FEATURE 

Outsourced or out of control?

The outsourcing of circulation processes usually involves the transfer of personal data – sometimes offshore. Rosemary Smith looks at the data protection issues raised and the contractual safeguards publishers need to adopt when outsourcing circulation functions.

By Rosemary Smith

The growth in the outsourcing of subscription and circulation management has been considerable over recent years, but publishers need to be alive to the potential barriers that data protection legislation can present when undertaking an outsourcing arrangement. The devil is, most definitely, in the detail when it comes to getting these deals right.

Outsourcing, put quite simply, is the transfer of one or more of a company’s tasks or processes to an external service provider (ESP). Under contract to the company, the provider performs the tasks or processes against agreed service definitions for a specific period of time.

In some cases, the ESP may be offshore or may use offshore subcontractors taking advantage of reduced costs and the evolution of fast and efficient global communications. This means that multiple contractual relationships may need to be negotiated, all of which should cover the requirement to abide by data protection rules.

The performance of many circulation and subscription processes will require the transfer of personal data and, therefore, carry significant implications for compliance with data protection legislation.

Taking the decision to outsource

If you run a circulation department, you are likely to receive regular approaches from ESPs and there is no shortage of services available. The decision to outsource will often be made to save cost or to avoid capital investment in technology. The ESPs can apply economies of scale which individual publishers cannot. When taking the decision to outsource one or more processes in the circulation/subscription chain, you need to get firm answers to questions about the use and security of your reader data:

* Are the ESP’s processes compliant with good data protection practice?
* If required by local law, has the processing to be undertaken been notified to the relevant data protection authority?
* Is there sufficient control over obtaining and managing permissions from the Data Subject?
* Can the ESP service suppression requests and the requirement for Data Subject Access?
* What are the security measures in place to prevent abuse of data?
* If the ESP is offshore and in an area without adequate data protection legislation, can the data be legally transferred?
* Will the ESP be a Data Processor or a joint Data Controller when managing the data?

It is vital that circulation outsourcing arrangements are covered by contracts which address data protection issues in order for a publisher (or Data Controller in the terms of the Act) to be able to satisfy his responsibilities. It’s worth remembering that in the event of abuse of data, the Information Commissioner’s Office would seek clarification of the contractual controls in place and the final responsibility for the breach would lie with the publisher.

Data Controller or Data Processor?

One of the most important things to establish when entering into an outsourcing contract is the status of the ESP under the Act; the provider may be a Data Processor or, in specific circumstances, may become a joint Data Controller.

The definitions from the Act are, as ever, important here:

A Data Controller is: A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

A Data Processor is defined as: Any person (other than an employee of the Data Controller) who processes data on behalf of the Data Controller.

To understand whether an ESP is a Processor or a joint Data Controller, the nature of the processing to be undertaken and the degree of control that the provider will have over the data has to be established. If the ESP will be at all times processing the personal data under the direction and control of the publisher and is unable to take any decisions about what happens to that data, the ESP will be a Data Processor. If, however, the ESP is taking decisions about the personal data, changing or enhancing it at will, then it may well become a joint Data Controller with the publisher.

Apart from the commercial issues that such joint responsibility for data might create, the legal implications are significant for the provider under the DPA. If the provider is not in the UK, then it will have to comply with the local data protection regime, if one exists.

To avoid such confusion, it is advisable for publishers to ensure that the status of the ESP is clearly identified in the contract and that the clauses cover all the likely processing to be undertaken. There should be limitations on what the provider can determine regarding use of the data and stipulations that the publisher is, at all times, in control.

Necessary contractual terms for transfer of data to outsourcers

Writing an outsourcing contract is a task for lawyers and care should be taken that any "standard" outsourcing contract used covers the key data protection issues.

Before entering into the contract, the publisher must ensure, of course, that any personal data to be transferred to the ESP has been fairly obtained. Processing required for the completion of a contract does not have to be separately notified to the Data Subject but if this processing involves an outsourced provider, the Data Controller must assess whether it is necessary to notify the individual of this. The best place for this would probably be in the terms and conditions of a subscription offer or in a privacy policy.

When selecting an outsourcer, you need to undertake appropriate due diligence to satisfy yourself that they are reputable and have the relevant policies, procedures and practices in place to keep data secure and to process it in compliance with the prevailing law. When drawing up a contract for outsourcing to a UK processor, it should include the terms and the security measures which should be put in place by the ESP to ensure that Principle 7 of the DPA is complied with.

The 7th Principle reads: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

The aim is to ensure that the ESP can be as compliant with the legislation as the Controller himself has to be. The publisher needs to know where the data will be processed and how access to the data will be controlled.

If the outsourcing means that the Data Controller no longer has full access to some of his data, it is essential that the ESP is bound to assist in supplying answers for Subject Access Request enquiries within the legal timeframe of 40 days.

If the ESP is not located in the EEA or in one of the countries whose data protection legislation meets the approval of the European Commission, contractual clauses covering the export of personal data will need to be included. Standard clauses have now been approved for this purpose and agreed by the European Commission.

The contract should allow the publisher the right of audit and monitoring of the ESP’s processing of personal data. These rights should be actively enforced and, for long-term outsourcing deals, regular audits should be undertaken.

It is also vital that the contract deals sufficiently with what happens to the personal data on termination of the relationship. This is particularly tricky if there is joint control over the data created as a result of the relationship. The agreement needs to cover the extraction, removal and erasure of the personal data owned by the publisher and to dictate how the transfer back to the publisher can be made in a secure manner.

It may also be necessary to ensure that any requests for access to data or enquiries about the use of data which may be received by the ESP after termination, are passed on immediately.

Prevailing law

In cases where the ESP is in another jurisdiction within the EEA or in one of the countries designated as having "adequate" data protection laws, the prevailing law will usually be that of the publisher’s home jurisdiction. This should be spelt out in the contract. Local rules do, however, apply concerning the security measures with which the processor must comply.

If the relationship allows the ESP to become a joint Data Controller, the local laws will apply to its processing and an assessment of whether these will conflict with those in the publisher’s jurisdiction should be made. A typical requirement which may conflict is an obligation to divulge information to government or security agencies, which may itself need to be notified to the Data Subject.

Is outsourcing worth the risk?

The benefits of outsourcing circulation and subscription processes have encouraged significant growth in the sector, but there are risks from a data protection perspective. Aside from the contractual issues, the day-to-day handling of personal data by an outsourced company could lead to customers and prospects receiving mixed messages regarding permissions. The further risk that the data protection policies of the publisher will not be adhered to is inherent in any arm’s length arrangement.

Any service definition from an ESP should cover these issues in detail. The ESP should be able to demonstrate an understanding of the publisher’s data protection policies and procedures for collecting and storing personal data; training of staff at the ESP should be undertaken to clarify these policies.

In order to ensure consistency, it is essential that the publisher is able to dictate the content of permission statements used in interaction with individuals. Telemarketing scripting is particularly important as call centre agents should not be permitted to make impromptu decisions about wording.

In any outsourced arrangement, the security of personal data is clearly paramount.

Minimising the risk of breaches by careful selection of the ESP, watertight contracts and continuous performance monitoring is essential.