outsourcing GP appointments to India: is this legal under DPA?

Matthew Pemble matthew at pemble.net
Fri Jan 21 08:32:27 GMT 2011

On 21 January 2011 08:12, Mary Hawking <maryhawking at tigers.demon.co.uk>wrote:

> GPs are always being reminded of the importance of confidentiality and
> observing the Data Protection Act - which forbids the export of personally
> identifiable data to countries outside the EU with data protection laws
> which do not match EU standards.
> Both India and the USA fall into this category.

Not quite - if there isn't an equivalent (& approved) legal standard, you
can still export provided you ensure adequate protection:

(from the ico site)

Yes, if you are satisfied that in the particular circumstances there is an
> adequate level of protection. You can:
>    - assess adequacy yourself;
>    - use contracts, including the European Commission approved model
>    contractual clauses;
>    - get your Binding Corporate Rules approved by the Information
>    Commissioner; or
>    - rely on the exceptions from the rule.

> Assuming I am right in this, where will legal liability for the possible
> breach of confidentiality and the breach of Data Protection regulations
> lie?

With the Data Controller - which I assume is usually the GP partnership.


Matthew Pemble
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.chiark.greenend.org.uk/pipermail/ukcrypto/attachments/20110121/1eb23924/attachment.htm>

More information about the ukcrypto mailing list