Member Article

The UK press reported recently (August 2004) that an unnamed Lloyds TSB customer, backed by the Lloyds TSB Group Union, has complained to the Information Commissioner (the UK equivalent of the Irish Data Protection Commissioner) in respect of the transfer abroad of “sensitive personal data” 1 held by Lloyds about its customers. The government-appointed information commissioner has been asked to rule on whether Lloyds TSB is acting illegally. The union argued that the bank's plans to transfer work and 1,500 jobs to India infringes the UK Data Protection Act 1998 and the applicable European Directives, which they assert require the bank to seek the written consent of its customers to the transfer of sensitive personal data outside the European Economic Area. If successful, the case could force the bank to abandon its off-shoring policy for fear of breaching the law and losing customers. The Irish Data Protection legislation is based on the same EU Directive and is broadly similar to the UK Act, so Irish employees or customers could conceivably challenge outsourcing by Irish companies on the same basis as in the Lloyds TSB case. Generally, personal information may not be transferred to a country or territory outside the EEA unless the destination country has been approved for transfer by the EU 2, or a “model” processing contract is put in place, that has been approved by the Irish Data Protection Commissioner. The complainant in the Lloyds TSB case appears to be focussing on the fact that the data being transferred by Lloyds TSB includes “sensitive personal data”, because the rules for processing sensitive personal data are more stringent than the rules for processing non-sensitive personal data. On the other hand, Lloyds TSB appear to be arguing that provided they have met the legal requirements for the initial processing of the sensitive personal data, they then only need to meet the general legal requirements for transfer of personal data (which by definition includes both sensitive and non-sensitive data) outside the EEA. In relation to the former, Lloyds TSB will have already obtained consent to process the sensitive data at the time of its collection. In relation to the latter, Lloyds TSB point out that they have measures in place to ensure an adequate level of protection for the relevant personal data. As a result they argue that they are fully compliant with UK data protection legislation. We will keep readers updated with the developments in this interesting case. If you require further information in relation to data protection or outsourcing generally please contact John Whelan or another member of our Outsourcing Group. 1. “Sensitive personal data” means information about a person’s: racial or ethnic origin; political opinions, religious or philosophical beliefs; trade union membership; physical/mental health; sexual life; and any offence they committed or are alleged to have committed or proceedings or sentence in relation to an offence. 2. The European Commission maintains a “White List” of countries outside the EEA which it has found meet the required data protection standards. This list includes Switzerland, Canada, Argentina, Guernsey, and the Isle of Man ( http://europa.eu.int/comm/internal_market/privacy/adequacy_en.htm#countries). The US is not on this list but the US Department of Commerce maintains a list of US organisations which have certified that they will provide a standard of data protection that the Commission considers adequate (the so called “Safe Harbor” list; http://www.export.gov/safeharbor/ ).

 

Link to article