China -  Chinese law firm

Data Protection

03/04/2007

In any outsourcing where the outsourcing provider will be handling personal data, which in most cases will include any data that identifies a living individual, the protection of data is essential.

What are the top 10 tips a Chinese outsourcing provider should consider when keeping data secure, when placing trust in a third party, or when trying to keep a balance between security and business efficiency?

Here are our Top Ten Checklist Tips for a Data-Friendly Outsourcing Agreement:
 
1) Ask at the outset whether personal data is to be passed to the provider. Does this data need to be passed to the provider, or could the services be provided without it?
 
2) If the processing of personal data is an integral part of the outsourcing, the nature of the data and the potential risk of disclosure need to be considered when taking the decision to outsource.

3) Choose your provider carefully: you must seek guarantees of the security that they can offer and be able to do your commercial and technical due diligence with regard to their processes.

4) Remember, security of data isn't just about good IT security. You need to be confident that your provider's staff are reliable, and that they have organizational measures in place - robust confidentiality obligations on their staff, policies relating to data protection - and that they lock the door at the end of the day when they go home!
 
5) Remember, if sensitive personal data is to be processed, you may need more stringent security in place. Sensitive personal data is not necessarily what you think - it is personal data which relates to racial or ethnic origin, trade union membership, physical or mental health, sexual life or the commission or alleged commission of an offence, including proceedings. You'd be surprised where sensitive personal data can rear its head.

6) Be flexible sometimes; you are allowed to make decisions with regard to the way in which data is processed to ensure that it is treated appropriately. This will depend on the nature of the data and the processing. Don't insist on disproportionate obligations for low-risk processing, or you could divert resources from more critical data.

7) Global data processing is complicated, but perfectly possible! There are a number of ways of doing this, but you will need the support and compliance of your provider, and a certain adequate level of security should be met. For example, the transfer of personal data from EU countries to jurisdictions outside the EEA is prohibited without putting in place an adequate level of protection.

8) Remember, if your operation is dealing with pan-European or global data, care will be required to ensure that you do not put compliance at risk in any individual jurisdiction.

9) Consideration of your own data protection practices is essential - this might be a good opportunity to ensure that your internal processes reflect best practice and dovetail with the provider's processes.

10) Remember exit! When you exit from the arrangement, personal data must be returned or destroyed, and you must be sure that the provider has not retained any data.
