Data Protection Act

The Data Protection Act 1998 [1] (the "Act") sets out the regulatory framework for dealing with personal data in the UK, imposing obligations on those organisations that it defines as "data controllers" (i.e., those persons who decide the purposes for which, and the manner in which, personal data are to be processed). It applies to any entity, whether UK or non-UK, that controls personal data. "Personal data" is defined as any information which allows a data subject to be identified (e.g., an individual's name, date of birth or address). Data controllers may be liable to penalties under the Act, both civil and criminal, if personal data is not "processed" correctly. The Act applies such a wide definition to processing that if, for example, a company outsources the processing of any personal data to a third party (e.g. to a payroll bureau), the company will be liable for all infringements of the Act, even if the infringements are carried out by the third party.

The Good Practice Note - Outsourcing and Data Protection

The Information Commission regulates the Act in the UK. It has recently issued the following practice note: Data Protection Good Practice Note: Outsourcing – a guide for small and medium sized businesses [2] (the "practice note"). Essentially the practice note says little new, although it does stress the point (though not explicitly) that 'processing' is defined so widely as to encompass outsourcing.

What the Practice Note Actually Covers

The Act sets out eight data protection principles with which all data controllers must comply. These principles are set out at Schedule 1 of the Act. The practice note covers the seventh and eighth data protection principles and provides guidance for small and medium sized businesses that outsource the processing of their personal data. The seventh principle requires data controllers to ensure that appropriate technical and organisational measures are taken against incorrect processing of their personal data. The eighth principle states that personal data shall not be transferred to a country outside the European Economic Area (the "EEA") unless that country ensures an adequate level of protection.

Small and Medium Sized Businesses

Small and medium sized businesses are not defined in the practice note or by the Act. Presumably, the Information Commission is using the Companies Act 1985 definition; however, this was amended by The Companies Act 1985 (Accounts of Small and Medium-sized Enterprises and Audit Exemption) (Amendment) Regulations 2004 [3]. Under those Regulations, a small company has a turnover of not more than £5.6 million, a balance sheet total of not more than £2.8 million and not more than 50 employees. A medium-sized company has a turnover of not more than £22.8 million, a balance sheet total of not more than £11.4 million and not more than 250 employees. It is worth noting that this definition is not universally applied in the UK. In any case, the fact that the practice note title targets small and medium sized businesses is misleading: large businesses would be well advised to take heed of the practice note.

Outsourcing to Any Organisation

The practice note sets out various general obligations that all companies, whether outsourcing within or outside the EEA, must consider when outsourcing personal data processing to a third party supplier or other entity (which could include another company within the same group). Essentially, the practice note repeats, in a different order and without acknowledgement, the seventh data protection principle at Schedule 1 of the Act, and the interpretation of the seventh data protection principle at Schedule 1, Part II, paragraphs 9-12. Nothing new is stated here. The practice note then goes on to make seven good practice recommendations to enable a company to comply with its obligations under the seventh data protection principle. These are as follows:

  1. select a reputable organisation offering suitable guarantees about their ability to ensure the security of any personal data;
  2. make sure the contract with the organisation is enforceable;
  3. make sure the organisation has appropriate security measures in place;
  4. make sure that they make appropriate checks on their staff;
  5. audit the other organisation regularly to make sure they are ‘up to scratch’;
  6. require the organisation to report any security breaches or other problems; and
  7. have procedures in place that allow you to act appropriately when you receive one of those reports.

These seven good practice recommendations are good so far as they go. However, there is no further practical guidance on the meaning of ‘reputable,’ ‘suitable,’ ‘enforceable,’ ‘appropriate,’ ‘regularly,’ and ‘up to scratch.’

Outsourcing to an Organisation Outside the EEA

The practice note explains that there are two ‘relatively simple’ ways to ensure compliance with the eighth principle:

  1. select a reputable organisation, ensure appropriate security measures, place restrictions on use, and ensure that the ad hoc contract with the third party supplier or other entity is enforceable in that country;
  2. alternatively, use the model contract clauses approved by the European Commission (the "EC") and the Information Commissioner for transfers to organisations acting on your behalf. These contract terms can be used independently or incorporated into the Master Services Agreement with the organisation.

The practice note then goes on to say that these are only two of the ways of ensuring compliance. However, what the practice note does not say is that ad hoc contracts still require authorisation by the Information Commission; that the EC model contract clauses are regarded as prohibitively cumbersome; that they are under review by the EC; and that the model contract clauses that apply to transfers from data controllers to data processors [4] do not mention the possibility of onward transfers of data at all.

Furthermore, the practice note does not highlight the fact that the ad hoc and model clause contracts are a derogation to be used if the final destination of the personal data is to a country which does not have an adequate level of protection. The US and EC worked together to draw up the Safe Harbor framework to provide such a level: data can therefore be transferred (without the use of the ad hoc or model clause derogations) to US signatories to Safe Harbor.

Concluding Remarks

The practice note provides a useful reminder of the need to ensure compliance with the Act whenever a third party is engaged by a data controller as its data processor. The wide interpretation of processing imposed by the Act means that this is sometimes overlooked. Moreover, the Act imposes no obligations on a data processor by itself. It is down to the data controller to ensure, through the means outlined above, that it obtains adequate protections in its contract with the data processor in the event of any failure to process in accordance with the Act; for which the data controller remains liable. Businesses contemplating an outsourcing arrangement which will include the processing of personal data are advised to ensure that robust data protection clauses are inserted into the Master Services Agreement.

Further information is available at the Information Commission's webpage on transferring personal information outside the EEA [5] and the EC webpage on model contracts [6].

Footnotes

1. http://www.opsi.gov.uk/ACTS/acts1998/19980029.htm

2. http://www.ico.gov.uk/cms/DocumentUploads/Outsourcing_a_guide_for_small_medium_businesses.pdf

3. http://www.opsi.gov.uk/si/si2004/20040016.htm

4. http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_006/l_00620020110en00520062.pdf

5. http://www.ico.gov.uk/eventual.aspx?pg=SR&cID=1399

6. http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm

Live Links

Office of Public Sector Information; Data Protection Act 1998, 1998 Chapter 29

Information Commissioner’s Office; Data Protection Good Practice Note, Outsourcing – a guide for small and medium sized businesses

Office of Public Sector Information; Statutory Instrument 2004 No. 16

Official Journal of the European Communities; Commission Decision, 27-December-2001

Information Commissioner’s Office; International Transfers, Transferring personal information outside the European Economic Area

European Commission; Freedom, Security and Justice; Model Contracts for the transfer of personal data to third countries

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.