The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
Recent Posts
- Canadian Privacy Law and Video Surveillance
- Discussion: Slashdot notices PIPEDA
- Incident: Shred first, then discard!
- Article: Commish eyes info abuse
- PIPEDA for Law Firms
- Article: Think outside tech box to make 'experienc...
- Article: Australian Privacy watchdog highlights we...
- Article: PIPEDA Author Takes Government to Task - ...
- Article: Credit files riddled with errors
- Watching your PVR watching you
On Twitter
About this page and the author
The author of this blog,
David T.S. Fraser, is a Canadian privacy lawyer who practices with the
firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
Privacy Calendar
Archives
- January 2004
- February 2004
- March 2004
- April 2004
- May 2004
- June 2004
- July 2004
- August 2004
- September 2004
- October 2004
- November 2004
- December 2004
- January 2005
- February 2005
- March 2005
- April 2005
- May 2005
- June 2005
- July 2005
- August 2005
- September 2005
- October 2005
- November 2005
- December 2005
- January 2006
- February 2006
- March 2006
- April 2006
- May 2006
- June 2006
- July 2006
- August 2006
- September 2006
- October 2006
- November 2006
- December 2006
- January 2007
- February 2007
- March 2007
- April 2007
- May 2007
- June 2007
- July 2007
- August 2007
- September 2007
- October 2007
- November 2007
- December 2007
- January 2008
- February 2008
- March 2008
- April 2008
- May 2008
- June 2008
- July 2008
- August 2008
- September 2008
- October 2008
- November 2008
- December 2008
- January 2009
- February 2009
- March 2009
- April 2009
- May 2009
- June 2009
- July 2009
- August 2009
- September 2009
- October 2009
- November 2009
- December 2009
- January 2010
- February 2010
- March 2010
- April 2010
Links
Blogs I Follow
Small Print
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Saturday, February 21, 2004
Article: Outsourcing: Danger to Privacy
Wired News has an interesting article (Wired News: Outsourcing: Danger to Privacy) about the potential risks to personal information caused by offshore outsourcing. This is obviously an American article, but the issues are important here in Canada, as well.
4.1.3 - An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
This should mean that the oursourcer remains responsible for everything that happens to the data, including the obligation to safeguard the data. This responsibility can't be handed off.]
This is from the Wired article: "Outsourcing: Danger to Privacy"
Last year a medical transcriber in Pakistan threatened to post patients' medical records online unless the University of California at San Francisco Medical Center settled a financial dispute. Lubna Baloch, the transcriber, claimed she hadn't been paid the 3 cents a line reportedly promised by a Texas man, who, in turn, had subcontracted the work from a Florida woman. The Florida woman herself had subcontracted the work from Transcription Stat, a firm in Sausalito, California, that was paid 18 cents a line by the medical center for the work. The owner of Transcription Stat said she couldn't respond to questions due to a pending lawsuit in the case.
A hospital spokeswoman said the medical center didn't know or approve of more than one level of subcontracting and was not aware that work was being sent outside the country.
Although the Health Insurance Portability and Accountability Act of 1996 requires medical transcribers in the United States to uphold privacy practices mandated in the bill, the federal law has no reach overseas.
Of course, overseas workers aren't more likely to compromise or misuse sensitive information than workers in the United States. For example, recently, U.S. publications published false rumors that actress Nicole Kidman might be suffering from breast cancer after someone leaked information about her breast exam to reporters.
In addition to sensitive medical data, information shipped to foreign workers can include bank account numbers, Social Security numbers, stock holdings and credit card numbers -- all valuable information to identity thieves.
I guess this was a hot topic at the Privacy and Security Summit in Washington, D.C., because Computerworld has a related article on its website:
A lack of control over data, compliance monitoring and auditing are key issues
Story by Jaikumar Vijayan
FEBRUARY 20, 2004 ( COMPUTERWORLD ) - WASHINGTON -- Outsourcing jobs to offshore destinations can sharply increase data privacy risks and the complexity of managing that risk, several experts at the Fourth Annual Privacy and Data Security Summit here warned this week.
As a result, companies need to ensure that overseas vendors are contractually tied to specific conditions regarding how data is transmitted, accessed, used, stored and shared, they said. Those challenges include regulatory compliance, data protection and access issues, as well as monitoring and auditing issues.
"The risks are enormous to business strategy," said Richard Purcell, founder of Nordland, Wash.-based consultancy Corporate Privacy Group and former chief privacy officer at Microsoft Corp.
I'll also throw in, as an aside, that the Canadian Office of the Privacy Commissioner has taken the position that Canadian privacy law will apply to any personal information "outsourced" to Canada. This includes the processing of American data by an American company if any of it is carried out in Canada. Processing includes the operation of an inbound call centre to provide customer support.
As nearshore outsourcing to Canada is increasing, this raises very important considerations for American companies. Luckily, in the course of advising many US companies that have customer service functions being peformed from Canada, compliance is not as big of a challenge as one might have initially thought. (Complying with PIPEDA also has advantages, because PIPEDA is up to the European Union's standards. Thus, Canada is a good location for outsourcing the processing of both North American and European data.)
Labels: health information, information breaches
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.
