Data protection and outsourcing under the DPA 1998 [Archived]

ARCHIVED: This archived Practice Note provides information on the data protection regime before 25 May 2018 and reflects the position under the Data Protection Act 1998 (DPA 1998). This Practice Note is for background information only and is not maintained.

Data protection regime

The Data Protection Act 1998 (DPA 1998) is the principal law in the UK which deals with data protection. For more information on the DPA 1998 generally, see Practice Note: Applicability and scope of the DPA 1998.

When outsourcing, the customer and supplier should consider the requirements set out in the DPA 1998 (see: Data protection regime—overview) and, in particular, the following principles:

  1. the first principle: see Practice Note: Data protection principles under the DPA 1998—Principle 1: Personal data must be processed fairly and lawfully. Who is the 'data controller' of the 'personal data'? Typically the customer is the data controller (eg it decides how the personal data is 'processed') and the supplier is the 'data processor'.

  2. the seventh principle: see Practice Note: Data protection principles under the DPA 1998. What measures are in place to protect the personal data?

  3. the eighth principle: see Practice Note: Data protection principles under the DPA 1998.

The DPA 1998 imposes additional obligations on the data controller to: ‘(a) choose a data processor providing sufficient guarantees in respect of the technical and