Third-party outsourcing can lead to a council data protection breach, and as the old saying goes, “you’re only as strong as your weakest link” – which means councils and local authorities are only as good as the private organisations they outsource work to.
This is important, because public sector data breaches are an ongoing problem, and councils can be a prime target for cyber-criminals as well as being vulnerable to leaks and breaches from inadequate procedures and policies.
With councils outsourcing a lot of work to the private sector, there is understandable cause for concern.
Ultimately, if a council outsources work privately, and the private company is responsible for a data breach, it’s the council’s data that can end up being exposed. As the Data Controller, the council has the ultimate responsibility, which is why it’s so important that councils understand that the organisations they outsource work to can adequately protect and secure the data they hold.
Capita is perhaps an easy example to call upon. They do a lot of work on behalf of the public sector, and there have been incidents in the past where Capita has been responsible for data breaches when undertaking outsourced work from local authorities. Councils must be confident that the data they put into the hands of outsourced agencies is safe, and they must conduct their due-diligence checks to ensure that the data they hand over will be safe and secure.
Councils hold a lot of personal and sensitive data about people. In the wrong hands, this kind of data – when leaked or breached – can cause significant distress to victims and can open people up to incidents of fraud.
If you are the victim of a data breach caused by an outsourced company, who is responsible?
You would expect that the third-party company that the council has outsourced work to has its own insurance and/or finances to settle a data protection breach claim against it. In the first instance, a victim can make their claim against the organisation directly responsible for the breach. But that doesn’t totally absolve the council, and if it transpires that the organisation does not have the finances or the insurance to settle a claim, the burden can fall back onto the council itself.
If the council or local authority did not undertake adequate checks and have adequate agreements in place to ensure that the data they hand over is safe and secure, they can be equally responsible. With council data protection breaches already a common problem, ensuring that outsourced organisations have the means to safeguard public data is essential.
If you have been the victim of a council data breach, please don’t hesitate to contact our legal team for assistance.