outsourcing GP appointments to India: is this legal under DPA?
matthew at pemble.net
Fri Jan 21 08:32:27 GMT 2011
On 21 January 2011 08:12, Mary Hawking <maryhawking at tigers.demon.co.uk>wrote:
> GPs are always being reminded of the importance of confidentiality and
> observing the Data Protection Act - which forbids the export of personally
> identifiable data to countries outside the EU with data protection laws
> which do not match EU standards.
> Both India and the USA fall into this category.
Not quite - if there isn't an equivalent (& approved) legal standard, you
can still export provided you ensure adequate protection:
(from the ico site)
Yes, if you are satisfied that in the particular circumstances there is an
> adequate level of protection. You can:
> - assess adequacy yourself;
> - use contracts, including the European Commission approved model
> contractual clauses;
> - get your Binding Corporate Rules approved by the Information
> Commissioner; or
> - rely on the exceptions from the rule.
> Assuming I am right in this, where will legal liability for the possible
> breach of confidentiality and the breach of Data Protection regulations
With the Data Controller - which I assume is usually the GP partnership.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the ukcrypto