Data Protection Act – Are Outsourcing Companies Breaking it?

Data Protection Act
Data Protection Act

Data Protection Act

Are offshore companies breaking the data protection act?

I would like to raise an issue regarding the outsourcing of IT and call centre services to India etc.

The issue relates to the 8th Principle of the Data Protection Act of the UK. This states that you cannot store, or transmit, personal customer information outside of the European Union. That’s unless the country has a similar standard accepted by the EU. As yet only countries like Hungary and Canada have applied.

In which case how is it possible for companies to set up customer service operations in Asian countries. These regulations do not cover them. Surely many of these operations are in clear breach of the Data Protection Act.

UK Customer Database

A couple of years ago I worked for General Motors Acceptance Corporation in the UK. They suggested that we send our UK customer database to the USA for analysis purposes. However, the 8th principle prevented us from doing so. That’s because the USA does not comply with the act. I imagine, therefore, the same situation exists for Asian countries.

Personal data does not include contact information.

However, I believe it does include stuff such as:-

  • gender, employment details,
  • income details,
  • bank account details,
  • religious and racial background information.

I am no expert on the subject but I have read somewhere on an Indian site that one of the CEOs of an Indian software company was well aware of this problem.

This one states that they intend have something in place in 8 months time. So clearly, therefore, the current situation is not compliant.

New Contract Centre

An article in Financial Express refers to a new contact centre. They say:

“To ensure seamless transition and integration of processes, BT will assign site managers, who will work with the HCL Tech BPO team to ensure adherence to BT’s stringent standards of delivery performance and customer experience. Given the critical nature of the processes, the Data Security systems implemented, provide the highest possible levels of security and comply with the provisions of the EU Data Protection Act.”

This is rubbish. Regardless of whatever safeguards they put in, if the information is stored in India, it currently breaches the Data Protection Act.

The ultimate question, therefore, is do UK consumers want their personal information stored on systems in India and China?