Offshore IT Outsourcing and the 8th Data Protection Principle - Legal and regulatory requirements - With reference to Financial Services

International Journal of Law and Information Technology

Volumn 14, Issue 1, 2006, Pages 1-27

  Baker, Roger K ^a  

^a ItemPlus Consulting

Author keywords

[No Author keywords available]

Indexed keywords

EID: 32644436851     PISSN: 09670769     EISSN: None     Source Type: Journal    
DOI: 10.1093/ijlit/eai025     Document Type: Article

References (82)

1. Offshore Outsourcing - IDC Research Organisation Report June 2003.
2. Gartner Dataquest forecast: IT Outsourcing Worldwide 2002-2008. 8 March 2005.
3. Statistical source http://www.evalueserve.com.
4. Offshoring of IT Services - Present & Future. Evalueserve. Nasscom Survey 2003.
5. Data Privacy in Cyberspace. A Charlesworth, Director Univ. Hull Law School, published in Law & The Internet Edwards & Waelde Hart Publishing.
6. Reflections on Durant v FSA. S Chalton Computer Law & Security Report Vol 20. No 3 2004.
7. M Douglas v Hello, N Campbell v Mirror Group Newspapers, von Hanover v Germany ECHR.
8. Law Relating to Financial Services. Graham Roberts, 5th Ed 2003, Institute of Financial Services.
9. Sutherland v Barclays Bank Ltd 1938.
10. ref Note 8.
11. Data Protection - A Practical guide to UK & EU Law Peter Carey, 2nd edition OUP 2004.
12. 1st report on the implementation of the Data Protection Directive (95/46/ EC) 15/5/2003 COM (2003) 265 final.
13. EU Parliament's report on the 1st Report of the Data Protection Directive, by the Committee on Citizen's Freedoms & Rights COM(2003) 265. A5-0104/2004.
14. WP92 10650/04/EN.
15. WP98 in particular S3 - Challenges and Priorities.
16. As at April 2005.
17. EU Commission investigation into UK data protection legislation: New information 01/09/04 Bird & Bird.
18. The Durant Case & its impact on the Interpretation of the Data Protection Act 1998 4/10/04 Information Commissioner pg3.
19. The next step on from Durant: Terence William Smith v Lloyds TSB Bank 07-03-05 J Okines Bird & Bird.
20. European Commission 7th Annual Report 21/6/2004 page 80.
21. For detailed comparison of terms, see Technical Annexe to 1st Report of the Commission 12.5.2003 COM(2003) 265 final.
22. Also Sixth Annual Report 16/12/03.
23. European Commission suggests UK Data Protection Act is deficient. Pinsent Masons 15/07/04 Out-Law.com
24. ref Note 20 page 85.
25. Information Commissioner letter Request for Information under FOI Act Jan.05. (Ref: JB/FOI/09/05): - Letter from European Commission dated 7/7/ 04, - Letter from the Information Commissioner to the DCA dated 7/9/04, - Letter from the UK Government to the Commission (undated) All were refused 8/3/05, on grounds that these "relate to potential action against the UK Government by the European Commission" and "because infraction proceedings are on going and these involve a series of negotiations between the parties .....prior to any potential proceedings being commenced in the European Court of Justice."
26. Criminal Proceedings against Lindqvist Case C-101/01, 6 November 2003, ECJ.
27. Information Commissioner Guide International Data Transfers of Personal Data & The 8th Data Protection Principle and Transborder Dataflows. Information Commissioner July 99 vn1.
28. Data Processor Model Contract Appendix 1 10.01.02, Original and Alternative Data Controller Contract Appendix B to 2004/915/EC includes: description & purposes of transfer.
29. Information Commissioner SR/HC/BCR Checklist 11/2/04 pg4.
30. ref Note 6.
31. Transferring personal data to the USA Gillian Bull - Computer Law & Security Report Vol 17, Issue 4, 31 July 2001, Pages 239-243.
32. COM (2003) 265 ref 4.4.5 Articles 25 & 26. The external dimension & WP98 subsequently.
33. WP4-26/6/1997.
34. Note 11, pg 88-89 relating to medical insurance and personal financial planning.
35. S Room DPFB Handbook 2004 Rowe Cohen.
36. LWoolf CJ in R v Chief Constable of Essex Police (2002).
37. Information Commissioner's Annual Report July 04 http://www.official-documents.co.uk/reps/ic/05-dataprotection98.html & Strategy presentation.
38. Article 29 Data Protection Working Party Declaration on Enforcement WP101 12067/04/EN - adopted 25/11/04.
39. European Commissioner suggests UK Data Protection Act is deficient ref to Richard Thomas quoted in June 2003 Outlaw.com 15/07/04.
40. Commission Decision of 27/12/2004 amending decision 2001/497/EC (L.385/ 75.29.12.04) as regards alternative contractual clauses for the transfer of personal data to third countries C(2004)5271, including associated FAQs.
41. Data Transfer to third countries: Standard contractual clauses of the European Commission Bond, Audley and Knyrim Computer Law & Security Report Volume 18, Issue 3, 31/5/2002.
42. WP84 11754/03/EN Opinion 8/2003 on the draft "the alternative model contract" 17/12/03.
43. Commission Decision 2002/16/EC of 27 December 2001 on standard contractual clauses.
44. Currently being exercised by concerned Banking sector controllers of Indian data processors in the light of recent security breaches, despite meeting security standards.
45. Council of Europe Report 2nd Nov 1992 Conclusions of 13th Conference of Data Processing Commissioners Strasbourg 1991 Mr E Harremoes Director of legal Affairs summing up.
46. Binding Corporate Rules WP74 in June 2003.
47. ICC Report 28/10/04 - Binding Corporate Rules for international transfers of personal data.
48. The Daimler Chrysler codes of conduct Dr Hans-Werner Moritz Computer Law & Security Report Vol 20, Issue 3 May-June 2004 pgs 185-193.
49. Public Hearing on international codes of conduct for multinationals Art.29 WP 24/11/04.
50. Also WP108 Model BCR checklist application 14/04/05.
51. The obligation to notify the national supervisory authorities, the best use of exceptions and simplification and the role of the data protection officers in the European Union Art.29 WP Report 18th Jan 2005 WP106 10211/05/EN.
52. Art.29 Working Party 18/01/05 WP106 10211/05/EN Section 6 'Simplification by means of international co-operation: First approach to a simplified system for organisations with more than one establishment in the EU. WP107 Co-operative procedures for opinions 14/ 04/05.
53. Putting the concept into practice in the United Kingdom UK information Commissioner guidelines on Notification (JB v.1.2 22/09/03) Also WP74 section 6.
54. Data Protection Officers in EEA countries - Profiles Bird & Bird- 2004. Also Country-by-country survey 09/03/05 Bird & Bird.
55. Globalisation and Social protection: The impact of EU and international rules in the ratcheting up of US data privacy standards. G Shaffer. Yale Journal of International law Vol 25 Winter 2000, pg99 onwards.
56. ref Note 8.
57. Banks, Consumers & Regulation Peter Cartwright - Univ Nottingham 2004 Hart Publishing Oxford.
58. FSA Handbook, Senior Management Arrangements; Systems and Controls SYSC 3.2.4
59. Also FSA The firm - risk assessment framework para 34 Outsourcing.
60. Interim Prudential Sourcebook. June 2000. Section 20 Outsourcing.
61. Also Integrated Prudential Source Book (IPRU) (Bank) Oct 2003 SYSC3A Information Security & Outsourcing Arrangements.
62. Reference to A Ogus - Regulation: Legal form and economic theory Oxford Clarendon Press 1994
63. Information Technology Law IJ Lloyd 3rd Edition Butterworths 2000.
64. Offshore Operations FSA Industry Feedback April 2005 http://www.fsa.gov.uk/pubs/other paras 66-70.
65. Responsive Regulation: Transcending the Deregulation debate Ayres & Braithwaite OUP 1992).
66. ref Note 54.
67. FSA Consumer Research 13 July 2002.
68. 2000/520/EC: Commission Decision of 26 July 2000 on the adequacy of the safe harbor privacy principles and related FAQs.
69. Progress on Safe Harbor Commission Staff Working Paper SEC (2002) 196. 13.02.2002.
70. Staff Working Document on Safe Harbor implementation. Brussels 20.10.2004 SEC (2004) 1323.
71. S5 of the Federal Trade Commission Act 'unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.' Taking action will be the decision of the FTC, under the False Statements Act (18 USC 1001).
72. Jan-Peter Ohrtmann Bird & Bird website Implementation of Gramm Leach Bliley: Replacing the Safe Harbor Principle in the Financial Sector 01-10-03.
73. International data transfers between the United States and the European Union A. Zinser Dr. jur, LLM. Computer Law & Security Report Volume 20, Issue 3 May-June 2004.
74. ref Note 29.
75. Internet & Online Privacy; A Legal & Business Guide, Frackman, Martin & Ray. ALM Publishing New York 2002 pg 65 onwards and 232.
76. Gramm-Leach-Bliley Act, 15 USC, Subchapter I, Sec. 6801-6809, Disclosure of Nonpublic Personal Information 12/11/1999.
77. ref Note 67.
78. 36484 Federal Register/Vol. 67, No. 100/Thursday, May 23, 2002/Rules and Regulations;
79. 36484 16 CFR Part 314 Standards for Safeguarding Customer Information; Final Rule.
80. Offshore Outsourcing of Health Data Services - The Health Lawyer (vol. 16, no. 6, August 2004, p. 24-30).
81. Also Offshore Outsourcing of Health Data Services - the Financial Services Model. Kenneth N. Rashbaum Sedgwick, Detert, Moran & Arnold LLP. The Health Lawyer (vol. 16, no. 6, August 2004).
82. ref Note 70 pg 107.