This week the ICO has published a useful Good Practice Guidance note on how to comply with the Data Protection Act (DPA) when outsourcing the processing of personal information.

The Guidance stresses that under the DPA, when a company uses an outside organisation to process personal information on its behalf, the company remains liable for the security and accuracy of information and how the information is used.

To limit this exposure to liability, the Guidance advises that companies considering outsourcing should contract only with organisations they can rely on to take proper care of the information entrusted to them, and should put mechanisms in place that let them check the data is being looked after properly. The Guidance also sets out a list of further recommendations.

This week the ICO has published a useful Good Practice Guidance note on how to comply with the Data Protection Act (DPA) when outsourcing the processing of personal information, for example your payroll function.

The Guidance sets out which parts of the DPA you should be aware of when outsourcing and provides some good practice recommendations.

The DPA applies when a company uses an outside organisation to process personal information on its behalf. One of the most important provisions under the DPA is that the company remains liable for breaches of the DPA made by the outside organisation.

The DPA requires you to take appropriate technical and organisational measures to protect the personal information being processed. To ensure this provision is complied with, you need to consider the following factors: the sort of information you have, the harm that might result from its misuse, the technology that is available, and what it would cost to ensure an appropriate level of security. This applies regardless of where the outside organisation is based.

The Guidance stresses the importance of making sure that you have a written contract in place with your chosen organisation which states that they can only use and disclose the personal data in line with your instructions and which requires them to take appropriate security measures.

If you outsource processing outside the EEA, perhaps to a call centre based in Asia or a transcription service based in Africa, you will have additional considerations to make sure that the information is adequately protected. You should ensure that the terms of the contract with the processor are enforceable in that country and should consider using the model contract clauses approved by the European Commission and the Information Commissioner where appropriate.

The Guidance makes the following general recommendations when outsourcing the processing of personal data:

  • Select a reputable organisation offering suitable guarantees about their ability to ensure the security of personal data;
  • Ensure that the contract with the organisation is enforceable;
  • Ensure that the organisation has appropriate security measures in place;
  • Ensure that they make appropriate checks on their staff;
  • Audit the other organisation regularly to make sure they are ‘up to scratch’ on Data Protection requirements;
  • Require the organisation to report any security breaches or other problems; and
  • Have procedures in place that allow you to act appropriately when you receive one of these reports.


This article was written for Law-Now, CMS Cameron McKenna's free online information service. To register for Law-Now, please go to www.law-now.com/law-now/mondaq

Law-Now information is for general purposes and guidance only. The information and opinions expressed in all Law-Now articles are not necessarily comprehensive and do not purport to give professional or legal advice. All Law-Now information relates to circumstances prevailing at the date of its original publication and may not have been updated to reflect subsequent developments.

The original publication date for this article was 02/05/2006.