GSA UK - Best practice in offshore data security

DOING BUSINESS BETTER. TOGETHER

Home
NEWS & INSIGHTS
Industry News
Best practice in offshore data security

Best practice in offshore data security

2 Apr 2008 12:00 AM | Anonymous

Put the term “data security” into Google’s search bar and for the UK alone you will receive over five and quarter million hits (and rising), spanning tens of thousands of pages.

Data security has become front-page news and is set to stay there for the foreseeable future. This has been driven by wave after wave of data security scandals, arising mainly from the public service sector where laptops or discs containing millions of names have either gone missing or been stolen.

The biggest scandal to date occurred in late 2007 when the Inland Revenue lost a CD-Rom containing the details of 25 million individuals including their dates of birth, addresses, bank accounts and national insurance numbers, opening up the threat of mass identity fraud and theft from personal bank accounts.

In an offshore environment the implications have been huge: companies have become far more nervous about outsourcing data management offshore, simply because of the ramifications and the associated PR nightmare if they get it wrong.

This is understandable but ill-founded. Offshore data security is the best in the world. It has to be. Even before the recent data security scandals hit the headlines, companies willing to risk sending their data offshore expected the very highest standards. As a result, offshore data security has become the benchmark for all companies managing data security, be it in-house, outsourced in the UK or offshore.

So what is best practice for data security in an offshore environment?:

• Personal data should not be transferred to a country or territory offshore, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. This is common sense and is closely associated with a basic level of political and social stability.

The Philippines, for example, boasts companies like Accenture, AOL and HSBC and generated offshore revenues of $2.1 billion in 2006, placing it third behind India and China. It is estimated that 200,000 people were working in 120 BPO (mostly contact) centres in the Philippines in 2006, and this is forecast to grow to 900,000 people by 2010. Put simply, the Phillipines is geared up for outsourcing and embodies best-in-class data security as standard.

• Physical stability is not often considered when choosing an offshore provider. Physical stability refers to factors such as acts of nature (earthquakes, landslides, floods, fires, tsunamis, hurricanes, and so on) and also acts of terrorism. It is crucial therefore, that in an offshore environment, the outsourced provider has a rigorous strategy for coping with such disasters. At the very least, this will involve a disaster recovery centre situated away from the central HQ. Back-up electricity generators should be standard in case of power failure.

• Check the physical security measures in place at your chosen offshore provider. External security should comprise of 24 hour security guard(s) at the entrance and both a coded number-pad and card entrance requirement. Internal security should be similarly rigorous with the internal server room ring-fenced with a similar level of security. All windows must be shut at all times and a comprehensive fire sprinkler system should be standard.

• Contracts and agreements between data controllers are important. European data protection law prohibits the transfer of personal data outside the EU to countries that do not enjoy an adequate level of data protection.

One of the ways to provide for such an adequate level of protection for transfers to countries that have not been formally deemed to be ‘adequate’ by the EU is for the data exporter in the EU and the data importer outside the EU to conclude a data transfer agreement. The European Commission’s new clauses provide adequate protection for data transfers.

For a full downloadable Pdf, go to: http://www.iccwbo.org/uploadedFiles/ICC/policy/e-business/pages/Model%20clauses%20Toolkit.pdf • No hard media. Data professionals know that the source of nearly all data security lapses is the transfer of information to hard media such as CD-Roms. State-of-the-art offshore data management providers have no terminals with CD writers – thereby preventing any information being downloaded onto hard media either on purpose or inadvertently. Indeed, laptops are also forbidden ensuring that data stays securely within the confines of the data management centre.

• All data is transmitted online using encryption technologies. The only personnel with the encryption codes are the sender and receiver, i.e. offshore provider and client. This is a very powerful method of ensuring data security, which, when properly firewalled is almost impossible to penetrate. Data transfers of three gigabytes (30 million address records) typically take just a few hours to transmit.

• All transferred data is logged ensuring a permanent record of who has transferred ‘what data’ to ‘whom’ and ‘when’. This ensures complete transparency and accountability.

• All data transfers are acknowledged at the receiving end, i.e. by the client.

• Finally, for ultra-cautious companies, data management can be outsourced offshore yet all data remains in-house and doesn’t even leave the company’s own building. Some larger organisations employ this method, which allows access to a company’s data from a remote terminal using virtual private networks (VPNs). Work is undertaken offshore using computer programs uploaded onto the client’s network.

The technology for this works similar to how an IT professional might have access to his company’s network from his own home. It ensures that no data can be downloaded, only uploaded, with no data leaving the company’s own building.

In conclusion, it must be stressed that offshore data security is typically better than within the UK. When data is transmitted within the UK, there is a perception that it is safer – it’s not. Indeed, data security standards are often relaxed within the UK because there doesn’t appear to be any immediate ‘threat’. Yet whether data is sent five miles from Clerkenwell to Wimbledon or 6,600 miles to Manila is actually irrelevant – if it’s being transferred it needs the highest standards of security.

• Jed Mooney is the managing director of database management specialist Datahold. Based in London and offshore in the Philippines, Datahold’s clients range from small start-up businesses to FTSE 100 corporations.