Partly spurred on by recent UK data losses, the issue of risks associated with outsourcing data has been keenly debated this week by bodies representing software and services companies both in the UK and India.

The National Association of Software and Services (NASSCOM), who held a meeting this week with key members of the outsourcing community, voiced the opinions of the Indian contingent.

Ameet Nivsarkar, vice president of Nasscom, said the discussion had highlighted the global concern around data security and the need to tackle it jointly, rather than in isolation, with industry collaboration involving regulators, customers, suppliers and employees.

Although anti-outsourcing lobbies often voice data privacy and security concerns with offshoring, contracts involving an Indian supplier are upheld by a “strong Indian contract law”, said Nivarkar. Nivarkar also said that there have been no security lapses in India. Nasscom is in the process of setting up the Data Security Council of India (DSCI) to ensure this continues, he added.

The DSCI will work to create awareness on data security and ensure member organisations adopt best practise. “Because the technology industry is constantly changing, the aim of the body is to be tuned into both the industry and customer so the laws are more in tune,” Nivarkar explained. The DSCI hopes to foster a community of security professionals and eventually build capacity to provide security certification for organisations.

A recent survey of 59 global IT executives by consultancy ComRes supported India as a trusted outsourcing destination. While 61 per cent of respondents nominated India as a secure outsourcing destination, only one in five nominated Eastern Europe.

A new white paper from trade body Intellect, to be released in March, will give additional guidance to companies on data security when outsourcing or off-shoring.

Speaking at an Intellect Industry board meeting, Guy Hains, chief executive of Computer Sciences Cooperation European Group, said “the data that has been lost and the way that it has been lost have done the industry a lot of damage. Organisations need best practices and these have to be made explicit.” Hains gave examples of practices such as strong human resources vetting policy and regular checks on rights given to administrative database experts.

Nivarkar pointed to ways in which employees could be encouraged to be more cautious, such as not taking phones or flash drives containing customer data out of the office. He also advised organisations to seclude customer networks from the rest of the organisation.

“The weakest link is the individual and the critical aspect is to encourage organisations to educate employees,” added Nivarkar, making the distinction between security and privacy. While a lot of organisations have concentrated on the former, now organisations need to ensure that only the minimal amount of people see customer data, a need that has been underlined with the loos of the two HMRC discs, he said.