An unnamed Lloyds TSB customer, backed by the Lloyds TSB Group Union, made the complaint. Both customer and union are reported to be considering court action, objecting to, according to the union, "data being accessible in India where the same standards of data protection are not available".
European firms are severely restricted in terms of the Data Protection Directive of 1995 as to what data can be transferred or stored in countries without equivalent rules and enforcement procedures. At present, India has no such regulations, and companies wishing to export their processing must rely on individual contracts negotiated between the main company and the Indian outsourcing contractor.
According to the Financial Times, Lloyds TSB is confident that it is in compliance with the terms of the Act, and that customer details are properly protected.
"The Data Protection Act states that as long as we have measures in place to ensure an adequate level of protection for personal data, we are not required to obtain customers' explicit consent," said the bank. "Security is of the utmost importance to us. We constantly monitor security and compliance within all our operations and have put a number of measures in place to ensure the protection of customer data wherever it is processed."
While not commenting specifically on the case, the Information Commissioner's Office (ICO) told the Associated Press, "There are various bases in law which can be used to legitimise the transfer overseas of personal data, consent from the individual is just one of them".
The ICO continued:
"As far as the ICO is concerned the main issue is that the information that is transferred overseas continues to enjoy an adequate level of protection as if it stayed in the UK.
"Should a data controller, subject to UK law, outsource work outside the EEA (European Economic Area), they will remain responsible for that data, in particular, it must be afforded appropriate security and not be used or disclosed other than for its legitimate business purpose."
