IT-Analysis.com
Picture this?
By: Rob Bamforth, Principal Analyst, Quocirca
Published: 3rd September 2008
Copyright Quocirca © 2008

A whole bunch of episodes have demonstrated how bad many organisations are at protecting secret or personal data, especially those in the public sector. This is particularly apparent when data is mobile, or allowed outside the premises of the organisation, say on a laptop, memory stick or burnt onto a CD.

But what if it is simply outside the direct control of the organisation and in the hands of an onsite partner? The most recent security lapse in the UK public sector was centred on such a third party. While one would like to assume that both the government department and the consultancy company involved have their own strong policies and procedures for protecting secret or private information, clearly something fell between the cracks.

In between, at the boundaries, individual company policies can fail to protect information sufficiently - especially if they lack interface agreements and suitable control protocols.

This can happen anywhere, and with different levels of consequence. At a recent visit to a major US vendor for a briefing at one of their UK offices, on arrival at reception, in addition to name, company and car registration, they took my photograph.

Out of curiosity I asked about the protection and management of my private data. Perhaps there was a policy or web site to point me to? No, the receptionist did not know, and sent me to the security guys. They worked for another company - a security specialist - but they could not tell me how my data would be protected. As for policy, they suggested I ask the host company.

When I did - through its web site - they responded promptly and efficiently. They have stopped taking photos of visitors on reception pending a complete review of procedures.

I'm sure both companies have good internal practices, but like government departments and others, there is at least a communication problem at the interface. Perhaps when policies were first defined few of the business processes were outsourced and most data was kept within organisational boundaries, and relationships with partners did not need to be worked out to such a detailed level.

However, business practices are no longer so insular and isolated. While it might be good commercial practice to outsource services to reduce or manage costs, all consequences need to be taken into account. This is not only necessary to protect the security of the organisation and the internal information it holds, but also what passes through its boundaries.

Interfaces and protocols are not only something for technologists to worry about. Their original commercial meanings still apply and organisations in both the private and public sectors need to sharpen up their acts when their outsourcing plans add to security risks.

By Rob Bamforth

Published by: IT Analysis Communications Ltd.