Saturday, January 14, 2006

No official sanction after security and privacy breach from Indian outsourcer

Last June, I blogged about an incident in which a journalist reported that he had purchased personal information about British residents from the employee of an outsourcing operation in India (see: The Canadian Privacy Law Blog: Undercover UK reporter buys personal information from Indian call centre).

At the time, the UK Information Commissioner said that the banks involved may face prosecution under the Data Protection Act. Following an investigation by the Information Commissioner, it is now said that there is no evidence that any personal information was compromised and there will be no prosecution. (I am not sure if this means there was no evidence or they didn't find any evidence.)

The UK police also said that they did not have any jurisdiction to investigate and financial regulators didn't bother to investigate. Somewhat troubling was the statement at the time that "Our concerns are whether adequate security controls were in place but a determined fraudster is always going to get through."

See: UK banks escape punishment over India data breach - Law & Policy - Breaking Business and Technology News at

Technorati tags: Privacy :: Outsourcing :: India :: United Kingdom :: Data Protection Act :: Data Protection

No comments: