Member Article

The Information Commissioner's Office (ICO) recently fined an organisation £250,000 fter its outsourcing vendor carelessly dumped confidential financial data in ublic recycling bins. This incident provides a stark reminder to organisations
that they remain legally responsible for personal data, even where they utsource data processing activities to third parties. Scottish Borders Council ase The facts of this case are not particularly remarkable, which is often a
feature of data breach incidents. Here, the Scottish Borders Council had utsourced to a third party the task of digitising the pension records of its urrent and past employees. A member of the public noticed that a recycling ank was overflowing with paper files and, having established the nature of the iles, handed them to the police. It transpired that the outsourcing vendor had
dumped some six boxes containing 676 files of the Scottish Borders Council's ension records at the recycling centre. The files contained confidential nformation, including names, addresses, national insurance numbers and dates
of birth and, in many cases, financial details.

      
The council, as controller, had failed to choose a data processor providing sufficient guarantees in relation to the technical and
organisational security measures governing the processing;

 ·   There was no procedure for monitoring the processing to ensure it was conducted securely;

·    There was no written contract, restricting the scope of the data processing and stipulating relevant security measures;

·   The nature of the data that were compromised was such that substantial damage or distress may have been caused to individuals.

Requirements of DPA The Data Protection Act 1998 (DPA) imposes obligations on data controllers and, where the controller uses a third party to conduct the processing, the DPA requires the controller to enter into a written contract, which must restrict the purposes for which the data are processed, and impose adequate data security requirements. Organisations need to be aware that the use of any third party for data processing activities must be undertaken in accordance with the DPA, even where the task is apparently as routine as digitising manual records. The data controller cannot outsource its responsibility for compliance with the DPA when it outsources data processing activities. Organisations must ensure that they conduct appropriate diligence on prospective vendors, and understand whether the processing involves personal data. Some organisations do not have a vendor diligence process, or may even be unaware of the fact that data processing has been outsourced. Increasingly, given the relatively low costs associated with cloud-based data processing, organisations are not aware that data processing is being conducted in a cloud environment, which may further affect the risk assessment.

Best practice Organisations should ensure that appropriate procedures are followed when data processing is outsourced. These procedures should include:

·   Select a reputable third party;

·   Determine what data will be processed by the third party, and whether it includes personal data;

·   Determine whether any of the processing is cloud based;

·   Ensure that the third party can ensure the data will be safeguarded utilising appropriate technical and organisational
security measures;

·   Verify that the third party conducts appropriate security checks on its staff;

·   Execute a written contract that limits the purposes for which the data may be processed, obliges the third party processor
to ensure adequate security measures are in place and requires the processor to report any security breaches immediately;

·   Monitor the data processing activities, and conduct audits as appropriate;

·   Ensure staff are appropriately trained to identify outsourcing arrangements and to implement appropriate measures to
ensure legal compliance and manage risk.

For now, fines for serious breach of the DPA are capped at £500,000, but under proposals for a new general data protection regulation in Europe, fines for breach are to be capped at 2 percent of worldwide turnover. Further, the proposed data protection regulation requires that security breaches are reported to the relevant regulator within 24 hours, and to individuals where there is a serious risk of harm. It is widely anticipated that the 24 hour period for reporting breaches will be extended before the regulation is finalised, but the requirement to report breaches is unlikely to disappear. Organisations must therefore ensure that they have in place robust procedures for responding to a security breach incident. These should include a policy which addresses the following issues:

·  Identifies members of the incident response team;

·  Prescribes measures for containing the breach;

·   Prescribes measures for investigating and evaluating the risks associated with the breach;

·   Establishes criteria for determining who is affected by breach;

·    Establishes criteria for determining whether harm is likely to follow;

·    Prescribes reporting and notification obligations.

The Scottish Borders Council case serves as a reminder that the ICO will hold a controller to account for a data breach by a processor acting on its behalf. Organisations which choose to outsource their data processing activities must ensure that they conduct appropriate due diligence and incorporate relevant contractual safeguards to keep the data secure and help mitigate the risk of data breach. Doing nothing, and hoping for the best, is not an option.

Bridget Treacy leads the UK Privacy and Information Management practice at Hunton & Williams. Her practice focuses on privacy, data protection, information governance and e-commerce issues for multinational companies across a broad range of industry sectors.
Bridget can be reached on +44 (0) 20 7220 5731.