Organisations that use outsourced service providers to process personal data (e.g. cloud-based applications, web hosting, data analysis or data management services) need to be wary of what I call the “Chain of Tools”: every link in that chain needs some due diligence and appropriate controls in place.
Ultimately, the Data Controller carries the full weight of liability for any breach of the Data Protection Acts, both criminal (i.e. prosecution by the Data Protection Commissioner) and civil (i.e. litigation for breach of the Duty of Care created by the Acts), unless they can demonstrate that they have taken all reasonable steps to ensure that the chain of personal data protection is unbroken.
This is very similar to the situation in property transactions where, for title in the property to be validly transferred, there needs to be a clear, unbroken chain of title showing that the person selling the property is actually the owner with the authority to do so. Likewise, it is very similar to the scenario in mortgages, where the Lender has to ensure that the paperwork is complete and stacks up; otherwise they will face difficulties (perhaps insurmountable ones) calling in the loan and selling the secured asset (and I mean “secured” here in the financial services/legal sense, not the “padlock and burglar alarm” sense).
So, if you are an organisation that is buying in a solution from a provider (for example an ‘on-demand’ electioneering tool or a cloud-based HR tool), it is good practice to make sure that all the links in the chain have adequate protections for Personal Data built into them.
If your solution provider is hosting their application and the data of your customers/members/clients in a third-party facility (e.g. Rackspace, Amazon AWS, Microsoft Azure), a prudent Data Controller should make themselves aware of this fact and verify that the ultimate home of the data meets the required standards for Data Protection. This may mean asking your solution provider to provide you with warranties, assurances, or indemnification for any breaches that might arise.
Likewise, it is not enough to rely solely on an assurance that the place where the data is held meets the required standards. Any party interacting with the data on behalf of the Data Controller who is not an employee is a Data Processor. As such, there must be a formal written contract governing that relationship and, if the Data Processor is based outside the EU, or is accessing the data for some substantive processing from outside the EU, then they must be assessed against the adequacy conditions for Cross Border Data Transfer (e.g. Safe Harbor registration, being on the ‘Safe Countries List’, use of Model Contract terms, Binding Corporate Rules, etc.).
In addition, the Data Controller has to ensure that they have specified appropriate security protocols and standards for the data being processed (irrespective of how many links there are in the chain). The level of security controls required should be proportionate to the type of data being processed.
For example, Sensitive Personal Data (e.g. expressions of political belief and opinion, data relating to physical or mental health, etc.) should, at a minimum, be transferred and stored in an encrypted format, and websites collecting such data should be rigorously tested to ensure that appropriate security controls (e.g. access permissions, non-default passwords, etc.) are in place and that the site’s code does not introduce risks to the security of the data. Where Financial Data is involved, encryption and adherence to the PCI standards should be a key consideration.
The case a number of years ago where the Irish Blood Transfusion Service Board had sensitive personal data stolen while it was in the possession of a contractor in the United States is a good example of an organisation making reasonable efforts to do things right:
- There was a clear contract in place that specified the security controls to be applied to the data at all times.
- The data was transferred in an encrypted form.
- When it was stolen, it was in an encrypted file on an encrypted laptop.
In that case, an employee of the Data Processor acted in breach of the specified security protocols, resulting in the loss of the data. The fact that the Data Processor had not complied with the instructions in the written contract was one of the factors showing that the IBTSB had taken reasonable steps to meet the Standard of Care required under the Acts. The fact that they had encrypted the data, so that it was not usable, likewise demonstrated reasonable efforts to protect the privacy of individuals. None of that prevented a flurry of negative headlines or the damage to trust.
While technology provides tools to ensure that the links in the chain are intact, ultimately it is first and foremost a matter of commercial focus and pragmatic risk management from the ‘Business’: identifying the length of the chain of information handlers/data processors and the risks to the data as it moves through that chain, and putting appropriate mechanisms in place to manage and mitigate those risks, in order to protect both the privacy of individuals and the brand and reputation of the Data Controller.