Departmental Data Protection

Volume 471: debated on Thursday 31 January 2008

To ask the Secretary of State for Transport what minimum demonstrable security standards are required by her Department of an outside organisation before it is allowed to handle personal information. (176938)

The Department and its agencies are required to follow the principles of the Department’s procurement manual. The general terms and conditions, as set out in the procurement manual, for the procurement of services from outside organisations, require the contractors to comply with the Data Protection Act. In the case of contracts where the processing of personal data is a key part of the service to be provided (i.e. where the contractor will act as our ‘data processor’) tenderers are required to provide specific guarantees about the technical and organisational security measures they have in place to ensure compliance with the seventh principle of the Data Protection Act, which if they are successful should form part of the contract. The general terms and conditions also set out a general duty of care for contractors.

The Department and its agencies set additional security standards on a case by case basis during the procurement process depending on the nature of the service to be provided.