Data privacy breaches and outsourcing

With the Information Commissioner recently handing out huge fines to two public bodies for privacy breaches, Alison Deighton examines how the risks involved in outsourcing the processing of data can be mitigated.

Two recent fines for serious data protection breaches imposed by the Information Commissioner on public sector authorities serve as a cautionary reminder of the risks involved in contracting a third party to process confidential data and the need for organisations to be careful when destroying personal data in their control.

In each case, it was a third party employed by the authority who, either by accident or design, allowed confidential information which ought to have been destroyed to be released into the public domain. In this article, we consider the steps that local authorities should be taking to minimise the risk of fines being imposed when data processing activities are carried out by a contractor on behalf of the local authority.

Before looking at the facts of the two cases, it is worthwhile stating that the Information Commissioner is only permitted to impose a fine if there has been a serious breach likely to cause substantial damage or distress and where the breach is deliberate or occurs because the data controller failed to take reasonable steps to prevent it.

So, what were the circumstances giving rise to the two recent fines and what 'reasonable steps' should the public authorities involved have taken to avoid being issued with a fine?

A hospital trust

Disposal of the Brighton and Sussex University Hospitals Trust's IT equipment was usually undertaken by a Health Informatics Service (HIS) under the terms of a service level agreement which, unfortunately, had expired. The HIS, which is accredited by the Department of Health, in turn occasionally sub-contracted work to a third party, Company A. In April 2010 the Trust required the destruction of 1000 decommissioned hard drives which were stored at the hospital. Company A were unable to do the work and recommended Company B, who were engaged by HIS, apparently without the Trust's knowledge. HIS did not enter into a contract with Company B, and only made rudimentary checks into the credentials of the company and its manager.

HIS staff supervised and occasionally assisted Company B's manager in the destruction of the drives on hospital premises. However, this supervision was not constant. On completion of the process, Company B provided a generic certificate of destruction for the drives. Subsequently the Trust was contacted by a data recovery company who had bought four hard drives online from the manager of Company B. The drives contained highly-sensitive unencrypted information relating to more than 67,000 patients.

Despite its assurances to the Information Commissioner that these were the only hard drives affected, the Trust was then informed by an online purchaser that a further fifteen drives had been acquired containing highly-sensitive patient and employee data. A subsequent police investigation revealed that 232 of the Trust's hard drives had been sold online containing highly-sensitive information on tens of thousands of patients and staff.

A council

Scottish Borders Council's pensions team engaged a contractor to digitise its pension records. Despite the fact that the contractor had undertaken scanning work for other Council departments from time to time, there was no contract in place. In September 2011 police were alerted to files containing personal data which had been left at an overfilled recycling bank. It transpired that the contractor had left ten boxes containing 848 files at two recycling banks. The files contained confidential employee data including name, address, National Insurance number and date of birth. In nearly half of these cases salary and bank details were also included.

Over the previous six years the contractor had digitised an estimated 8000 records, scanning the files to unencrypted discs and sending the discs to the Council via standard post. It appears that the hard copies of each of these records had been disposed of by way of paper recycling banks.

The data controller's obligations

In each case the Information Commissioner imposed a fine for breach of the data protection principle which obliges organisations to take appropriate security measures to prevent disclosure of confidential information. More specifically, in order to ensure compliance with this principle, the Data Protection Act requires data controllers to take the following steps when contracting with third parties:

  • Choose a data processor that provides sufficient guarantees in respect of the security measures governing the processing to be carried out.
  • Take reasonable steps to ensure that the processor complies with those security measures.
  • Have a written contract which requires the processor to act only on the instructions of the data controller in relation to the processing of personal data and which requires the processor to comply with security obligations equivalent to those imposed on the controller by the seventh principle.

Local authorities that engage contractors to process personal data on their behalf will remain on the hook for any data security breaches committed by the contractor. It is therefore essential that local authorities ensure that the requirements above are met so that they can demonstrate that they have taken reasonable steps to prevent a breach from occurring and therefore avoid a fine.

In the sections below we consider the practical steps that local authorities need to take to ensure that they comply with the requirements of the Act when outsourcing data processing activities.

