Businesses that outsource call centres or other data processing outside Europe must take account of special Data Protection Act provisions or face legal action, the Information Commissioner’s Office has warned.
The information watchdog has published updated guidance on transferring personal information outside the European Economic Area (EEA), to help data controllers comply with the law.
The 1998 Data Protection Act prohibits the transfer of personal information outside the EEA unless there is an adequate level of protection for the information, and for individuals’ rights in relation to that information.
The new guidance has been drawn up to help businesses analyse how and when they must assess the levels of protection for data transfer and when exemptions apply. It includes detailed guidelines on the use of outsourcing and other contracts and binding corporate rules.
Deputy information commissioner David Smith, said, “A UK-based business outsourcing a call centre or other aspect of its data processing abroad remains legally liable for any failings. It could face legal action by the Information Commissioner’s Office and by an individual even if a breach takes place outside the UK.
“We are therefore urging all businesses processing personal information abroad to study our updated guidance. It is in their interests to do so."
Vote for your IT greats
Who have been the most influential people in IT in the past 40 years? The greatest organisations? The best hardware and software technologies? As part of Computer Weekly’s 40th anniversary celebrations, we are asking our readers who and what has really made a difference?
Vote now at: www.computerweekly.com/ITgreats