Outsourcing the management of personal data to another company doesn't mean a business is out of the woods when it comes to security lapses, it was claimed today.

That's the message from a Birmingham law firm which says there are lessons to be learnt.

"Hardly a week has gone by in recent months without news of yet another high profile data security breach," said Caroline Egan, a data protection expert at Hammonds in Birmingham.

"Comment has largely focused on the technological failings that have prevented personal information from remaining private and as it has been the owner of the data who has been at fault, attention has naturally focused on them."

Yet Mrs Egan warns that businesses all over the country risk carrying the can for data security lapses by the organisations they have hired to handle their customers' or employees' data for them.

She said: "Businesses use a huge number of contractors who process data for them on a daily basis. But if they don't take some simple but essential steps, they, and not their contractors, will be in the firing line if security lapses occur."

The Data Protection Act puts responsibility for keeping data safe on the owner of the data, known as the data controller in law, and not the data processor. It states that a business is breaching the law if it does not adequately assess the security procedures of any company appointed to process data on its behalf. The law also requires a written contract that places responsibility for security on the company processing the data.

"Breaches of the Data Protection Act can have serious financial and reputational consequences," Mrs Egan added.

"Individuals who suffer financial loss as a result of a breach of the Act can sue the data controller for their loss and for distress caused. If there is a major security leak, allowing identity theft, the sums involved can be huge. And this is without calculating the impact of the loss of trust amongst customers and employees and investigations by the Information Commissioner - who is currently calling for tougher penalties on businesses that don't take their data protection obligations seriously.

"Put the right contracts in place, make the right checks and businesses will be in a very different position when a problem occurs, particularly if they are seen to act quickly.

"It is not uncommon for data processors to keep quiet about a breach, or report it significantly after the event. But if a contract requires the company processing data to report actual or suspected breaches as soon as they occur, the business which owns the data will be in the best position to minimise the consequences."

Mrs Egan added: "Businesses would be wise to check what contracts they currently have in place that involve access to personal data.

"These might include payroll processing, website hosting, software support or, for pensions trustees, for example, it would include their administrators.

"Taking these steps now will make it less likely that problems will occur. But if they do, then it's likely to be a drama, not a crisis."