Personal data – the stakes are raised
Jinfo Blog

16th February 2010

By Tim Buckley Owen

Amid the deepening unemployment gloom it’s good to hear that 1,300 jobs are to be created at Trafford Park, Manchester, processing United Kingdom census data. But underlying the good news are some big issues for anyone doing Know Your Customer, due diligence research – in fact anything involving personal data.

First of all, the European Commission has just adopted a Decision updating the standard contractual clauses for the transfer of personal data to processors established in non-European Union countries (http://digbig.com/5bbcer). The Commission’s announcement states that it’s not compulsory for businesses to use these actual clauses – but as the Out-Law newsletter points out, it does mean that outsourcing companies outside the EU will now have to get written permission to subcontract the processing of personal data (http://digbig.com/5bbces).

Which all has interesting implications for cloud computing service providers – implications raised during the closing panel discussion at last December’s London Online conference (http://www.vivavip.com/go/e27391). As Out-Law explains, only a ‘small handful’ of countries have proved their data protection regimes to be the equivalent of the EU’s and so are permitted to receive personal data without further steps – so it’s reasonable to wonder what happens when data is processed not simply outside these few exempted countries but in a system that may utilise capacity on computers anywhere in the world.

But meanwhile back to that census data processing centre in Manchester. According to Crain’s Manchester Business (http://digbig.com/5bbcew), its location has not been identified for security reasons – but more interesting still is the centre’s back story. It’s being run by UK Data Capture Ltd, a consortium of United Kingdom based companies. But the company that actually won the census contract and created the consortium is the United States based Lockheed Martin.

As Out-Law explains, the US does have a special arrangement with the EU over processing personal data. It’s called the Safe Harbour scheme and means that participating US companies undertake to abide by local data protection rules over and above US law. But when an American company first looked like getting involved in processing UK census data a couple of years back, it’s small wonder that British MPs were worried. They demanded – and got – cast-iron government guarantees that UK data protection rules couldn’t be trumped by the US anti-terrorism Patriot Act (http://digbig.com/5bbcex).

New EU rules, cloud computing, the Patriot Act. And when you add new powers for the United Kingdom data protection watchdog, the Information Commissioner’s Office, to fine organisations up to half a million pounds for privacy breaches from 6 April (http://digbig.com/5bbcey), the personal data stakes are suddenly being raised dramatically.