Data Protection Act
We are fully compliant with the Data Protection Act. The Information Commissioner's Office issued guidance in February 2012 for organisations that outsource some of their data processing to a third party. The Data Protection Act allows outsourcing to take place but stipulates certain conditions that must be met for it to be compliant.
An organisation that processes personal data is required to handle personal data in accordance with the data protection principles. A data controller may choose to use another organisation to process personal data on its behalf – a data processor.
The data controller remains responsible for ensuring its processing complies with the DPA, whether it processes in-house or engages a data processor. Where a data processor is used the data controller must ensure that suitable security arrangements are in place in order to comply with the seventh data protection principle. Further extracts from the guidance are reproduced below and the entire document is available on the ICO website.
Schedule 1 of the Data Protection Act (1998) lists eight principles of data protection. The seventh principle is of particular importance where an organisation uses a third party to process data.
The seventh data protection principle provides that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”