It’s Data and Contracts all the Way Down!

The Tallaght Hospital story is a salutatory tale of what can go wrong when engaging third parties to perform any service for your organisation.

Left to their own devices and absent any control or governance framework that can verify that what is to be done has been done (in its entirety) and has been done in keeping with the requisite standards under the agreement outsourcers may deviate from task, get creative, or just get down right sloppy and careless.

When the outsourcing relationship consists of a chain of parties (an Irish entity, a UK entity, entities in 3rd countries) then things become even more complicated.

The Data Protection Acts require that Data Controllers put in place a contract in writing with Data Processors. This contract should, at a minimum, include specifications as to the security standards and protocols that should be in place. Ideally it should also grant the Data Controller a right of audit and inspection of those standards.

Things get really interesting when you bring multiple processors into the mix because the Data Controller continues to carry responsibility through the chain of contracts (or absence of contractual chain).

The Data Controller has to be able to look through the layers of contract and see the Data Processor at the end and be sure that they are acting in a manner that is consistent with the requirement of the parent agreement between them and Processor 1.

And if the data is moving around jurisdictions (such as out of the EEA) this becomes even more critical.

So. When you are engaging a chain of data processors to do things on your behalf, it is important to remember that it is turtles all the way down. And if not turtles than at least Processors, contracts, and data.