by Beth Bacheldor

IT Offshoring and Data Privacy – Are They Incongruous?

May 07, 2011
4 mins
Enterprise Applications

India enacts new privacy laws while China considers adopting them. What are the ramifications for IT outsourcing?

Despite the growing number of U.S. companies that turn to service providers in other parts of the world to run some or all of their IT, there are still a few cold, hard concerns that give many IT managers pause. Data privacy is one such concern.

Data privacy has become paramount for any organization that collects information on customers, and that’s just about every organization out there. Numerous local, state and federal regulations require companies to toe the line to ensure private data stays private, per customers’ wishes. When outsourcing aspects of IT that touch those data stores, companies have to be extra careful that the service providers they engage follow both the law and the exact policies of the companies’ shareholders and/or management. Not doing so can at best create a disruption and at worst result in fines, damaged reputation and even loss of revenue.

Data privacy gets trickier when organizations operate globally, and even trickier when they hand off data management to providers located outside their countries of origin. The good news is that offshore destinations are taking notice of the many data privacy requirements of their customers.

According to this article in InformationWeek, “India Adopts New Privacy Rules,” India has enacted new privacy rules that aim to further restrict how businesses operating in that country handle personal information. The rules call for organizations to notify individuals when their personal information is collected via letter, fax, or email. The rules also require covered organizations to make a privacy policy available, to take steps to secure personal information, and to offer a dispute resolution process related to the collection and use of personal information. (Do these sound familiar? By and large, these are requirements already in place here.)

It is important to note (and important to any company that might outsource to providers in India) that the law applies to all companies in India getting any information from anywhere, according to the InformationWeek article. In other words, it doesn’t matter if the personal data was collected in India, or if it was collected outside of India and then transferred in: the rule applies.

While India’s new data privacy law seems similar to what we have here, one concern raised in the article is that it is unclear to what extent companies will comply with it, and also unclear to what extent Indian authorities will enforce it.

In this article in Computerworld by Stephanie Overby, Paul McKenzie, managing partner of the Beijing office of law firm Morrison & Foerster, spoke with Overby about the data privacy protection laws in China. It’s a great article, and definitely worth a read.

China is known for weak data privacy protection, but surprisingly, proposed guidelines may swing the pendulum too far the other way. McKenzie points to these significant concepts in the proposal:

• An overarching principle that the holders of personal information keep such information confidential, and a specific requirement that express consent be obtained for all third-party disclosures of personal information;

• A set of more specific principles to be observed during the collection, processing, use, transfer and maintenance of personal information;

• Application of such principles specifically to personal data on computer networks (as opposed to other data storage media in hard copy form);

• Restrictions on outsourcing the handling of personal information;

• Prohibition on the export of personal information unless expressly permitted by law or otherwise approved by government authorities.

So what do you all have to say on this subject? What concerns do you have about data privacy and IT offshoring? Drop a note, and share your thoughts. Don’t be so private…