Privacy is changing outsourcing in Canada
TERRY MCQUAY
Special to Globe and Mail Update
Outsourcing in Canada is changing because of privacy
laws, changes in government outsourcing policies and
business concerns resulting from the USA PATRIOT Act.
Increasingly, Canadian service providers are finding
themselves with a competitive advantage simply because
they keep their customers' data in Canada. Conversely,
U.S.-based service providers are finding themselves
at a disadvantage, often scrambling to move their data
processing to Canada.
Background
Privacy laws in Canada provide consumers with the ability
to file complaints on organizations located in Canada
with provincial and/or federal privacy commissioners'
offices. Complaints typically result from real or perceived
mishandling of the consumer's personal information by
the organization, but consumers can file complaints
even if they are not directly subject to the privacy
issue or breach.
Privacy laws also provide the privacy commissioners'
offices with the power to investigate consumer complaints
and an obligation to identify, expose and where possible
influence privacy issues that have an impact on Canadians.
Over the past year, privacy commissioners in Canada
have increased their focus on cross-border transfers
of personal information. This privacy issue results
from personal information being sent to locations that
don't have the same level of legislated privacy protections
as Canada does.
Although offshore transfers to countries like India
(that don't have privacy laws) might seem like the logical
target for this increased focus on cross-border transfer
of information, they're not. Organizations that outsource
to India typically have contractual and other means
to secure personal information, thus providing more
than adequate privacy protections. The focus is on the
U.S. The USA PATRIOT Act is considered by some to be
anti-privacy because it provides U.S. federal authorities
seemingly unfettered access to any personal information
held by U.S. firms, whether it is on U.S. citizens,
Canadians, or anyone.
Cross-Border Privacy Concerns
Privacy laws give consumers the ability to complain,
and provide privacy commissioners the powers to investigate
these complaints. But do consumers really care if their
personal information is transferred to the U.S.?
As a Canadian, ask yourself these questions:
"Would I like my personal information reviewed
by a U.S. authority, like the FBI?"
"Would I like my purchasing habits, my medical
information and my resume accumulated and accessed by
U.S. government agencies?"
If you answered 'no' to these questions, you are not
alone. According to a survey published in June 2005,
and conducted by EKOS Research Associates on behalf
of the Privacy Commissioner of Canada, 64 per cent of
Canadians have serious concerns about companies transferring
their personal information to the U.S.
Privacy Commissioners Influence Corporate Outsourcing
Policies
Cross-border transfers of personal information are
a major concern of privacy commissioners across Canada,
and they have taken many steps to build the awareness
of this issue. The Office of the Privacy Commissioner
of Canada has stated on several occasions:
"At the very least, a company in Canada that
outsources information processing in this way should
notify its customers that the information may be available
to the U.S. government or its agencies under a lawful
order made in that country."
In a recent precedent-setting finding from the federal
commissioner's office about a complaint of an organization's
transfer of personal information outside of Canada,
the finding stated that an organization must comply
with the Personal Information Protection and Electronic
Documents Act (PIPEDA), the law that governs all customer
personal information transferred to the U.S. by corporations
in Canada.
Principle 4.1.3 of Schedule 1 states: "An
organization is responsible for personal information
in its possession or custody, including information
that has been transferred to a third party for processing.
The organization shall use contractual or other means
to provide a comparable level of protection while the
information is being processed by a third party."
Principle 4.8 states: "An organization shall
make readily available to individuals specific information
about its policies and practices relating to the management
of personal information."
To comply with PIPEDA, the Commissioner's finding states:
"What the Act does demand is that organizations
be transparent about their personal information handling
practices and protect customer personal information
in the hands of foreign-based third-party service providers
to the extent possible by contractual means."
Transparency requires providing notice to consumers
that their information will be located outside of Canada.
Thus, organizations have only two viable options:
- Provide notice to consumers that their personal
information is being transferred to the US and is
subject to US laws; or
- Keep the data in Canada.
Outsourcing Rules are Changing
Organizations are avoiding this issue completely by
keeping personal data in Canada. The location of the
data is now one of the decision factors when selecting
a new service provider for an outsourcing contract.
Many, if not most, government organizations are demanding
personal information remain in Canada. Banks, insurance
companies and healthcare providers are pressuring their
current suppliers to keep personal information in Canada,
and selecting new suppliers that keep their data in
Canada. Privacy has changed outsourcing in Canada.
Competitive Advantage for Canadian Service Providers
Canadian companies are finding they have a competitive
advantage, simply because the data remains in Canada.
One such company is ThinData, a Canadian e-marketing
solutions provider. Wayne Carrigan, vice-president of
Client Services at ThinData explains: "We are
a Canadian company and we have always processed our
customers' data in Canada. We never expected privacy
laws and concerns about the USA PATRIOT Act would provide
us a competitive advantage, but it has."
As for customer demand, Wayne says, "We are
increasingly responding to proposal requests that specifically
ask if we keep clients' data in Canada. Our customers
have stated that one of the reasons they have chosen
ThinData is they want their data to remain in Canada".
Similarly, Gabe Mazzarolo, Chief Privacy Officer of
Workopolis, Canada's biggest job site, says "Almost
every piece of information contained in an individual's
resume is personal information. Both our corporate clients
and Jobseekers feel more secure knowing their information
remains in Canada."
Nymity, a privacy research firm, has seen substantial
growth in both its training and its subscription services
as both U.S. and Canadian organizations are looking
for pragmatic solutions to mitigate the impact of privacy
on outsourcing, or looking for a means to capitalize
on this privacy issue. Jin Shin, Nymity's General Counsel
explains: "Outsourcing personal information
to the U.S. can be done in compliance with PIPEDA, but
doing so doesn't mitigate all privacy risks, and in
some cases it introduces new privacy risks. For example,
although providing Notice is required, it can have unanticipated
results. A few of Nymity's customers have provided Notice
that resulted in complaints to the Federal Privacy Commissioner's
office."
Linda Drysdale, a privacy expert at PricewaterhouseCoopers,
says "We foresee huge growth in service providers
conducting audits against the new Generally Accepted
Privacy Principles (GAPP) from the AICPA/CICA, partially
due to their customers' concerns related to transfers
of personal information outside of Canada."
Conclusion
Privacy is changing outsourcing in Canada. Government
policies virtually mandate personal data remain in Canada
and corporate Canadian is finding it best to simply
avoid the issue completely by keeping their customers'
data in Canada.
The bottom line for services providers is: Canadian
service providers have a competitive advantage —
U.S. service providers have a business risk.
|
