Protecting the Privacy of Information in Offshore Processing

Published: 2007-6-02 18:23 | Author: reposted from the web | Source: original to this site | Views: 16

One of the biggest assets of IAOP is the wealth of knowledge and experience of its members, individually and collectively. One of my goals, as the newly appointed Managing Director of Thought Leadership, is to harness this knowledge and create a fountain of experience for us all. I have noticed that the IAOP network, when active, is a valuable resource and means for dialog, and I’d like to encourage members to get involved. For some of us more senior people, perhaps we can learn from our kids how to use networking tools to gather information and share knowledge! (The IAOP network tool is only the beginning of an outsourcing YouTube™ or MySpace™!)

Let me start this dialog with a discussion on the topic of Privacy of Information and how to protect it. I plan to address this topic in the next 2 issues and hope that members will pick up the discussion among themselves.

This issue, protecting private information, is receiving tremendous media attention, especially as it concerns the politically hot topic of outsourcing. The truth is that an enormous amount of private information has been shared in offshore agreements for decades. Data entry of private information has been around as long as keypunching has existed. Checks were “keyed in” long before imaging processes existed, airline tickets were data entered prior to computerized “e-tickets”, and medical records were input into billing programs before the federal HIPAA Act was passed. Over the years, much of this work was outsourced and even outsourced offshore. Caribbean and Central American nations, as well as India, have been destinations for this type of data entry for years. In fact, several giant IT services companies in India got their start by providing just such data entry services. So, is the issue of protecting the privacy of information based on a new threat or just a new spotlight on the work process?

Before we discuss the protection of privacy of information, let’s briefly examine the legal issues involved.

Privacy Issue – Legal Basis

Privacy protection is widely understood as the right of individuals to control the collection, use and dissemination of personal information that is held by others.

This central principle has been adopted in U.S. law, in privacy laws outside of the United States and in many international agreements such as the 1980 OECD (Organization for Economic Cooperation and Development) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The OECD Privacy Guidelines and privacy laws are based on a set of Fair Information Practices that describe the obligations of organizations that collect personally identifiable information and the rights of individuals who give up their personal information.

There are multiple US federal acts that govern the privacy of information:

• Privacy Act of 1974 (5 U.S.C. § 552a)
• Gramm-Leach-Bliley Act for financial institutions
• Health Insurance Portability and Accountability Act (HIPAA) of 1996
• Telecommunications Act of 1996 – Section 222 dealing with Customer Proprietary Network Information (CPNI)

Additionally, the European Economic Union has passed several laws regulating data protection and transmission of information and has extended these laws to non-EEU countries conducting business with member states. The so-called “Safe Harbor Act” requires non-EEU countries and individual businesses to implement policies and procedures that comply with requirements of the act in order to obtain a “safe harbor” designation. Ironically, the United States, as well as offshore processing destinations such as India and China, have not yet complied with this regulation. However, individual businesses have taken steps to comply with the act.

Protecting Privacy of Information in an Outsourced Environment

Protecting the privacy of information is the legal obligation of the entity that is collecting and processing the information. If work is outsourced, it is still the legal responsibility of the company outsourcing the work to protect that information. This requires that outsourcing arrangements be structured (legally and process-wise) to assure that the data is properly identified as “private” and processes are put in place to protect it. In subsequent articles (and, I am hoping, in ongoing dialog through the network), we will examine the best practices in assuring those arrangements. However, if the outsourcer is processing information within the US, all applicable US laws are extended to the outsourced company. This is one of the fundamental tenets of the Gramm-Leach-Bliley Act.

Additional Considerations in an Offshore Outsourced Environment

Since the jurisdiction of US privacy acts does not extend to offshore locations, additional steps must be taken, first legally, and then through effective governance, to extend the principles and practices of these acts to the foreign locations and service providers. The contractual agreement and due diligence must also assure that there are no foreign legal barriers that would prohibit extension of these legal principles to those specific businesses and countries.

Let the dialog begin... In the next issue, I will talk about a framework for managing information, followed by a discussion of the discipline it takes to establish environments where privacy of information is protected.

TAG: outsourcing
