The Data Protection Act (1998) regulates data processing and storage in the UK. It ensures that businesses adequately safeguard identifiable personal information about British citizens, while also obliging companies in the UK to remain compliant with the European Data Protection Directive. Today, third-party data processing, especially on an international scale, has become widespread. So the DPA, outlines a strict protocol for all companies that outsource some aspect of their data processing operations.
In the event that a third-party company mishandles data, the second-party business (ie. the Data Controller) assumes full liability for the security breach and is subject to penalties from the Office of the Data Protection Commissioner if they fail to respond properly. So when data is mishandled (either by a third-party or by the company who enters into the transaction with the customer), businesses are legally obligated to:
1. Promptly notify all relevant customers and parties about the security breach or mishandling. Whenever possible, companies must also request assistance from outside organisiations (financial institutions, for instance) in an effort to mitigate risks and avoid repercussions for the individuals whose data was jeopardized.
2. Immediately notify Data Controllers. (This applies to third-party Data Processers)
3. Immediately report to the Office of the Data Protection Commissioner (ODPC) any instance in which data might have been compromised. The ODPC often requests an in-depth written report explaining the cause for and response to the incident, and sometimes launches an investigation to ensure full compliance.
4. Create and retain written documentation of all data mishandlings; outlining why the incident occurred, how it was dealt with, and what will be done to prevent a future recurrence.
5. In some circumstances where damage is done to or losses are incurred by those whose data was compromised, pay compensation to the effected parties.
In distinguishing between ‘Data Controllers’ and ‘Data Processors,’ the Data Protection Act ensures that companies such as Frontline remain accountable to their customers, even when outsourcing telecommunication services internationally. As those who entered into agreements with customers, Data Controllers must ensure that all business partners provide the same level of protection that they themselves are legally obligated to provide.