Outsourcing the Processing of Personal Information - Guidance  - Sisman Nichols Solicitors - Clifton, Kingswood, Bristol

Outsourcing the Processing of Personal Information - Guidance

The Information Commissioner’s Office offers guidance on how to comply with the Data Protection Act 1998 (DPA) when you outsource the processing of personal information, such as your payroll function or customer mailing information.

If you use an outside organisation to process personal information on your behalf, you remain responsible for the processing and will be liable for any breaches of the DPA. The Act requires that you take the appropriate technical and organisational measures to protect the information being processed whether this takes place in-house or whether someone else does it for you. In order to decide what measures are needed, the following should be taken into account:

  • what sort of information is being processed?
  • what harm might result from its misuse?
  • what technology is available to ensure the appropriate level of security?
  • what would be the cost of providing this level of security?

The guidance stresses that if you employ another organisation to process personal information for you, you must select one that you believe will carry out the work in a secure manner. Ongoing checks should be made to ensure that this is the case. Wherever the organisation is based, you must have a written contract with them. This should state that the personal data can only be used and disclosed in line with your instructions and that appropriate security measures must be taken.

If you are using an organisation based outside the European Economic Area, make sure the contract is enforceable in that country.

In summary, the good practice recommendations if you want to outsource the processing of personal data to an outside organisation are:

  • select a reputable organisation offering suitable guarantees as to their ability to ensure the security of the data;
  • make sure the contract is enforceable;
  • make sure the appropriate security measures are in place;
  • make sure that the organisation makes appropriate checks on its staff;
  • audit the organisation regularly to make sure it is up to standard;
  • require the organisation to report any breaches of security or other problems; and
  • put in place procedures that allow you to act appropriately if a problem is reported.

The guidance can be found on the Information Commissioner's website.

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute, legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.
 


Sisman Nichols and Ledbury Raskin are trading names of, and businesses run by, Sisnic Legal Services Limited.
Sisnic Legal Services Limited is registered in England and Wales, number 3512183,
registered office 11 Elmdale Road, Clifton, Bristol BS8 1SL, and is recognised and regulated by The Solicitors Regulation Authority.