Data protection should be a priority from the start of all outsourcing and offshoring contracts if businesses are to retain customer confidence and avoid heavy fines from the Information Commissioner's Office (ICO), according IT trade association Intellect.
The organisation launched its guide to data security and protection in outsourcing contracts, and warned that the protection of people's data is often an afterthought when contracts are written.
If customer data security for a UK company is infringed by an offshore outsourcing company it is the UK company that will be punished by the ICO.
"You can outsource the doing but not the responsibility," said Bill Pepper, director of security risk management at CSC and co-author of the report.
The guide advises suppliers and customers to work together to ensure that personal data protection is considered from the start.
Bridget Treacy, a solicitor at Hunton and Williams and co-author, said if organisations do not think about personal data protection enough at the start it can become difficult expensive and time consuming to fix later on.
"When data-protection issues are addressed at the end of discussions there is no time to do anything about it," she said.
David Evans, senior data protection manager at the ICO, said that since the HMRC customer lost data debacle, where the public sector body lost data including the bank account details of 25 million child benefit claimants, the general public has become much more cautious about how firms they work with protect their personal data.
"In a recent survey, one-third of people said they have actually asked to have their personal details removed from a database," said Evans.
He also revealed that more than half of respondents were not at all confident or had very low confidence in how organisations protect their data."If a business offshores or outsources it has to make sure that the person whose data is being outsourced trusts them," said Evans.
He said contracts should be able to be rewritten if regulations change.