Do you outsource or provide outsourced services?

A statutory duty under the Data Protection Act 1998 means that third-party service providers that process personal data on behalf of another business should be vetted for compliance with the security aspects of the Act, and that written data protection contracts are required, including two specified terms.


Identifying those relationships involving a "data processor" is not always straightforward. The test is whether or not the outsourced service provider makes decisions about the personal data. A simple example would be a payroll bureau. The bureau has no interest in processing the personal data except that it is remunerated for so doing. The data controller (in this example, the employer) is outsourcing its data processing activity in relation to the payroll. The payroll bureau is a data processor: it makes no decisions about the personal data and processes purely on instructions from the employer.


Pensions administrators are also likely to be data processors. Although their remit to act may be very wide, they nonetheless act on instructions from the pension fund trustees and in accordance with the pension scheme trust deed.


A harder case to decide is where a company outsources its travel arrangements for staff. The service provider may be a travel agent and in that capacity acts as a data controller, but when it acts on behalf of the employer, allocating travel on the basis of grades or seniority, then it is acting as a data processor.


On a continuing basis the data controller is required to check the compliance of the data processor with the Data Protection Principles. In addition, written contracts are needed incorporating two specified terms:

  1. that the data processor will act only on instructions from the data controller when processing personal data supplied by the data controller and
  2. that the data processor will observe security standards at least commensurate with those imposed on the data controller by the 7th Principle.

Examples of areas which are routinely outsourced and which will involve processing personal data by a data processor are:

  • Mailing house to distribute reports and accounts and circulars
  • Share registrars
  • Fleet management
