The Information Commissioner is launching an investigation into outsourced data centres after a television programme exposed security breaches at Indian call centres.

Channel 4's Dispatches was offered individuals' banking details for as little as £8 by criminal networks in India.

"It appears that some mobile phone companies' call centres in India are being targeted by criminals intent on unlawfully obtaining UK citizens' financial records and this will be the focus of our investigation," said David Smith, deputy information commissioner.

"We are concerned by any breaches of security particularly if they involve confidential banking details. We provide clear guidance to organisations that outsource overseas to help them ensure people's personal information is secure and is processed in line with data protection principles."

The ICO could prevent some companies sending their data outside the UK for processing, forcing them to carry out back office functions in the UK. "Depending on the outcome of our investigation we will consider whether we need to use our formal enforcement powers to prevent incidents like this happening again in the future," said Smith. "Ultimately, this could include ordering a company to stop processing personal information outside the UK."

The Dispatches programme showed one man who claimed to be prepared to sell the credit card details of 200,000 people to the programme's reporter. Another claimed to be able to sell the mobile phone details of 8,000 people to the programme. Some of the information was available for as little as £8 per person.

UK organisations are responsible for the security of their customer information. If they use an outsourced call centre, whether in the UK or India, the Data Protection Act requires them to ensure that adequate security is in place.

Smith said companies which outsource their data processing or any back office functions are entirely responsible for that data and its security. It is not permissible, he said, for a company to simply pass blame on to a contractor.

"UK organisations are responsible for the security of their customer information. If they use an outsourced call centre whether in the UK or India, the Data Protection Act requires them to ensure that adequate security is in place in the call centre," he said.

Employee fraud is increasingly a problem for all companies. Fraud consultancy BDO Stoy Hayward reported earlier this year that employee fraud levels had almost tripled between 2003 and 2005 to almost £1bn in the UK. Financial services companies were the hardest hit, the report said.

Smith said the problem was by no means solely an Indian one. "This issue – where people sell on personal information for a price – is not confined to India," he said. "As our report "What Price Privacy?" shows, it happens in the UK and it is a criminal offence. Where we find evidence of breaches of the Data Protection Act we do have powers to take formal action and we do bring prosecutions."

See: The Information Commissioner's Office

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Related stories

• Indian call centre credit card 'scam' exposed (20 March 2009)
• Call centre manager in the frame over ID scam (20 January 2009)
• T-Mobile suspends staff discount scheme (7 December 2006)
• Indian data theft 'exposed' (5 October 2006)
• India takes on offshoring naysayers (26 July 2006)
• Outsourced data must be protected, says privacy chief (12 July 2006)
• Man cuffed in Bangalore call centre scam probe (28 June 2006)
• FTC sues over mobile phone records sale (4 May 2006)
• Euro unions eye Indian closed shop (3 March 2006)
• Comment How much does a security breach actually cost? (15 July 2005)
• Offshoring jobs threat 'exaggerated' - WTO (5 July 2005)
• India acts on call centre fraud (13 April 2005)
• Indian call centres ‘pose security risk’ (5 April 2004)