Print Email

One of the biggest assets of IAOP is the wealth of knowledge and experience of its members, individually and collectively. One of my goals, as the newly appointed Managing Director of Thought Leadership, is to harness this knowledge and create a fountain of experience for us all. I have noticed that the IAOP network, when active, is a valuable resource and means for dialog, and I’d like to encourage members to get involved. For some of us more senior people, perhaps we can learn from our kids how to use networking tools to gather information and share knowledge! (IAOP network tool is only the beginning of Outsourcing You Tube tm or MySpace tm)!

Let me start this dialog with a discussion on the topic of Privacy of Information and how to protect it. I plan to address this topic in the next 2 issues and hope that members will pick up the discussion among themselves.

This issue-protecting private information- is receiving tremendous media attention especially as it concerns the politically hot topic of outsourcing. The truth is that an enormous amount of private information has been shared in offshore agreements for decades. Data entry of private information has been around as long as keypunching has existed. Checks were “keyed in” long before imaging processes existed, airline tickets were data entered prior to computerized “e-tickets”, and medical records were input into billing programs before the federal HIPPA Act was passed. Over the years, much of this work was outsourced and even outsourced offshore. Caribbean and Central American nations, as well as India, have been destinations for this type of data entry for years. In fact, several giant IT services companies in India got their start by providing just such data entry services. So, is the issue of protecting the privacy of information based on a new threat or just a new spotlight on the work process?

Before we discuss the protection of privacy of information, let’s briefly examine the legal issues involved.

Privacy Issue – Legal Basis

Privacy protection is widely understood as the right of individuals to control the collection, use and dissemination of personal information that is held by others.

This central principle has been adopted in U.S. law, in privacy laws outside of the United States and in many international agreements such as the 1980 OECD (Organization for Economic Cooperation and Development) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The OECD Privacy Guidelines and privacy laws are based on a set of Fair Information Practices that describe the obligations of organizations that collect personally identifiable information and the rights of individuals who give up their personal information.

There are multiple US federal acts that govern the privacy of information:

• Privacy Act of 1974 (5 U.S.C. § 552a )
• Graham-Leach-Bailey act for financial institution
• Health Insurance Portability and Accountability Act (HIPPA) of 1996
• Telecommunications Act of 1996 – Section 222 dealing with Customer Proprietary Network Information (CPNI)

Additionally, the European Economic Union has passed several laws regulating data protection and transmission of information and has extended these laws to non-EEU countries conducting business with member states. The so-called “Safe Harbor Act” requires non-EEU countries and individual businesses to implement policies and procedures that comply with requirements of the act in order to obtain a “safe harbor” designation. Ironically, the United States, as well as offshore processing destinations such as India and China, have not yet complied with this regulation. However, individual businesses have taken steps to comply with the act.

Protecting Privacy of Information in an Outsourced Environment

Protecting the privacy of information is the legal obligation of the entity that is collecting and processing the information. If work is outsourced, it is still the legal responsibility of the company outsourcing the work to protect that information. This requires that outsourcing arrangements be structured (legally and process-wise) to assure that the data is properly identified as “private” and processes are put in place to protect it. In subsequent articles (and I am hoping that on going dialog through the network), we will examine the best practices in assuring those arrangements. However, if the outsourcer is processing information within the US, all applicable US laws are extended to the outsourced company. This is one of the fundamental tenets of the Graham-Leach-Bailey act.

Additional Considerations in an Offshore Outsourced Environment

Since the jurisdiction of US privacy acts does not extend to offshore locations, additional steps must be taken, first legally, and then through effective governance, to extend the principles and practices of these acts to the foreign locations and service providers. The contractual agreement and due diligence must also assure that there are no foreign legal barriers that would prohibit extension of these legal principles to those specific businesses and countries.

Let the dialog begin... In the next issue, I will talk about a framework for managing information, followed by a discussion on discipline it takes to establish environments where privacy of information is protected.

Jag Dalal is Managing Director, Thought Leadership, International Association of Outsourcing Professionals (IAOP)

Send us your comments on this article: (please include your email address)


Email: