Celebrating the professional support services that help Bailiwick businesses thrive

Published: 2 July 2024

This blog was originally published in the July edition of Business Brief.

Deputy Data Protection Commissioner Rachel Masterton explains why outsourcing specialised support functions can make good business sense – and how it works when another organisation is handling your business’s personal data.

Businesses of the Bailiwick excel at providing professional support services to other companies, forming an integral part of our economy. Whether it be the fiduciary function of the finance sector or for the purpose of payroll and people management, there is a wealth of talent, and it is wonderful to see this edition dedicated to the businesses that help others work professionally and productively.

One of the factors driving the use of professional support services is the size of businesses and whether they can warrant employing people to deliver some of the more specialised support functions, such as HR, legal and accountancy. If a company doesn’t have enough work to keep these staff busy, better value can often be achieved by outsourcing these functions. And with fewer than 5% of companies based locally employing 50 or more staff[1], it is not surprising support services are thriving.

At the ODPA, we have adopted such an approach, directly employing staff that can drive the delivery of the priorities within our Strategic Plan while bringing in on service contracts the expertise to support the organisation. Financial management and HR are important functions, and without them we could not operate, but we do not have enough work for someone to be gainfully employed, even on a part-time basis, to fulfil those functions. This way we can turn the support on and off, to meet fluctuations in demand, and access a broader range of skills and experience than would otherwise be possible.

Of course, with information about people driving much of the economy locally, it is not a shock to discover that the companies supporting businesses will end up handling people’s information, whether that be of staff, customers or other suppliers. And, with people’s information comes the need to comply with data protection legislation. But how does that work when another company is using your business’s personal data? And where does the liability rest for anything that goes wrong?

In order to answer the first question – how does it work? – you need to understand where the decision-making sits. To help, consider the following. Your business engages a company to administer your payroll. You are making the decisions about how and why the information about your staff is to be used (to make the payroll calculations, to ensure staff get paid and that tax, social security and pension payments are properly determined and related payments made to cover them). The payroll company acts on your instructions and does nothing else with the information. Your business is the ‘controller’ and the payroll company is the ‘processor’ and that helps answer the second question – where does liability rest?

And to be clear, at the end of the day, data protection becomes a “shared responsibility” with service providers along the following parameters.

As a controller, your business is ultimately responsible for complying with the principles of the Law and for ensuring anyone exercising their rights under the Law gets an appropriate response. Your business will be liable for any breach of these aspects of the Law.

You need a contract or legally binding agreement with the payroll company that outlines, amongst other things, what they are to do with the information, the level of security you are expecting and how they should assist you in meeting your legal obligations.

The payroll company should only act under instructions and in accordance with the agreement. They should alert you as soon as possible to any breach of security involving that information so you can take the necessary steps to assess the breach and take action to mitigate the risk and/or put things right, reporting it to the ODPA as appropriate.

Critically, they should not do anything with the information that you have not asked them to do and that is not an agreed use. If they do, that secondary use makes them responsible, and they need to comply with the law. And importantly, if they have shared or used information outside your instructions, they have likely failed the test of lawfulness, fairness and transparency.

To help you, whether you are a support services business or a business that uses such services, there is comprehensive guidance on our website. And remember, you can also attend one of our drop-in sessions to seek tailored advice.

[1] States of Guernsey’s Facts and Figures 2023 booklet