Sweden has every reason to be sensitive about personal information. Up to 1975, it compulsorily sterilised some 21,000 of its own citizens on the grounds of eugenics. With a problematic misuse of medical data of that kind in its background, you would expect it to take great care with the data it holds.
Yet just two days ago it emerged that sensitive medical data was been handled by outsourced workers who had not been security screened. Some sense of the risks involved had already been gained when the transport agency minister was fired and fined in January for breaching data protection and privacy laws. She had signed a deal with IBM Sweden that waived security clearance for the outsourcer’s workers from the Czech Republic, Serbia and Romania.
It then emerged that, as well as the entire national driver’s licence database, the records being processed by these workers potentially included information on intelligence agents, military and police transport and personnel, people with criminal records and those in witness protection programmes.
Although no data breach has been confirmed, both the interior minister and the infrastructure minister have stepped down and the prime minister, Anna Johansson, described it as an extremely serious security breach. Worst of all, several ministers had known about the failed security arrangements since 2015, but had not told the PM.
The UK has had its own problems with government-run outsourcing contracts and mishandling of citizen’s data, from the DWP being unable to locate two CDs containing its entire database of benefits claimants to the botched care.data launch. But, for commercial organisations, Sweden’s major data protection process failure holds an important lesson.
Third-party contracts exist up and down the data industry, from external data processing to cloud-based services, from ad networks to data enhancements. What a contract can not do, however, is pass responsibility and liability from the first party data controller to a third party data processor. This latter group has its own obligations under GDPR for the first time in any case.
Critically, there is no way to derogate from the requirements of GDPR because it relates to fundamental human rights to data protection and privacy. These belong to every citizen and can not be over-riden, except in cases of national security and law enforcement (and even then subject to specific legal constraints).
Yet many – possibly most – of the contracts under which brands are using outsourcers are likely to contain some elements which are not GDPR compliant. Many will be set up to run across the enforcement date, creating a legal minefield for companies trying to get on the right side of the new law. Even worse, many brands work with business partners (especially agencies) with no formal contract in place.
If you do nothing else in the run-up to next May, setting your legal team to reviewing outsourcing contracts will be at least one step towards identifying critical data protection risks. Whether it is the location of data centres or the physical security measures in place to protect data from theft by contracted workers, this is not an issue than can be ignored. Eventually, as in Sweden, it risks snowballing and taking down senior executives with it.