
Patchwork quilt of privacy laws confuses outsourcing agreements
In giving up direct control you may not know when a breach happens
 
Written by Vawn Himmelsbach, on Wed-June-2008

While it can save money and create efficiencies, outsourcing is often regarded as a significant risk facing privacy management. And privacy in an organization is further at risk when the outsourcer is in a different country that may be subject to different privacy laws — or none at all.

Privacy is the right of an individual to control the collection, use, storage and destruction of his or her personally identifiable information, which may or may not include business contact information. But federal and provincial privacy acts don’t use the same definitions — and that’s a problem, because there are so many exceptions.

“Business contact information may seem like a small issue, but that can fundamentally impact the obligations of your service provider,” said Richard Austin, general counsel with EDS Canada, at the International Association of Privacy Professionals (IAPP) conference held in Toronto May 21.

There’s a concern that personal information may be at risk of disclosure if stored in other jurisdictions, so outsourcing contracts should specify restrictions and responsibilities. “If it goes out to satellites, you’re toast,” he said. But if you’re serious about storing and processing your information in Canada, this isn’t a simple thing to do.

“There is a patchwork quilt of laws,” said Austin, including international, federal and provincial laws, with different obligations for different types of data – and there is an obligation to comply with all of the laws that apply.

Some statutes demand immediate notice of a privacy breach. So if you’re outsourcing to a service provider and the data includes information about non-Canadians, you may have breach-notification obligations under those other jurisdictions’ laws as well.

“Things are going to go wrong,” said Austin, adding that it’s important to deal with privacy while preserving the sanctity of underlying business processes.

When providing services to Canadian organizations, many service providers store or process personal information outside of Canada. And there are legal issues in extra-jurisdictional outsourcing, said John Beardwood, partner and co-chair of the outsourcing practice group with Fasken Martineau LLP. Take, for example, a multinational company that collects personal information from individuals across Canada, hosts its data with a third party in Germany, has a disaster recovery hot site in France, manages its payroll in California and runs a call centre in India.

PIPEDA applies to the disclosure of personal information outside of a province, he said, so it’s important to understand the existing restrictions on the extra-jurisdictional processing of data. “We have quite a grocery list across the country.”

In B.C., all personal information in the custody of public sector entities must be stored and accessed only in Canada, unless the individual concerned consents or the Freedom of Information and Protection of Privacy Act (FOIPPA) otherwise permits it. This was originally motivated by concerns over the U.S. Patriot Act, he said, but it applies to storage or processing of personal data in any non-Canadian jurisdiction – and it makes no distinction between countries with EU-style data protection regimes and countries with no data protection at all. This resulted in significant pushback from service providers, since large corporations with entire hosting infrastructures in other countries would have had to build a new server farm in B.C. As a result, compromises were made, such as exemptions for individuals temporarily travelling outside Canada or temporary access for data recovery.

Earlier this year, the federal Treasury Board of Canada Secretariat released public sector restrictions that outlined limited circumstances where there is a high level of privacy risk, such as health, income or financial information. In such cases, the guidelines state that data must be stored or processed only in jurisdictions where the laws do not override, conflict with or impede the application of the Privacy Act and PIPEDA.

“How damnably hard it would be to interpret that task,” said Beardwood. “That seems to suggest service providers would have to continuously monitor the law, so in practice it’s very difficult to apply. It seems to be designed by someone who doesn’t understand how to apply that test.”

Alberta recommends that personal information only be outsourced within Alberta first, Canada second and anywhere else third, depending on the circumstances. “There’s paranoia that if it’s not Canada, it’s bad, which in a global economy makes no sense whatsoever,” he says.

In 2006, the federal Office of the Privacy Commissioner (OPC) stated that the 2006 legislative review of PIPEDA would develop further privacy protection measures regarding trans-border information sharing by the private sector. One of these measures would require a Canadian organization that outsources information processing to notify its customers that the information may be available to the foreign government under a lawful order made in that country, but the OPC finally recommended that no changes be made.

“We have findings out there that suggest we should be notifying individuals,” says Beardwood. “We seem to be focused only on this jurisdictional issue.” If you’re outsourcing in the U.S., don’t expect PIPEDA to act as a shield, he added.

Under PIPEDA, personal data “transferred” by a customer to a service provider for processing remains in the customer’s custody; because there is no disclosure, consent is not required. Contractual provisions, however, allow the customer to protect personal information held by the service provider (PIPEDA does not specify what those provisions must contain). The key, he said, is that an organization remains responsible for personal information in its possession, including information it has transferred to a third party for processing.

The “notification approach” is problematic, said Beardwood, especially as to when it should apply and what such a notice should contain. The contractual approach is the better one – yet under PIPEDA, the OPC’s current approach appears to be the notification model, despite its problems.

So what should Canadian organizations be doing? Before the deal, ask a lot of questions and find out about the provider’s privacy policy, says John Wunderlich, director of privacy for Cancer Care Ontario. Identify all of the personal information in the deal, where that data will live, and where backup and contingency sites are located. “Don’t outsource what you don’t know,” he says.

Also, look at how their staff is trained. “That’s even more important than a privacy policy,” he says. “That will tell you a lot more about how they actually do privacy.” If a service provider answers privacy questions with security answers, they don’t understand privacy, he added. And be wary if they talk only at a high level, such as “your privacy is important to us.” What does that really mean?

Security is not the same thing as privacy, he says. Security includes confidentiality, integrity and availability, while privacy includes consent, use and disclosure. And if you haven’t figured that out in-house, you’re just exporting a problem.

When doing the deal, be specific, and identify data flows and metrics. Define the legislation that applies and agree on whose privacy policy rules. Have a back-out strategy, especially for employee information.

“Be absolutely tedious about what you mean,” says Wunderlich. This is why we’re seeing an emerging market for vendor relationship management software, because there’s a need to manage vendors as much as customers.

An outsourcer provides expertise, and can help you reduce costs and focus on core competencies, but you also lose direct control, and risk increased liability – so finding the right service provider is critical. “There will be breaches,” says Wunderlich. “The question is, do you know about them?”


Published in: IT Security, News

© All materials on this web site are copyright protected and the property of CLB Media Inc.
© CLB Media Inc., 2010, Canadian Security Magazine