At the weekend, the Sunday Times broke news of how Indian call centre staff had been caught offering stolen personal information for sale – stolen from UK companies and available for as little as 2p per person. They boasted of having credit card details, mortgage and loan details, and phone contracts.
The 1998 Data Protection Act prohibits the transfer of personal information outside the EEA unless there is an adequate level of protection for the information, and for individuals’ rights in relation to that information. If the data is lost, stolen or misused then the UK-based organisation is liable.
The law is clear, and back in 2006 Deputy Information Commissioner David Smith warned: “a UK-based business outsourcing a call centre or other aspect of its data processing abroad remains legally liable for any failings. It could face legal action by the Information Commissioner’s Office and by an individual even if a breach takes place outside the UK.”
However, the drive to reduce costs has seen call centres, services and some data hosting move to lower-cost countries, with the latest example being data from the Driver and Vehicle Licensing Agency, including addresses and registration plate numbers, along with credit card details, now being available to staff outside the UK after ministers changed an earlier decision to allow IBM to reduce costs.
IBM runs the congestion charge zone for Transport for London (TfL), and the changes to allow staff abroad to access data are expected to be completed by 18 May.
The risks around off-shoring data are clearly substantial if it is not done in a tightly controlled way. Whether allowing staff to access data, or physically moving the data abroad, it is essential that the rush to save money does not lead to irreparable damage to privacy and data security.