General
The DPA applies to the “processing” of “personal data”, both of which terms are very widely defined. This means that practically any business operating in the UK which holds information about individuals (whether employees, customers or anyone else) is affected by the DPA. Since breaches of data protection laws can result in criminal as well as civil liability (not to mention adverse publicity, which is increasingly the likely result of non-compliance), no organisation can afford to ignore its data protection obligations. This is not always easy given the complexity of the DPA and the number of obligations it imposes on those who process personal data.
The DPA applies only to personal data. Data is defined as information which is being processed by means of equipment that operates automatically in response to instructions given for that purpose, or is recorded with the intention that it should be processed by means of such equipment. The DPA therefore applies to automated data, such as that stored on a computer. It also extends to certain manual records.
In January 2009, the Information Commissioner’s Office (“ICO”) issued a technical guidance note in the form of a flowchart of numbered questions, which aims to help data protection practitioners determine whether information falls within any of the four categories of data covered by the DPA (see: http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/what_is_data_for_the_purposes_of_the_dpa.pdf).
All of the obligations under the DPA fall on the data controller. This is defined as the person who (either alone, jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is, or is to be, processed. For example, a company will be the controller of the data processed relating to its employees or customers. An entity may be a data controller even if the information concerned is held by a third party (for example, where payroll administration is outsourced to a third party), and there may be more than one data controller in respect of the same data (for example, companies in the same group which use the same data for different purposes).
In contrast, a data processor processes personal data only on behalf of a data controller. Where, for example, payroll administration is outsourced to a third party, that third party will usually be a data processor. Even though the DPA does not impose obligations directly on the data processor, it does require the data controller to pass on obligations to the data processor.
The role of a data controller (the customer)
Most customers in outsourcing contracts are the data controllers – they own the personal data of their customers, employees and website users which may be the object of outsourcing and determine the purposes for which such personal data is processed and used.
As a data controller, the customer is primarily responsible for compliance with the applicable data protection laws and should not pass that compliance responsibility on to the service provider.
This means the customer must satisfy itself that it has complied with its obligations under the law before passing personal data to the service provider for processing.
In addition, the customer must provide lawful instructions to the service provider, as its data processor, with regard to the specific compliance steps that it wishes to carry out, or have carried out on its behalf, in relation to personal data which is processed by the service provider. Such steps may include:
- drafting notices to individuals about the processing of their personal data by the customer and the service provider;
- deciding what legal grounds under data protection law exist for lawful processing of personal data (either by the customer or by the service provider) and ensuring that, where necessary, any consents are drafted and obtained;
- ensuring personal data is adequate, relevant for the purpose, accurate and up to date;
- setting the retention schedules for personal data;
- dealing with any requests from individuals to exercise their rights under data protection laws, such as the right of access or the right to object to direct marketing, and making legal decisions on any possible exemptions from these rights as provided in the applicable data protection laws;
- notifying/registering processing activities with the Information Commissioner’s Office; and
- ensuring there is a legal basis for lawful transfers of personal data to a country without data protection laws, as required by data protection laws.
The role of the data processor (the service provider)
As a data processor, the service provider’s responsibilities are to:
- process customer personal data on behalf of and on instructions from the customer;
- process customer personal data only in accordance with and for the purpose of provision of the services under the outsourcing contract; and
- ensure that there are appropriate technical and organisational measures in place to protect customer personal data against unauthorised or unlawful access, processing and disclosure, and against loss, alteration or destruction of such personal data.
As a data processor, the service provider must not take on the role of data controller. For example, the service provider should not be permitted to:
- decide on different uses and purposes of customer personal data;
- suggest different uses and sources of data;
- carry out any activities which are outside the scope of the agreement and beyond customer instructions; and
- use customer data for its own research, business/product development or other purposes.
If the service provider were to take on the role of data controller, then the service provider would be responsible for substantive data protection compliance in respect of customer data and would have to comply with every complex requirement of every applicable data protection law. The service provider, its employees and executives would become directly responsible, and potentially criminally liable, for any breach of any requirement of data protection law.
Addressing the roles and responsibilities of parties in outsourcing contracts
It is important that the roles of the customer (as data controller and data owner) and the service provider (as data processor) are clearly defined in the outsourcing contract.
The customer should seek the following additional requirements from the service provider:
- having a right of audit of the service provider premises and procedures for compliance with data protection and data security requirements of the law and the outsourcing contract;
- prompt assistance with dealing with rights of individuals;
- assisting with any regulatory inquiry or enforcement action; and
- ensuring the reliability of staff handling customer personal data.
Indemnity and liability
Customers should ask for a specific indemnity for breach of data protection provisions of the outsourcing contract.
The customer should also consider asking for an unlimited indemnity and unlimited liability for data protection contractual breaches. Service providers will attempt to avoid this on the basis that they perceive the risk of accepting unlimited liability as too great, given the multitude of regulatory enforcement actions and individual actions and claims that can arise out of a data protection and/or data security breach. This is a commercial point which needs to be negotiated on a case-by-case basis.
Subcontracting
Where the service provider uses subcontractors for the provision of services to its customers, the customer remains the data controller, the service provider is the data processor and the subcontractor is the sub-processor.
The outsourcing contract should include wording to cover the scenario of the service provider engaging a subcontractor for the provision of services to the customer, and should require the service provider to procure full compliance with the terms and conditions by the subcontractor. Ideally, the provisions and obligations of the service provider as a data processor in the main outsourcing contract should be flowed down into the agreements with subcontractors.
Practical tips for a customer
The customer should consider the following in respect of data protection provisions in an outsourcing contract:
- include minimum data protection outsourcing wording to address the distinction and the roles and responsibilities of the data processor/service provider and the data controller/data owner, irrespective of the country of origin of the data, or whether data will be transferred internationally;
- specify that the service provider will act on the instructions of the customer;
- specify that the customer is primarily responsible for compliance with applicable data protection laws, and that the service provider will follow the customer’s instructions in order to help the customer maintain its compliance with such laws;
- build in change-management provisions so that a change of law or a change of interpretation of law that imposes a material change in services on the service provider does not result in a cost impact on the customer;
- seek that the service provider “complies with applicable data protection laws”;
- seek that the service provider agrees to cooperate and/or assist with regulatory investigations, complaints, and enforcement actions;
- seek that the service provider agrees to the customer’s right to audit the service provider processing premises, policies and procedures; and
- seek that the service provider agrees to a general duty to train its staff to handle the customer’s data reliably.
International transfers of personal data
The eighth data protection principle states that:
“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. (Paragraph 8, Part I, Schedule 1, DPA)”
Transfers of personal data to a country outside the EEA (the 25 EU member states plus Iceland, Liechtenstein and Norway), otherwise known as a “third country”, are therefore prohibited unless:
- there is an adequate level of protection for the data subjects’ rights and freedoms;
- the parties have put in place appropriate safeguards; or
- one of the exemptions set out in Schedule 4 of the DPA applies.