Abstract

In the global sourcing world, particularly in financial services, offshore outsourcing and the associated data transfers are commonplace and increasing, as firms seek out lower-cost third countries, which may have even fewer data protections. In such an environment, the 1998 Data Protection Act’s 8th Principle and associated 7th Principle security provisions become critical protections for UK data subjects. Yet the few statistics that exist indicate that unrestricted transfers appear to occur from several EEA countries. Further criticisms are that the UK 1998 Act does not fully align with the EEA Directive, the Schedule 4 exceptions are overly wide, the country assessment process can be ignored with the Information Commissioner’s ‘blessing’, and his powers and resources are limited. Financial services may be a contrasting exception, where the industry regulator, the FSA, ‘incidentally’ enforces many of the data protection requirements of overseas data transfers, has significant direct enforcement powers and a model ADR approach through the Financial Ombudsman. Although UK banking law and regulation meets many privacy requirements, it falls short of the full data protection requirements, clearly illustrating the value that data protection legislation brings.
The alternative self-regulatory approach exemplified by the US Safe Harbor illustrates the weaknesses of pure self-regulation, recognized by the US financial services, which are moving towards centralized data privacy supervision with the Gramm-Leach-Bliley Act, reinforcing the worldwide trend towards a more EEA-style supervised personal data protection world. In short, seven years after the 1998 Act was passed, we are ready for an appropriate mid-course correction, with the 8th Principle (and 7th Principle) needed more than ever in the growing outsourced world.

* Roger Baker BA, FBCS, ACIB, LLM (Strathclyde) is a senior consultant with ItemPlus Consulting, specialising in IT regulation in Financial Services. A former advisor to House of Commons Select Committee on Science & Technology, he is the founder of the British Computer Society’s Financial Services Specialist Group, and contributor to the Society’s publications on Offshore Outsourcing, e-Commerce, the Euro & Year 2000.
