Data security and offshoring



Keywords: data security, offshore, data protection, India

Belinda Haden

Received (in revised form): 12 September 2005

Abstract

This paper addresses how organisations can ensure that personal data are protected when outsourcing call centres offshore.

Introduction

Recent stories in the tabloid press suggesting that customers’ personal data have been offered for sale by workers in Indian call centres have called into question security of data when Western companies outsource business functions offshore. The Sun newspaper revealed in June 2005 that an Indian ex-call centre employee had sold its reporter financial data about 1,000 UK bank customers for £3 per record. The story appears to imply that the UK Data Protection Act of 1998 covers data security requirements within the UK, but that outsourcing work to offshore destinations automatically moves data security outside the jurisdiction of UK and European data laws. Any average reader could be forgiven for assuming that, if their data are in the hands of a company that has placed work offshore, their data are not protected by law. This is far from the truth, as this paper will show.

Data Protection Act 1998

The 1998 Data Protection Act makes a number of requirements, many of which pertain to the privacy of data and the rights of individuals to expect their data to be handled and stored securely. Specifically, data controllers must comply with the Act’s eight principles of good information handling practice. The principles require personal data to be:

— processed fairly and lawfully
— processed only for limited purposes
— adequate, relevant and not excessive
— accurate
— not kept longer than necessary
— processed in accordance with individuals’ rights
— kept secure
— not transferred to countries outside the European Economic Area (EEA) without adequate protection.

Belinda Haden, CM Insight, The Old Warehouse, Church Street, Weybridge, Surrey KT13 8DG, UK. Tel: +44 (0)1932 268100. E-mail: belinda.haden@cm-insight.com

Data security and transfer

It is the seventh and eighth principles, then, that are relevant to the recent alleged security breaches. It is worth noting, also, that the Act does not expressly forbid transfer out of the EEA, simply transfer without adequate protection.

© Palgrave Macmillan Ltd 1746-0174/06 $30.00 Vol. 7 No. 3 pp 266–269.

Journal of Direct, Data and Digital Marketing Practice


Sending data overseas

Check which law applies

If your company is sending personal data to other countries within the EEA (the 25 member states of the European Union, plus Iceland, Liechtenstein and Norway), then the UK Data Protection rules allow you to transfer data without further provision. But, since some of the new Central and Eastern European member states may not yet have enacted data protection legislation, you would be well advised to be cautious and treat them as if they were outside the EEA, as follows. If you are sending personal data to countries outside