Nymity News

Interview with Constantine Karbaliotis

August 2005

 

 

Interviewee: Constantine Karbaliotis, Executive Consultant, CGI

Interviewer: Terry McQuay, President of Nymity


Subject: Outsourcing to US-Linked Service Providers

 

 

Nymity: Has Bill 73, and the subsequent changes to FOIPPA, significantly affected US Linked Service providers?


Karbaliotis: There is no question that the increased emphasis on protecting the personal information of BC residents has impacted on how US firms will approach doing business in BC, and in Canada. No doubt, there is a perception that Bill 73 puts insurmountable obstacles in the way of US-based firms. I don't believe that is true. The public perceives the problem to be based in the fact that their government is outsourcing to US-based firms - this was certainly highlighted in the Maximus situation. All companies, regardless of where they are based, must be more aware of and place more emphasis on privacy protection. The risks associated with possible disclosures under the Patriot Act are simply examples of risks that must be managed.

Some have said that the bill leaves a 'legally untenable position' for US companies that are faced with a disclosure demand by US authorities while being subject to FOIPPA. I think this misses the point. Bill 73 is, in my opinion, intended to be a shield for US companies and directors faced with such a disclosure demand, by putting such a jeopardy in place that they will have an effective way to offer US courts and authorities a valid reason for them to not disclose British Columbians' personal information.

 

Nymity: Is the Federal Government changing the requirements for outsourcing personal information to service providers?


Karbaliotis: There is no question that David Loukidelis' report issued in October 2004 has had a major impact on all Canadian governments. In January 2005, in direct response to the risks outlined in that report, Treasury Board issued a requirement to all federal ministries and agencies to commence assessments of privacy risks associated with sub-contracting and outsourcing. At the same time, PIPEDA itself is being reviewed, and public comments of the Privacy Commissioner of Canada (Ottawa Citizen, May 22, 2005) suggest a heightened concern with the movement of personal information in the hands of the federal government, presumably with movements to third parties being the primary concern. An audit has been commenced in relation to this issue, in conjunction with the Federal Privacy Commissioner's office. In the meantime, it is unlikely that any federal contract handling personal information will not place an increased emphasis on privacy protection, and in particular where the personal information is being stored.

 
Nymity: Are provincial governments changing the outsourcing requirements?


Karbaliotis: As I mentioned above, the Loukidelis report has had a major impact, and this includes an impact on other provincial governments. With respect to changes, this depends on the province -- Ontario has in the past contractually required (though not as a matter of policy) that personal information remain in the province when dealing with sub-contracting or when outsourcing, although I don't know how consistently that has been done. The provinces have always been sensitive to privacy issues, so it may not change their requirements about where such information is stored. There is no doubt that there is an increased emphasis on looking at all of the risks, not merely that of storage outside the jurisdiction. Certainly at a minimum there is increased emphasis on contractual provisions to ensure outsourcing is done in compliance with applicable privacy legislation.


Nymity: Have you seen public sector entities bringing services in-house?


Karbaliotis: This may be more a matter of meeting a political or strategic imperative with respect to how services are delivered to the public. Some governments have a bias towards outsourcing while others are more biased towards services being provided by public sector employees. Often they are driven to their choices by economics and other budget issues. Privacy issues certainly raised the bar on how personal information is managed, and the type of requirements that are imposed to provide adequate protection. To some extent, this is merely reflecting the true cost of properly handling personal information irrespective of whether this falls in the private or public sector. If you don't make the proper investment at the onset you will pay for it later.


Nymity: Have private sector firms, say banks or insurance companies, been changing their outsourcing requirements?


Karbaliotis: Definitely. The well-publicized incidents in the banking community have heightened awareness, and the fact that the Patriot Act and privacy issues have been on the front page. There is a "the shoe has finally dropped" awareness at higher levels of management that failures in the privacy arena can lead to very public, very negative publicity, as well as outright liability. Because many of these problems have arisen due to the failure of third parties, such as sub-contractors, this has led to banks (for instance) conducting audits of their sub-contractors to review their privacy and security measures. Private sector firms are also looking closely at the Patriot Act risks, and some have decided to keep information, as well as outsourcing contracts, within Canada, to reduce the privacy risks. A good 'bad' example of how this was publicized recently was in relation to the privacy breach involving credit cards in the US; the company which processes credit card information for numerous credit card companies had been holding personal information for research purposes, in violation of their agreements.


Nymity: As CGI is a US-linked Service Provider, has your organization had to make changes to provide services to organizations concerned about the US Patriot Act?


Karbaliotis: Best practices in CGI's outsourcing or subcontracting context already means adherence to principles of limiting access and disclosure to personal information. Because of the Patriot Act, clients are increasingly aware of the importance of this principle, to limit access within Canada for instance, and I feel our interaction with clients in managing privacy and security risks has increased. This is good, because from our perspective, we can only offer half the solution -- privacy (and security) is a chain as good as its weakest link, and this provides a useful opportunity to review the whole of the information flow.


Nymity: As CGI Canada is a Canadian firm, do you feel that Canadian firms have a competitive advantage over US firms when it comes to outsourcing?


Karbaliotis: CGI has an advantage as a global firm, as we are familiar with compliance and privacy requirements in many jurisdictions. The ability to understand and balance the risks and advantages is something we have to do on an ongoing basis. Jurisdictional issues are always there, and CGI's breadth of services as well as presence in many locations, allows us to tailor solutions to our clients' needs.


Nymity: Do Bill 73 changes put FOIPPA in conflict with other Canadian statutes? What is the impact on NAFTA?


Karbaliotis: I don't believe so. The BC government put in place something that to a great extent anticipated the recommendations of David Loukidelis, to try to address the risks associated with outsourcing sensitive personal health information. The outcome of that Maximus decision is that Bill 73 reflected a balancing act between privacy concerns and the reality of outsourcing. As with all laws, ultimately a court decision is what is needed for clarity. As to NAFTA, David Loukidelis' report recommends that Canada move towards a multilateral agreement under NAFTA to ensure the adequate protection of privacy. This is not covered by Bill 73, nor could it be. Bill 73 could not address all the recommendations, because some of them must take place at a federal and international level. These are some of the 'action items' we are still left to complete, as a country.

Constantine Karbaliotis, LLB, CIPP

constantine.k@cgi.com

416 945 3686

Learn More

 

Further to the BCGEU lawsuit and increasing concern about the USA Patriot Act, on October 21st, 2004, the BC government passed Bill 73. Bill 73 amends the Freedom of Information and Protection of Privacy Act (FOIPPA) to provide an enhanced level of protection for BC citizenry's personal information in the care and control of BC's public bodies and service providers.

 


 

 

Outsourcing in British Columbia & the USA Patriot Act: A Primer, by Sara A. Levine and Sarah Gingrich of Fasken Martineau.

 

 

PrivaWorks Subscribers

 

 

PrivaWorks Subscribers visit the USA Patriot Act and Outsourcing Kit

 

 

 

USA Patriot Act Workshop


Understand the competitive advantages the USA Patriot Act has created for Canadian service providers. Visit USA Patriot Act Workshop.

 

 
© 2003 - 2008 NYMITY