The Data Protection Act: threat or opportunity for the private security industry?
Companies that offer private security services will be among the first stakeholders in the data protection regime, in their role as data processors, to feel the commercial impact of the newly promulgated Data Protection Act. This assertion is based on the patterns we have started to see emerge as privacy practitioners serving a broad customer base over several years.
Private security service providers will, sooner rather than later, feel pressure from the clients they serve to become compliant with the Data Protection Act. This is understandable, as those clients increasingly begin their own data protection compliance journey. The clients, on the other hand, have the benefit, if they so choose, of the two-year transition period afforded by the legislation to become compliant before they have to start worrying about any third party, namely the Office of the Information Commissioner or their customers, pressuring them to become compliant. (At the time of writing this article there is 1 year, 4 months and 4 days left to become compliant.)
The peculiar challenge that private security service providers face is that in order for the clients they serve, who are referred to as data controllers under the law, to become data protection compliant, the data controller will have to demonstrate that the data processors (the security service providers) with whom they share their customers' personal data are themselves data protection compliant.
Section 30 of the Data Protection Act specifically states that:
“Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall not be regarded as implementing the requisite technical and organizational measures unless the processing is carried out under a contract that requires the data processor to implement the appropriate technical and organizational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to, personal data.”
In addition to the foregoing, data controllers are also required to ensure that the Commissioner is notified, without any undue delay, of any breach of the data controller’s security measures which affects or may affect any personal data.
In order to comply with this section, data controllers will require their security service providers, at a minimum, to demonstrate that:
- their employees (contractors) are trained in data protection standards and are aware of informational privacy rights,
- they can safeguard the personal data being shared with them,
- they have systems in place to enable the exercise of rights by data subjects,
- they have established retention and disposal policies,
- they have established a clearly defined reporting process, reporting structure, reporting formats and escalation procedures.
Interestingly, security service providers, when acting as data processors, are not governed by the Data Protection Act. Consequently, they cannot be sanctioned by the Office of the Information Commissioner for a breach of the Data Protection Act. However, if security service providers cannot demonstrate that they are compliant with the Data Protection Act, they face the risk of losing their service contract with the data controller. In other words, as a form of de-risking, the prudent data controller may terminate the contract if there are safer alternatives in the market.
We have observed, without fail, that organizations that are now starting their compliance journey overlook the fact that security service providers process personal data on their behalf. Initially, organizations do not appreciate that when their security providers capture license plate numbers and/or conduct a background check on their behalf, they are processing personal data on their behalf.
Organizations only come to this understanding once they have completed their data and process analysis and a data flow mapping exercise. Even then, without the guidance of an experienced privacy practitioner (as distinct from an IT expert), this type of processing may easily be overlooked. It is normal for organizations in certain industries and/or of a certain size to engage security service providers to do the following:
- Conduct background checks of new hires.
- Control access to properties and buildings by recording personal data and sometimes taking copies of picture IDs.
- Install and monitor CCTV feeds.
Once boards recognize the amount of personal data being processed by their security service providers, they very quickly become concerned about their exposure. The question commonly asked is: “How can we be held responsible for how a private security company, an independent contractor, handles the personal data they process on our behalf, and what steps can we take to reduce our liability?” The rational business always comes to the same conclusion: only work with security service providers who demonstrate that they are in compliance with the Data Protection Act and have implemented, or are in the process of implementing, the prescribed data processing standards.
The implication of this is that, in order to win big contracts, private security service providers will increasingly have to prove that they are data protection compliant and that their employees are trained in data subject rights and privacy/data protection controls. In addition to this, existing contracts will also be brought under scrutiny. The extent to which this happens will be determined by the maturity of the data controller’s data protection compliance programme. The more mature the programme is, the more likely the data controller will require all of its service providers, and in this instance its private security providers, to also be compliant with the Data Protection Act.
My interpretation of the services that a private security company offers is that they protect the valuable assets of the company, whatever those assets may be deemed to be. We now have a scenario where the law has stated that the most valuable asset in an organization is the personal data that it is processing. It is our recommendation that, instead of viewing the Data Protection Act as a threat to the businesses of security service providers, it should be viewed as an additional revenue-generating opportunity.
In closing, the question of data controllers now being compelled to require certain assurances from their security service providers puts into issue the extent to which a security service provider can give assurances on behalf of independent contractors. This issue begs the question: is the current business model (the security company and independent contractor relationship) sustainable and sufficient to meet the requirements of section 30 of the Data Protection Act? To look at the issue another way, does the imposition of data processing standards and other operational requirements on independent contractors now make them employees as opposed to independent contractors? If the answer to this is no, would the client now also need assurances from the independent security guard, in light of the fact that he is an independent contractor?
Chukwuemeka Cameron, an Attorney with a Master's in IT and Management, is a privacy practitioner, trained Data Protection Officer, certified ISO 27701 lead implementer and the founder of Design Privacy, a firm that helps companies comply with privacy laws. Feedback can be sent to email@example.com.