outside the European Economic Area¹ unless the destination jurisdiction provides adequate protection for the rights of the individuals who are the subject of that data ("the Data Subjects"). Unfortunately for Lloyds, India’s legal regime does not provide such protection according to the European Commission². The Lloyds union has complained to the UK’s Information Commissioner ("IC") that the proposed transfer of customers’ personal data to India is not properly authorised under the DPA: if successful, they hope to prevent Lloyds from going ahead with the outsourcing.

In such circumstances, a Data Controller has two main choices: they can either obtain the consent of the Data Subjects to the transfer or put in place sufficient protections for the rights of the Data Subjects.

In cases where there are only a few data subjects involved it may be practical to obtain the Data Subjects’ consent, bearing in mind always that this must be freely given and fully informed. Where there are many thousands of Data Subjects, this may not be so easy. Data Controllers must consider:

1. the costs of obtaining such consents;
2. the likelihood of Data Subjects giving their consent;
3. the public relations issues of publicising such a move.

The only alternative approach recommended by the European Commission is to use either of its sets of standard contractual clauses.³ In the UK a Data Controller need only be satisfied that there are adequate safeguards in place, meaning that other options maybe sufficient. According to the IC, the Data Controller must consider:

1. the nature of the data being transferred;
2. the manner in which the data will be used;
3. the laws and practices in the destination country;
4. whether there is an effective mechanism for individuals to enforce their rights or obtain redress if there is a breach.

The IC recognizes that it may not always be possible to carry out a detailed adequacy assessment and acknowledges that a test may not be necessary where the data is only being transferred to a data processor who will merely carry out a task with the data on behalf of the Data Controller (although a contract guaranteeing proper security and control over the use of the data will still be required).

Although there may be some difficulties, the contractual approach or an adequacy test should be sufficient in most circumstances. It is possible that other issues will thwart such an approach, however. First, there may be some other reason why the data cannot be transferred; for example, if it was collected on the basis that it will only be processed in the UK. Second, it could be that the data will be processed for purposes other than those for which it was originally collected after it is transferred abroad; for example, if data were collected for the purpose of dealing with an order but will now be used for future marketing. In such circumstances, the Data Controller may need to consider it is authorised to carry out the processing at all, regardless of whether the processing occurs in the EEA or elsewhere. Third, it could be that the proposed outsourcing has a very negative response from the public such that the Data Controller decides not to proceed regardless of the DPA compliance issues.

Across the EU, data protection officials tend to take a dim view of data transfers outside the EU. For the moment, the European Commission’s model contract clauses are the only methods for authorising such transfers which are likely to be compliant across the EU.⁴ This means that the argument that the Lloyds union is using may be more effective in other parts of Europe.

Both the Indian Ministry of Information Technology and the National Association of Software and Service Companies (NASSCOM) have been lobbying the Indian government for the introduction of legislation on data protection in order to facilitate data transfers from the EU.

So have the unions found a secret weapon to prevent the exporting of their members’ jobs? In short, the answer is "no": provided that they take the business of compliance seriously there is no reason why companies cannot export data in compliance with the DPA. The contractual route should be more than adequate in most cases. However, if Data Controllers do take their eyes off of the data protection issues which arise from outsourcing, they could find that unions will be able to use the DPA as a rather effective irritant.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.