The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.


About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.


Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Saturday, February 21, 2004

Article: Outsourcing: Danger to Privacy 

Wired News has an interesting article (Wired News: Outsourcing: Danger to Privacy) about the potential risks to personal information caused by offshore outsourcing. This is obviously an American article, but the issues are important here in Canada, as well.

[I note that Schedule I of PIPEDA requires companies to take measures to protect personal information when it is the subject of outsourcing:

4.1.3 - An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

This should mean that the outsourcer remains responsible for everything that happens to the data, including the obligation to safeguard the data. This responsibility can't be handed off.]

This is from the Wired article: "Outsourcing: Danger to Privacy"

Last year a medical transcriber in Pakistan threatened to post patients' medical records online unless the University of California at San Francisco Medical Center settled a financial dispute. Lubna Baloch, the transcriber, claimed she hadn't been paid the 3 cents a line reportedly promised by a Texas man, who, in turn, had subcontracted the work from a Florida woman. The Florida woman herself had subcontracted the work from Transcription Stat, a firm in Sausalito, California, that was paid 18 cents a line by the medical center for the work. The owner of Transcription Stat said she couldn't respond to questions due to a pending lawsuit in the case.

A hospital spokeswoman said the medical center didn't know or approve of more than one level of subcontracting and was not aware that work was being sent outside the country.

Although the Health Insurance Portability and Accountability Act of 1996 requires medical transcribers in the United States to uphold privacy practices mandated in the bill, the federal law has no reach overseas.

Of course, overseas workers aren't more likely to compromise or misuse sensitive information than workers in the United States. For example, recently, U.S. publications published false rumors that actress Nicole Kidman might be suffering from breast cancer after someone leaked information about her breast exam to reporters.

In addition to sensitive medical data, information shipped to foreign workers can include bank account numbers, Social Security numbers, stock holdings and credit card numbers -- all valuable information to identity thieves.

I guess this was a hot topic at the Privacy and Security Summit in Washington, D.C., because Computerworld has a related article on its website:

Offshore outsourcing poses privacy perils:
A lack of control over data, compliance monitoring and auditing are key issues

Story by Jaikumar Vijayan

FEBRUARY 20, 2004 ( COMPUTERWORLD ) - WASHINGTON -- Outsourcing jobs to offshore destinations can sharply increase data privacy risks and the complexity of managing that risk, several experts at the Fourth Annual Privacy and Data Security Summit here warned this week.

As a result, companies need to ensure that overseas vendors are contractually tied to specific conditions regarding how data is transmitted, accessed, used, stored and shared, they said. Those challenges include regulatory compliance, data protection and access issues, as well as monitoring and auditing issues.

"The risks are enormous to business strategy," said Richard Purcell, founder of Nordland, Wash.-based consultancy Corporate Privacy Group and former chief privacy officer at Microsoft Corp.

I'll also throw in, as an aside, that the Canadian Office of the Privacy Commissioner has taken the position that Canadian privacy law will apply to any personal information "outsourced" to Canada. This includes the processing of American data by an American company if any of it is carried out in Canada. Processing includes the operation of an inbound call centre to provide customer support.

As nearshore outsourcing to Canada is increasing, this raises very important considerations for American companies. Luckily, in the course of advising many US companies that have customer service functions being performed from Canada, compliance is not as big of a challenge as one might have initially thought. (Complying with PIPEDA also has advantages, because PIPEDA is up to the European Union's standards. Thus, Canada is a good location for outsourcing the processing of both North American and European data.)

The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.