
Data entry of private information has been around as long as keypunching has existed. Checks were ‘keyed in’ long before imaging processes existed, airline tickets were data entered prior to computerized e-tickets, and medical records were input into billing programs before HIPAA was passed. Over the years, much of this work was outsourced and even outsourced offshore. So, is the issue of protecting the privacy of information based on a new threat or just a new spotlight on the work process? Should companies not consider outsourcing due to the fear of violating some privacy act?
Certainly, companies should not be cavalier about dealing with the issue and should take available precautions – through policies and practices – enforced through contracts. But before we discuss the protection of privacy of information, let’s briefly examine the legal issues involved.
Privacy issue: legal basis
Privacy protection is widely understood as the right of individuals to control the collection, use and dissemination of personal information that is held by others.
This central principle has been adopted in US law, in privacy laws outside of the United States and in many international agreements such as the 1980 Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The OECD Privacy Guidelines and privacy laws are based on a set of fair information practices that describe the obligations of organizations that collect personally identifiable information and the rights of individuals who give up their personal information.
There are multiple US federal acts that govern the privacy of information:
Additionally, the European Economic Union has passed several laws regulating data protection and transmission of information and has extended these laws to non-EEU countries conducting business with member states. The so-called Safe Harbor Act requires non-EEU countries and individual businesses to implement policies and procedures that comply with requirements of the act in order to obtain a ‘safe harbor’ designation.
Protecting privacy of information in an outsourced environment
Protecting the privacy of information is the legal obligation of the entity that is collecting and processing the information. If work is outsourced, it remains the legal responsibility of the company outsourcing the work to protect that information. This requires that outsourcing arrangements be structured (legally and process-wise) to ensure that the data is properly identified as ‘private’ and that processes are put in place to protect it. Later in this article, we will examine the best practices for ensuring that. However, if the outsourcer is processing information within the US, all applicable US laws are extended to the outsourced company. This is one of the fundamental tenets of the Gramm-Leach-Bliley Act.
Framework for protecting private information
The attached figure outlines the framework for protecting the privacy of information in an outsourced environment:
Policy:
A policy must exist that defines the privacy requirements: the data that must be protected and the consequences for not protecting the information. This policy will be the basis for the legal agreement between the business and the offshore service provider.
Processes:
Processes must be defined in advance for how information will be transferred and how it will be protected while under the jurisdiction of the service provider. The IT environment, physical security requirements, and workforce background checks are some of the processes that should be defined and made contractually binding on the service provider. Later, as part of the ongoing governance, these processes must be tested for compliance and any weaknesses addressed.
Practices:
Practices are the instructions and procedures that ensure day-to-day compliance with policy in operations. These include ongoing training of new staff and refresher training for team leaders, employees and security staff. Public display of the policy and processes also helps ensure that employees are constantly reminded of their responsibilities for securing the work environment and protecting the information available to them.
Persistence:
As in any business, constant vigilance and discipline are important in ensuring compliance with policy and processes. Violations must be reviewed and root-cause analysis completed so that the policy, processes and practices can be revised for greater effectiveness in protecting the information.
Lessons learned
Companies have been outsourcing information processing for many years. Although there have been some instances of abuse and misuse of protected information, experience has generally shown that there are very few breaches of privacy in outsourced processing. Outsourcing providers are most vigilant when it comes to protecting information and providing for security in general. Protecting their reputation in the marketplace is the main driver for this vigilance. Their clients must have trust and confidence in their ability to manage and maintain a secure environment and comply with regulations. Their very survival depends upon it. The last thing any provider wants is to have the company name splashed across CNN or a Financial Times story involving fraud or abuse. I also believe that, generally, there is a far greater degree of compliance with the four Ps (policy, processes, practices and persistence) in an outsourced environment. This is not just because of concern for reputation but the result of a greater propensity to be disciplined and compliant with rules and laws. Outsourced centers generally have a greater commitment to a quality program that requires discipline and continuous compliance with processes and practices. The following are some of the lessons we have learned regarding the overall protection of information in an outsourced environment:
Summary
Protection of private information is important to all businesses and is required under foreign laws and US regulations. Outsourcing of business processes (or IT operations), while affecting how information is protected, does not present an inherent problem or weakness in protecting the information. The location of processing centers – offshore or onshore – does not matter when it comes to managing the protection of private information, as long as the security environment is well designed, tested and periodically inspected for compliance. Since service providers are often more vigilant about security, in order to protect their business reputation, we believe that there is actually a greater opportunity and incentive for fraudulently misusing private information within an organization than in an outsourced environment.