Information Age: News, analysis & insight for IT & business leaders

Improve data control of IT outsourcing contracts or face closer regulation, trade body Intellect advises

A new report from IT trade body Intellect calls on businesses to instigate tighter security controls in their outsourcing contracts.

In failing to include clauses that make the responsibilities of data control explicitly clear, businesses are currently exposing themselves to risk, both of data breaches and of greater regulation, should such breaches continue, the report found.

“The money that outsourcers and their customers pay in data breach fines would be better spent improving data security processes, so these breaches don’t occur in the first place,” said John Higgins, Intellect’s director general.

“Companies recognise their responsibility towards consumers’ data but don’t always understand the best way to achieve this,” he added.

According to the Data Protection Act, if an organisation hands personal data of its customers over to an outsourcing provider, it is still considered to be the data controller – the outsourcer is only doing what it is told to do by its client. The company is therefore both legally obliged to know exactly what is happening to that data and culpable should it fall into the wrong hands.

Intellect’s report outlines the various data protection laws operating in different countries. India, the Philippines and China – all popular IT outsourcing destinations – have no explicit data protection legislation in place. European companies that entrust customer data to outsourcing providers in those countries must therefore meet their legal obligations through the terms of their contracts.

The trade body’s guidelines for ensuring data protection in outsourcing contracts are available to download for free here.

Further reading

Up to 38,000 credit cards stolen in Cotton Traders hack

US drives strong IT services growth

Find more stories in the Security & Continuity and IT Services Briefing Rooms