Outsourcing the Processing of Personal Information - Guidance

The Information Commissioner’s Office offers guidance for small businesses on how to comply with the Data Protection Act 1998 (DPA) when you outsource the processing of personal information, such as your payroll function or customer mailing information.

If you use an outside organisation to process personal information on your behalf, you remain responsible for the processing and will be liable for any breaches of the DPA. The Act requires that you take the appropriate technical and organisational measures to protect the information being processed whether this takes place in-house or whether someone else does it for you. In order to decide what measures are needed, the following should be taken into account:

  • what sort of information is being processed?
  • what harm might result from its misuse?
  • what technology is available to ensure the appropriate level of security?
  • what would be the cost of providing this level of security?

The guidance stresses that if you employ another organisation to process personal information for you, you must select one that you believe will carry out the work in a secure manner. Ongoing checks should be made to ensure that this is the case. Wherever the organisation is based, you must have a written contract with them. This should state that the personal data can only be used and disclosed in line with your instructions and that appropriate security measures must be taken.

If you are using an organisation based outside the European Economic Area, make sure the contract is enforceable in that country.

In summary, the good practice recommendations if you want to outsource the processing of personal data to an outside organisation are:

  • select a reputable organisation offering suitable guarantees as to their ability to ensure the security of the data;
  • make sure the contract is enforceable;
  • make sure the appropriate security measures are in place;
  • make sure that the organisation makes appropriate checks on its staff;
  • audit the organisation regularly to make sure it is up to standard;
  • require the organisation to report any breaches of security or other problems; and
  • put in place procedures that allow you to act appropriately if a problem is reported.

The guidance can be found on the Information Commissioner's website.

See also our guidance on the eight data protection principles.

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute, legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.
