Saturday, February 21, 2004

Article: Outsourcing: Danger to Privacy

Wired News has an interesting article (Wired News: Outsourcing: Danger to Privacy) about the potential risks to personal information caused by offshore outsourcing. This is obviously an American article, but the issues are important here in Canada, as well.

[I note that Schedule I of PIPEDA requires companies to take measures to protect personal information when it is the subject of outsourcing:

4.1.3 - An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

This should mean that the outsourcer remains responsible for everything that happens to the data, including the obligation to safeguard the data. This responsibility can't be handed off.]

This is from the Wired article: "Outsourcing: Danger to Privacy"

Last year a medical transcriber in Pakistan threatened to post patients' medical records online unless the University of California at San Francisco Medical Center settled a financial dispute. Lubna Baloch, the transcriber, claimed she hadn't been paid the 3 cents a line reportedly promised by a Texas man, who, in turn, had subcontracted the work from a Florida woman. The Florida woman herself had subcontracted the work from Transcription Stat, a firm in Sausalito, California, that was paid 18 cents a line by the medical center for the work. The owner of Transcription Stat said she couldn't respond to questions due to a pending lawsuit in the case.

A hospital spokeswoman said the medical center didn't know or approve of more than one level of subcontracting and was not aware that work was being sent outside the country.

Although the Health Insurance Portability and Accountability Act of 1996 requires medical transcribers in the United States to uphold privacy practices mandated in the bill, the federal law has no reach overseas.

Of course, overseas workers aren't more likely to compromise or misuse sensitive information than workers in the United States. For example, recently, U.S. publications published false rumors that actress Nicole Kidman might be suffering from breast cancer after someone leaked information about her breast exam to reporters.

In addition to sensitive medical data, information shipped to foreign workers can include bank account numbers, Social Security numbers, stock holdings and credit card numbers -- all valuable information to identity thieves.

I guess this was a hot topic at the Privacy and Security Summit in Washington, D.C., because Computerworld has a related article on its website:

Offshore outsourcing poses privacy perils:
A lack of control over data, compliance monitoring and auditing are key issues

Story by Jaikumar Vijayan

FEBRUARY 20, 2004 ( COMPUTERWORLD ) - WASHINGTON -- Outsourcing jobs to offshore destinations can sharply increase data privacy risks and the complexity of managing that risk, several experts at the Fourth Annual Privacy and Data Security Summit here warned this week.

As a result, companies need to ensure that overseas vendors are contractually tied to specific conditions regarding how data is transmitted, accessed, used, stored and shared, they said. Those challenges include regulatory compliance, data protection and access issues, as well as monitoring and auditing issues.

"The risks are enormous to business strategy," said Richard Purcell, founder of Nordland, Wash.-based consultancy Corporate Privacy Group and former chief privacy officer at Microsoft Corp.

I'll also throw in, as an aside, that the Canadian Office of the Privacy Commissioner has taken the position that Canadian privacy law will apply to any personal information "outsourced" to Canada. This includes the processing of American data by an American company if any of it is carried out in Canada. Processing includes the operation of an inbound call centre to provide customer support.

As nearshore outsourcing to Canada is increasing, this raises very important considerations for American companies. Luckily, in the course of advising many US companies that have customer service functions being performed from Canada, compliance is not as big of a challenge as one might have initially thought. (Complying with PIPEDA also has advantages, because PIPEDA is up to the European Union's standards. Thus, Canada is a good location for outsourcing the processing of both North American and European data.)
