SaaS suppliers must have adequate data protection policies, procedures and checks in place when employees or third parties are handling SaaS customer data or face the risk of being heavily fined by the Information Commissioner’s Office (ICO) for breaches of the Data Protection Act 1998 (DPA).
Torbay Care Trust
A health trust in Torquay was recently fined £175,000 for breaches of the DPA after it accidentally published sensitive data of more than 1,000 staff on its website. The sensitive data contained the names, religion, sexuality, date of birth and National Insurance numbers of employees – which had been collected in an internal diversity response exercise.
Obligations under the DPA
Under the DPA you must have:
- appropriate organisational measures to prevent the unauthorised use of personal data; and
- effective policies and procedures for handling personal data.
The Trust was found to be in breach of both of these obligations, as it had no internal guidance on what should and should not be published online and had no adequate checks in place to identify potential data disclosure problems.
Appropriate Organisational Measures & Effective Policies
In order to avoid similar breaches (and fines) for disclosure of SaaS customer data, SaaS suppliers should have a data protection policy in place that all staff have read, accepted and understood. This should be regularly updated to reflect changes in the law and staff should be provided with basic data protection training on a regular basis.
In addition, SaaS suppliers should have robust procedures in place for managing SaaS customer information. For example, access to the customer's information should be controlled and monitored in order to make the information more secure and thus minimise the risk of any accidental or unauthorised disclosure.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me: