Privacy Officers Network
30 January 2007
Dresdner Kleinwort, London
Overview
Host: Dresdner Kleinwort
Managing privacy when outsourcing to a country without a privacy law includes issues such as:
- what national Data Protection Authorities (DPAs) in different EU countries require of companies
- DPAs' requirements for specific countries, for example, India, China, South Africa
- customer perceptions of culture and levels of security in different countries to which processing is outsourced
- how to handle outsourcing from a data controller in an EU country to a processor in a non-adequate territory
- auditing a remotely located processor in a non-adequate country, both when it shares the same parent company and when it is an independent provider.
Surveillance/investigation of employees and tracking of employees/customers includes issues such as:
- active badge systems
- surveillance of employees and customers via access to websites
- privacy problems related to use of closed-circuit television (CCTV) and/or webcams in processor, controller, data centre or other premises
- types of controls on physical access to data centres
- tracking people through buildings via fingerprints and iris scans
- converting fingerprints into a mathematical code and using it as an authentication token
- security of this type of data
- combining this data with a Human Resources database for different purposes
- need for DPA prior approval of biometric data in some countries, with conditions for limited use
- need for a written/recorded notice informing call centre staff and customers of their Data Protection duties and/or rights
- drawing up a Data Protection clause in call centre contracts
- handling an outsourced call centre's wish to sub-contract to another party; establishing duty levels in such circumstances.