This good practice note sets out what you need to do to comply with the Data Protection Act 1998 when you outsource the processing of personal information. Typical examples would include outsourcing your payroll function or customer mailings. It sets out which parts of the Act are important when outsourcing work and provides some good practice recommendations.
It applies when you use an organisation to process personal information for you, even though you keep liability for the information and full control over its use.
What does the Act require?
When you contract or arrange with someone to process personal information on your behalf you remain responsible for the processing. This means that you will be liable for breaches of the Act.
• Outsourcing to any organisation
The Act requires you to take appropriate technical and organisational measures to protect the personal information you process, whether you process it yourself or whether someone else does it for you. To decide what measures are appropriate you need to take into account the sort of information you have, the harm that might result from its misuse, the technology that is available to protect the information and also what it would cost to ensure an appropriate level of security.
When you employ another organisation to process personal information for you, you must choose one that you consider can carry out the job in a secure manner and, while the work is going on, you should check that they are doing this. You must also have a written contract in place with them. This contract must:
• make sure they only use and disclose the personal data in line with your instructions; and
• require them to take appropriate security measures.
The contract must be in place regardless of where the other organisation is based.
• Outsourcing to an organisation outside the EEA
The Act requires that where personal information is transferred to any country or territory outside the European Economic Area there should be an adequate level of protection in place. If you are outsourcing work on personal information to an organisation outside the EEA, for example, to a call centre based in Asia or a processor based in the USA, you will have to make sure that the information is adequately protected. This applies to the method you use to transfer the information to and from the processor, as well as to the job role itself.
There are two relatively simple ways to do this.
• If you use an organisation based outside the EEA to act on your behalf, as long as there are appropriate security measures in place, it is likely that there will be adequate protection for personal information. This is because the use of appropriate security measures, the selection of a reputable organisation and restrictions on the use of the information will all help ensure an appropriate level of protection for personal data. However, you need to be sure that the contract with the other organisation and its terms are enforceable in the country in which the processor is located.
• You can also use the model contract clauses approved by the European Commission and the Information Commissioner for transfers to organisations outside the EEA acting on your behalf. These contract terms can be used independently or incorporated into your main contract for outsourcing work services with the organisation.