As more and more call or ‘contact’ centre functions are contracted out to overseas providers, UK laws controlling the transfer and processing of personal data are often overlooked in the rush. Osborne Clarke partner, James Mullock, focuses on the risk management issues.
Data processor agreements are playing a crucial role in the hot cost reduction topic of the moment, overseas outsourcing. Amongst the questions being asked by the directors of the growing number of European businesses which have hired overseas service providers are: what operational risks could the outsourcing give rise to, and what legal implications arise from outsourcing business operations overseas?
The two questions are becoming increasingly inter-linked. More and more data management laws and regulations are focusing on penalising companies which allow their operations to be run without an assessment first having been made of the operational risks which the business could face. Failure to agree provisions with an outsourced service provider which deal with such risks head on could leave a business exposed, not only in legal and regulatory terms but also when the cover offered by its insurance policy is assessed.
Operational Risk Issues
Technology lawyers advising businesses which are outsourcing activities to third parties have been drafting clauses to manage the operational risks which arise from losing direct control over areas of their operations for as long as outsourcing has been around. The obligations in the 1995 Data Protection Directive which were enacted in the UK's 1998 Data Protection Act as the Seventh Principle merely gave legal justification for doing so – the Seventh Principle requires a data controller to enter into a written agreement with a data processor obliging it to use personal data only as directed by the controller, and to adopt appropriate measures to ensure adequate security of that data.
A legal trend which has developed since the introduction in the UK of the 1998 Act has been for individual sectors to introduce regulations which impose data management obligations to reinforce those imposed by data protection laws. In many cases data protection laws will not cover a business activity because, although data is being processed, it is not "personal" or "sensitive" data as defined in the 1998 Act. Data protection advisors, in particular those grappling with the legal consequences of outsourcing operations overseas, need to be alive to these sector-specific regulations as they often impose specific operational requirements. My feeling is that 2004 will see an increase in the number of codes of practice and regulations which contain obligations relating to operational risk management and data security.
It is the financial services sector which has led the way in imposing such regulations. For example, since 2001 businesses regulated by the Financial Services Authority ("FSA") have been obliged by the FSA's Guide to Outsourcing (the "Guidelines") to pre-notify the FSA of the details of their arrangements for any material outsourcing which they undertake. Like the Data Protection Act's Seventh Principle, the Guidelines specifically require that service levels be formalised in writing. On receiving a notification of a material outsourcing the FSA has the opportunity to consider whether the other requirements contained in the Guidelines have been complied with. Examples of such requirements which could be particularly relevant to anyone engaging an overseas outsourced service provider are set out below. They offer an interesting checklist of issues for any business which is considering outsourcing elements of its operations, whichever sector it operates in:
- A right of audit must be retained over a supplier in a way which enables its performance to be assessed on an ongoing basis. Anyone outsourcing overseas is clearly going to need to carry out some due diligence into which elements of a service provider's operations should be audited, what assistance the service provider should (and is willing to) offer, and what forum the service provider will accept for considering the results of an audit and acting upon its recommendations;
- A service provider must be required to inform its customer immediately of any developments which may have a materially adverse effect on its ability to meet its service levels. Where a service provider is based overseas, clear reporting lines are very important if this obligation is to be met effectively. Regular meetings at which, for example, it is the supplier's obligation to raise the possibility and impact of potential force majeure events such as adverse weather, power supply disruption or labour disputes will improve disaster recovery planning and reduce the supplier's ability to argue that the consequences of such an event were outside its control;
- The company which is outsourcing its operations must have in place a specific contingency plan covering the replacement of a service provider as swiftly and as painlessly as possible when its engagement is terminated. So-called exit plans are a feature of most outsourcing arrangements. Where operations are outsourced overseas, the provisions agreed with a service provider in an exit plan around data migration, data security and continuity of service during migration to a replacement service provider will be particularly important;
- The FSA must be given a right of access to any information which it requires to pursue investigations. Clearly any regulated business which is outsourcing operations (not just those in the financial services sector) needs to consider what information it is likely to have to disclose to regulators or law enforcement agencies, and in what format those disclosures should be made. Service providers can then be specifically required to operate in a way which facilitates these disclosures on time, but in a way which pays due respect to other human rights laws;
Another key area of financial services regulation for data protection practitioners to keep an eye on is the Basel II provisions for clearing banks, which are likely to come into force in 2007. These will dictate what level of capital reserves individual clearing banks must maintain when their operations are assessed against set risk assessment criteria. Data management is sure to be a key feature of the operational risk assessment criteria.
