Saturday, May 26, 2007

Data theft - Call Centres

Newsnight presented a short excerpt on data theft, and in particular, the worrying problem of the ease with which personal information can be obtained from call centres located in India. Outsourcing of personal information to companies overseas is not new. However, the questions that will need to be asked (in the context of data protection) is the extent to which a UK organisation(s) (engaged in outsourcing activity) complies with the Data Protection Act 1998? Is there a data protection officer employed? If customer information is being outsourced to a company in India, are there adequate safeguards in place to ensure that data protection rules are in place? Just another reminder that the Data Protection Act 1998 (Sch. 1) contains eight data protection principles:
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

It is the eight data protection principle which is particularly relevant. A list of factors to take into account when considering an adequate level of protection can be found in Sch. 1, Part. II, para. 13 of the UK Data Protection Act 1998:

13. An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to-

(a) the nature of the personal data,

(b) the country or territory of origin of the information contained in the data,

(c) the country or territory of final destination of that information,

(d) the purposes for which and period during which the data are intended to be processed,

(e) the law in force in the country or territory in question,

(f) the international obligations of that country or territory,

(g) any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and

(h) any security measures taken in respect of the data in that country or
territory.
India does not currently have data protection laws and the proposal to amend their existing Information Technology Act 2000 is likely to raise questions over the remedies available for breach of data privacy. This (ie. remedies) will need to be strengthened if it has not already been addressed and secondly, there will be a need for better enforcement mechanisms against organisations (based in the UK that outsource the processing of personal information of customers etc. overseas) that do not adhere to the UK DPA 1998. This can be particularly problematic, if an individual based in UK finds that his or her rights under the UK Data Protection Act 1998 is not adhered to because his personal information is processed abroad without the adequate legislative safeguards in place. First point would be to complain to the organisation that holds your personal information. If this is unsatisfactory, then the next point of call would be to contact the UK Information Commissioner's Office. Finally, the amendments to the current India Information Technology Act 2000 under the proposed Amendment Bill (2006) will be worth following. See also:

No comments: