outsourcing GP appointments to India: is this legal under DPA?
Matthew Pemble
matthew at pemble.net
Fri Jan 21 08:32:27 GMT 2011
On 21 January 2011 08:12, Mary Hawking <maryhawking at tigers.demon.co.uk> wrote:
>
> GPs are always being reminded of the importance of confidentiality and
> observing the Data Protection Act - which forbids the export of personally
> identifiable data to countries outside the EU with data protection laws
> which do not match EU standards.
> Both India and the USA fall into this category.
>
Not quite - if there isn't an equivalent (& approved) legal standard, you
can still export provided you ensure adequate protection:
(from the ICO site)
> Yes, if you are satisfied that in the particular circumstances there is an
> adequate level of protection. You can:
>
> - assess adequacy yourself;
> - use contracts, including the European Commission approved model
> contractual clauses;
> - get your Binding Corporate Rules approved by the Information
> Commissioner; or
> - rely on the exceptions from the rule.
>
>
> Assuming I am right in this, where will legal liability for the possible
> breach of confidentiality and the breach of Data Protection regulations
> lie?
>
With the Data Controller - which I assume is usually the GP partnership.
M.
--
Matthew Pemble