Since 1998 UK businesses outsourcing marketing services to offshore providers have grappled with how this can de done without breaching the Data Protection Act of that year. Is a compliant data transfer agreement enough or are multiple prior customer disclosures and consents required? A recent official decision suggests things may not be as restrictive as many thought.
Topic: | Data protection |
Who: | The Information Commissioner's Office |
Where: | Wilmslow, Cheshire |
When: | Summer 2005 |
What happened: |
The UK's data protection watchdog, the Information Commissioner's Office, has given advice on the issue of international data transfer which appears to relax a position it had formerly taken on this issue.
The advice arose out of a complaint by an individual that his sensitive personal data, including information relating to his physical or mental health, had been transferred by a company providing him with financial services ("Provider") to a data processor in India ("Processor") without his written consent.
The question asked was whether this breached the terms of the Data Protection Act 1998. The Provider defended its position on the basis that the transfer had taken place pursuant to a written contract in place between itself and Processor.
Data controller/data processor contract
The contact made it clear that the Processor was at all times processing the complainant's data on behalf of and on the instructions of the Provider. This rendered the Processor a "data processor", whilst the Provider was a "data controller."
The DPA requires that all relationships between UK data controllers and data processors, wherever they are located, who are processing personal data on their behalf must be in writing and must deal with particular aspects. These include the data processor holding the data securely and only processing the data pursuant to the instructions of the data controller.
Another hurdle?
So far so good for the Provider. Up to the point of this complaint however, the accepted wisdom had been that despite the existence of such a contract, if personal data was to be transferred out of the European Economic Area ("EEA"), a further regulatory hurdle would have to be surmounted in order to ensure that the transfer was legal.
Data Protection Principle Eight renders all transfers of personal data from the UK to locations outside the EEA (EU plus Norway, Iceland and Liechtenstein) illegal unless certain narrow gateways can be passed through. One of these gateways is the data subject's consent. There is also the "fair and lawful" processing required by Data Protection Principle One.
So does this mean that in this particular case, the data subject's explicit consent should have been obtained, by way, for example, of ticking an opt in box, before his data was transferred to India?
Up until recently, the accepted view has been that such explicit consent was required. The recent ICO advice on the complaint in question, however, suggests that its position has changed. In the ICO's view, such explicit consent is not needed provided there is a compliant data controller/data processor agreement in place between the transferor and transferee of the data in question.
The rationale of this is that the UK data controller will remain in control of the personal data at all times. This means that provided valid consent was obtained in the first place from the data subject to his data being used for purposes including those for which his data was transferred to India, no separate, explicit consent is needed before the transfer of the data to India can take place.
Why this matters: |
The "advice" of the ICO on this point is not necessarily legally binding, but this is certainly an encouraging development for those wishing to minimise the extent to which further consents are required from data subjects with whom they deal whilst at the same time wishing to treat customers fairly and ensure customer data is processed only pursuant to their instructions.
It must be borne in mind that this advice only applies to data controller/data processor transfers: where the transfer is from a UK data controller to an ex EEA data controller, different considerations will apply.