Appropriate security measures

In determining the appropriate security measures that a data processor should have in place, a data controller will need to bear in mind the available technology; the cost of implementing such technology; the nature of the data; and the harm that might result from a breach of security. The more sensitive the data is, the more stringent the measures will need to be in order for them to be deemed appropriate.

Prior to engaging a third party, local authorities should carry out due diligence to ensure that the third party recognises the risks posed by the data processing and has appropriate procedures and security measures in place to protect the data. Depending on the nature of the data being processed, this may involve an on-site visit to the premises where processing will be carried out; completion of a security questionnaire by the contractor; a review of the contractor's procedures and policies; and evaluation of the qualifications, experience and contractual obligations of key members of staff.

If a site visit is conducted, practical issues should be checked such as the quality of doors and locks, the protection afforded to the premises by alarms, security lighting and CCTV and the location and security of cabinets holding personal data. Other factors which contribute to security include the manner in which access to the premises is controlled and how visitors are supervised whilst on the premises.

Technical security measures employed by the contractor will also need to be checked by an appropriate expert to assess whether the security of electronic documents and systems is adequate.

In the Scottish Borders case, the Council did not take any steps to check how the contractor was going to dispose of the paper records once the digitisation had been completed, nor did the Council check the contractor's procedures for returning the digitised records to the local authority.

As part of its due diligence process the Council should have asked the contractor to confirm how records would be dealt with upon completion of the task, evaluated whether these measures were sufficient and included contractual obligations to dispose of records accordingly. For example, the Council could have required the contractor to encrypt the discs containing the scanned data and return them by secure post, sending the encryption key separately. The contractor should also have been obliged to dispose of the paper files securely and to provide a certificate of destruction for each file.

In addition to carrying out due diligence at the outset of the process, local authorities will need to continue monitoring compliance with security measures and contractual obligations throughout the life of the contract. Audits and spot-checks should be carried out, with the frequency and nature of the checks being determined by the nature and sensitivity of the data processing activities being carried out.

While budgetary constraints may impact on the ability and willingness of authorities to carry out detailed and regular checks on data processors, the short term savings that may be made by cutting back on such checks are likely to be outweighed by having a substantial fine imposed by the ICO. Local authorities are therefore advised to ensure that they have robust due diligence and monitoring procedures in place when outsourcing data processing activities.

Contracts

A further aggravating factor highlighted in the two recent cases was the fact that neither the Trust nor the Council had a written contract in place with the contractor.

Failure to have a written contract in place is a breach of a direct requirement of the Data Protection Act. As a bare minimum, a contract should specify that the contractor must process the data in accordance with the controller's instructions and comply with security obligations equivalent to those imposed on the controller by the seventh principle.

Local authorities will also need to give consideration to whether further requirements need to be set out in the contract in order to satisfy the ICO that 'reasonable steps' have been taken to prevent a breach from occurring. The level of detail required will depend on the nature of the outsourcing, the type of data being processed and the risk of harm if there is an unauthorised disclosure. The due diligence process carried out at the start of the project should inform the obligations that need to be included in the contract.

In the HIS case the ICO suggested that a prohibition on sub-contracting or a requirement to obtain consent to sub-contracting should have been included in a written contract. If such a prohibition had been in place, the Trust would have been alerted to the fact that sub-contracting was occurring and could have carried out a risk assessment and put appropriate measures in place to mitigate any risks. Such measures would have included checking the suitability of the individual involved in the data processing and ensuring that the sub-contract imposed equivalent data protection obligations on the sub-contractor as those imposed by the main contract.

Local authorities should also ensure that contracts include indemnities for breach of data protection obligations so that if a data breach does occur and a fine is imposed the local authority may recover its losses from the contractor.

Local authorities would be well advised to review their internal procedures to ensure that all outsourcing arrangements which involve data processing have a written contract in place prior to any data being transferred to the contractor and that appropriate obligations are placed on contractors to reflect the risks inherent in the data processing carried out. The recent cases demonstrate that failure to do so is likely to result in a fine if a data security breach occurs.

Alison Deighton is a partner and Head of the Data Protection and Privacy team at TLT. She can be contacted on 0117 917 8016 or by email.