What if I outsource my data management functions to a third party?
Many organisations outsource some of their functions. As a result, a third party may have access to the personal data of that organisation as part of the provision of the outsourced service. Common examples are the use of IT consultants, marketing agencies and external accountants. Whenever data management functions are outsourced to a third party, regardless of whether that company is a subsidiary, extra precautions must be taken to ensure that you do not fall foul of the Act.
When outsourcing to a third party, the Act makes it clear that you must follow specific rules. These include choosing a third party which can provide sufficient guarantees of the security measures, taking steps to ensure that the security measures are followed by the third party, and most importantly, making sure that there is a written contract between the company and the third party to ensure that the principles of the Act are followed. The Act makes it very clear that without a written contract in place, it will be the company that is held responsible to the Information Commissioner for any breaches by the third party. This means that informal agreements or understandings will not suffice.
Lessons to Learn
Any company that holds or processes personal data must:
- Ensure that they have an up-to-date notification in place with the Information Commissioner regarding the personal data that they hold and process.
- Ensure that they regularly review and update their data management policy to comply with their duties under the Act.
- Ensure that they have a written contract in place when they outsource data management functions, even when such outsourcing is within a group of companies.
The negative publicity that the loss of data has attracted recently should be enough to give anyone processing or storing information some food for thought.
For further information please contact Stuart Hendry on 0131 226 8203 or email stuart.hendry@mbmcommercial.co.uk