Offshore IT Outsourcing and the 8th Data Protection Principle – legal and regulatory requirements – with reference to Financial Services

Bibliographic Details
Published in International journal of law and information technology Vol. 14; no. 1; pp. 1 - 27
Main Author Baker, R. K.
Format Journal Article
Language English
Published Oxford Oxford University Press 01.04.2006
Oxford Publishing Limited (England)
Summary: In the global sourcing world, particularly in financial services, offshore outsourcing and associated data transfers are commonplace and increasing, searching out lower cost third countries, which may have even fewer data protections. In such an environment, the 1998 Data Protection Act’s 8th Principle and associated 7th Principle security provisions become critical protections for UK data subjects. Yet the few statistics that exist indicate that unrestricted transfers appear to occur from several EEA countries. Further criticisms are that the UK 1998 Act does not fully align with the EEA Directive, the Schedule 4 exceptions are overly wide, the country assessment process can be ignored with the Information Commissioner’s ‘blessing’ and his powers and resources are limited. Financial Services may be a contrasting exception, where the industry regulator, the FSA, ‘incidentally’ enforces many of the data protection requirements of overseas data transfers, has significant direct enforcement powers and a model ADR approach through the Financial Ombudsman. Although the UK banking law and regulation meets many privacy requirements, it falls short of the full data protection requirements, clearly illustrating the value that data protection legislation brings. The alternative self regulatory approach exemplified by the US Safe Harbor illustrates the weaknesses of pure self regulation, recognized by the US financial services which are moving towards centralized data privacy supervision with the Gramm-Leach-Bliley Act, reinforcing the worldwide trend towards a more EEA-style supervised personal data protection world. In short, seven years after the 1998 Act was passed, we are ready for an appropriate mid-course correction, with the 8th Principle (& 7th Principle) needed more than ever in the growing outsourced world.
ISSN: 0967-0769, 1464-3693
DOI: 10.1093/ijlit/eai025