Always clarify in outsourcing deals who is liable for data security, advises Tamzin Matthew.
The trend for business process outsourcing shows no sign of abating, as organisations strive to achieve cost savings and increase efficiency. Along with this expectation often comes the idea that all the legal liabilities in relation to outsourced processes will be borne by the service provider.
As many companies have discovered to their cost, this is simply not the case, particularly in relation to information security. The Data Protection Act 1998 is a key source of potential liability in any outsourcing transaction involving personal data.
The primary responsibility for breaches of the Data Protection Act lies with the data controller. The definition of that role in the act is "a person who determines the manner in which any personal data is or is to be processed".
This definition sometimes leads to confusion. Although the service provider may impose well-established ways of processing information, this does not automatically make it the data controller in relation to the personal data it receives as part of the outsourcing arrangement.
The deciding factor is whether the provider will be entitled to use the data for its own purposes, and whether it will stop processing the data when the outsourcing contract terminates. The usual position is that the service provider is a data processor and only processes the personal data to achieve the outsourcing company's business purposes.
The Data Protection Act requires data controllers to ensure that the processing is undertaken pursuant to a written contract. The terms required by the Act may not automatically be incorporated into early drafts of an outsourcing contract, particularly if the deal is being agreed on the supplier's standard terms.
The contract must state that (a) the processing of personal data is only to be undertaken on the instructions of the data controller and (b) the data processor is to comply with obligations equivalent to those in data protection principle 7. This principle states that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data".
What is appropriate depends on the kind of technological measures that are available, the type of data being processed and the likely harm that would result from unauthorised processing, loss, damage or destruction.
Data protection principle 7 requires data controllers to "choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out". Potential suppliers should be questioned about their security provisions. It is often only when proper contract negotiations begin that the sales puff can be distinguished from a firm commitment.
The data controller must also "take reasonable steps to ensure compliance with (technical and organisational security) measures". The "sufficient guarantees" are not defined in the Act, but a clear statement of what the appropriate security measures must entail will be crucial. Many organisations impose their internal security policies on service providers, but some adjustments may be required.
The best position the data controller can achieve is to obtain an unlimited indemnity from the service provider to cover the controller's losses and costs arising from any failure to comply with security measures. The commercial reality, however, is that this kind of assurance is difficult to obtain. An ordinary contractual commitment to pay damages for failure to meet the agreed security provisions may be "sufficient".
Outsourcing arrangements are often complex, and a great deal of time and effort needs to be invested in getting them right. Many organisations never involve their internal information security experts at the procurement stage and, in doing so, take an unnecessary risk.
- Tamzin Matthew is a partner in law firm Blake Lapthorn Tarlo Lyons, and specialises in IT law. She can be contacted at Tamzin.Matthew@bllaw.co.uk or on 01865 254262.