The Data Protection Act 1998 (DPA) regulates how organisations handle personal information and gives individuals the right to know what information is held about them. It also provides the framework for ensuring that personal information is handled properly when payroll is outsourced.
The Act works in two ways. Firstly, it requires anyone who processes personal information to comply with eight principles, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with the rights of the individual it is about
- Kept secure (appropriate technical and organisational measures taken against unauthorised or unlawful processing, and against accidental loss, destruction or damage)
- Not transferred to other countries without adequate protection
Secondly, the Act gives individuals important rights, including the right to find out what personal information is held about them on computer and in most paper records.
All organisations are legally obliged to protect any personal information they hold, and if they process personal information they are required to register (notify) under the DPA with the Information Commissioner's Office (ICO). Penalties and sanctions can apply for breaches of the Act, and the ICO can impose a monetary penalty of up to £500,000 for serious breaches.
The ICO has published a Good Practice Guide in relation to what organisations need to do to comply with the DPA when outsourcing the processing of personal information. In particular, the examples used refer to outsourced payroll.
The key point is that when the processing of personal information is outsourced, the organisation doing the outsourcing remains responsible for the processing. It is regarded as the Data Controller under the DPA, with the service provider acting as a data processor on its behalf, and it is the outsourcing organisation, not the outsourced service provider, that is liable under the DPA for any breaches.
In practical terms, when outsourcing the processing of personal information, such as payroll, an organisation needs to ensure the appropriate technical and organisational measures are in place to protect the data.
The ICO Good Practice recommendations are:
- Select a reputable organisation offering suitable guarantees about their ability to ensure the security of personal data.
- Make sure the contract with the organisation is enforceable.
- Make sure the organisation has appropriate security measures in place.
- Make sure that they make appropriate checks on their staff.
- Audit the other organisation regularly to make sure they remain 'up to scratch'.
- Require the organisation to report any security breaches or other problems to you.
- Have procedures in place that allow you to act appropriately when you receive one of these reports.