Overseas Data Transfer Issues
The other key data protection issue which an overseas outsourcing gives rise to is which route will be taken to comply with the Eighth Principle of the Data Protection Act 1998. The Eighth Principle prohibits the transfer of personal data from within the EEA to countries outside the EEA whose laws do not offer data subjects adequate protection as compared to that offered by European laws.
Again, any written contract made with an outsourced service provider is likely to have a major part to play in meeting this obligation. The use of an approved-form model contract is likely to provide an attractive route to compliance when the likely alternatives are considered, for instance:
1. Few of the countries offering the most attractive destinations for outsourcing have been approved by the European Commission as having laws which offer adequate protection. Although India has stated its intention to amend its existing Information Technology laws to meet the standards set by European data protection laws, this is not going to provide a short-term solution to compliance with the Eighth Principle. EU approval requires a two-stage opinion process by various Commission committees to be completed and the European Parliament and the Commission to give their respective endorsements. As Guernsey is currently finding out (and as Argentina, Canada, Hungary and Switzerland discovered before it), this is not a swift process. The 1998 Act does give businesses the opportunity to make their own assessment of adequacy against set criteria, but it would be a brave business which did so without waiting for a strong hint from the European Commission that it was seriously considering approving the laws of the country in question.
2. The most useful derogations from the obligations imposed by the Eighth Principle other than the model contract route (i.e. obtaining data subject consent for a transfer to a specified country, or being able to argue that a transfer is necessary for the conclusion of a contract with the data subject) are unlikely to be suitable or applicable. The European business which is transferring data is unlikely to be able to argue that it has to transfer in order to perform its contract with the relevant data subject. Obtaining data subject consent could prove a laborious and time-consuming task, although it could provide a useful long-term option.
3. The working paper proposals recently produced by the Article 29 Working Party advisory body relating to the creation of binding corporate rules for group companies could provide an alternative route to compliance. The idea is that an organisation or a group of organisations issues a binding code of conduct setting data protection compliance obligations based on European data protection laws. With the concept of joint venturing with overseas outsourced service providers currently somewhat in vogue, the proposals, if finalised, could provide an interesting future route to compliance with the Eighth Principle. However, this is not a short-term solution, and large global organisations are unlikely to be particularly enamoured with the prospect of ensuring that all their global operations comply with a policy based on European data protection laws.
4. The 1998 Act offers the opportunity for individual applications to be made to the Information Commissioner for derogation from the Eighth Principle. However, this option is only available where the applicant has first sought to apply all the other derogations listed in the Act, and the Information Commissioner is clearly very reluctant to consider such applications.
Form of Contract
The form of the contract selected to comply with the Seventh and Eighth Principles needs careful thought. The European Commission's model contract for the transfer of data to data processors (adopted in December 2001) should play a role, perhaps as a schedule to an agreement which sets out specific data management service levels. In addition to the other service levels mentioned in this article, I would expect key issues such as data back-up, disaster recovery, data security, data accuracy and support and maintenance to be covered in this agreement.
Given their strict provisions, the model contract's clauses will not be everyone's cup of tea, and the service provider in question may need to be educated as to the importance of signing up to the clauses without amendment. If an amendment were perceived by the Information Commissioner's Office to have watered down the effect of the clauses, this could affect its willingness to accept that compliance with the Eighth Principle had been achieved.
Regulations and common sense are driving those considering an overseas outsourcing to set out a detailed relationship structure for the management of their data. Of course, a contractual solution to risk management is fallible where difficulties are likely to be experienced in enforcing that contract, and litigation in India, for example, has a reputation amongst European businesses for being slow and painful. Nevertheless, data processor contracts provide a good forum for a customer and an outsourced service provider to set out the risk management steps which they will adopt whilst working together. They also provide a route to compliance with the Eighth Principle of the Data Protection Act.
© Osborne Clarke 2003
TMT Department, Osborne Clarke
16 December 2003