Data protection should be a priority from the start of all
outsourcing and offshoring contracts if businesses are to retain
customer confidence and avoid heavy fines from the Information
Commissioner's Office (ICO), according IT trade association
Intellect.
The organisation launched its guide to data security and
protection in outsourcing contracts, and warned that the protection
of people's data is often an afterthought when contracts are
written.
If customer data security for a UK company is infringed by an
offshore outsourcing company it is the UK company that will be
punished by the ICO.
"You can outsource the doing but not the responsibility," said
Bill Pepper, director of security risk management at CSC and
co-author of the report.
The guide advises suppliers and customers to work together to
ensure that personal data protection is considered from the
start.
Bridget Treacy, a solicitor at Hunton and Williams and
co-author, said if organisations do not think about personal data
protection enough at the start it can become difficult expensive
and time consuming to fix later on.
"When data-protection issues are addressed at the end of
discussions there is no time to do anything about it," she
said.
David Evans, senior data protection manager at the ICO, said
that since the
HMRC customer lost data debacle, where the public sector body
lost data including the bank account details of 25 million child
benefit claimants, the general public has become much more cautious
about how firms they work with protect their personal data.
"In a recent survey, one-third of people said they have actually
asked to have their personal details removed from a database," said
Evans.
He also revealed that more than half of respondents were not at
all confident or had very low confidence in how organisations
protect their data."If a business offshores or outsources it has to
make sure that the person whose data is being outsourced trusts
them," said Evans.
He said contracts should be able to be rewritten if regulations
change.