Offshore IT Outsourcing and the 8th Data Protection Principle - legal and regulatory requirements - with reference to Financial Services

In the global sourcing world, particularly in financial services,offshore outsourcing and associated data transfers are commonplaceand increasing, searching out lower cost third countries, whichmay have even fewer data protections. In such an environment,the1998 Data Protection Act’s 8^th Principle and associated7^th Principle security provisions become critical protectionsfor UK data subjects. Yet the few statistics that exist indicate that unrestrictedtransfers appear to occur from several EEA countries. Furthercriticisms are that the UK 1998 Act does not fully align withthe EEA Directive, the Schedule 4 exceptions are overly wide,the country assessment process can be ignored with the InformationCommissioner’s ‘blessing’ and his powers andresources are limited. Financial Services may be a contrasting exception, where theindustry regulator, the FSA, ‘incidentally’ enforcesmany of the data protection requirements of overseas data transfers,has significant direct enforcement powers and a model ADR approachthrough the Financial Ombudsman. Although the UK banking lawand regulation meets many privacy requirements, it falls shortof the full data protection requirements, clearly illustratingthe value that data protection legislation brings. The alternative self regulatory approach exemplified by theUS Safe Harbor illustrates the weaknesses of pure self regulation,recognized by the US financial services which are moving towardscentralized data privacy supervision with the Gramm-Leach-BlileyAct, reinforcing the worldwide trend towards a more EEA-stylesupervised personal data protection world. In short, seven years after the 1998 Act was passed, we areready for an appropriate mid-course correction, with the 8thPrinciple (& 7^th Principle) needed more than ever in thegrowing outsourced world.