Outsourcing and Privacy 

    by Marilyn Prosch, PhD, CIPP/US 

    Outsourcing and Privacy: 10 Critical Questions Top Management Should Ask

    In today's business environment, where corporate governance structures are examined under a microscope, management needs to minimize many types of risk, including privacy risk. Because many organizations operate in an environment where outsourcing business processes is commonplace, attention increasingly focuses on the quality, or lack thereof, of third-party data processors. Cost-cutting pressures and the ease with which electronic data can be transferred push many outsourcing activities outside U.S. borders.

    Many times, these offshore outsourcing activities may occur without the organization for which the data is processed ever knowing it actually occurs. Consider a 2009 case when a Pakistani data entry clerk attempted to extort money from the University of California at San Francisco's (UCSF) Medical Center. In this particular case, the Center outsourced the processing of its medical transcripts (physician notes) to a U.S.-based company that outsourced the records to yet another company in the United States. The second outsourcing company, in turn, sent the records to Pakistan for processing.

    The Pakistani clerk was having trouble getting paid for her work, so she contacted the University, attached some of the medical data she had as proof and demanded payment, threatening that she would post all of the medical records on the Internet if she did not receive the money. The UCSF Medical Center asserted it was not even aware that sensitive medical records were processed offshore.

    Although this is only one case and one industry, the impact is huge. Considering that the medical transcriptions industry is a $20 billion-a-year business in the United States, and the share of data processing being sent offshore by many other businesses is largely unknown, the sheer enormity of the numbers throughout the business marketplace is enough to make a tremendous case for increased scrutiny. And, if an organization chooses to outsource a business process that contains personal information — and a security breach occurs — the organization that outsourced the data will be held accountable for the actions of the outsourcing company in the court of public opinion and may be found negligent in a court of law. There also may be numerous statutory requirements such as the Gramm-Leach-Bliley Act (GLBA) or state laws (California SB 1386, for example) that come into play.

    The bottom line is this: Although an organization may outsource some of its business processes, and with it part of its responsibility for privacy, the organization cannot outsource its accountability for privacy. In this article, we will pinpoint 10 critical questions management should ask about outsourcing and discuss specific privacy concerns associated with outsourcing. Finally, we will explore how outsourced personal data can be protected by implementing good privacy practices using the relevant criteria in the Generally Accepted Privacy Principles (GAPP) developed by the American Institute of CPAs and the Canadian Institute of CAs (AICPA/CPA Canada).

    10 Critical Questions

    The key privacy concerns related to outsourcing are the same for onshore and offshore outsourcing activities. When poor practices are in place in either location and a privacy breach occurs, the results are similar: a loss of consumer trust and potential litigation from the injured party. The public's perception is somewhat fed by the media, who tend to treat offshore privacy breaches with more scrutiny and add to the general public's notion that foreign businesses are more mysterious and largely unknown.

    Traditionally, an organization will be best served if it approaches privacy management from a best practices approach. Using good privacy practices provides a consistent approach to protecting personal information in a way that individuals can easily understand. Solid privacy practices also establish a benchmark for organizations of all sizes across all industry sectors.

    An organization that wants to manage its privacy risk and implement a best practices approach to outsourcing should consider the following critical questions:

    1. Who are the outsourcing organizations we contract with and where are they located?
    2. Precisely what data are we sending to, and receiving from, outsourcing organizations?
    3. Is the data "personal information," and have we given notice to our customers of this data transfer?
    4. What are our exposures if the data (both sent and received) is improperly accessed, used or maintained?
    5. What data protection clauses do we have in these contracts?
    6. What evidence do we have that these outsourcing organizations protect our data as outlined in these data protection clauses?
    7. What processes are in place to monitor the outsourcing organizations?
    8. Do these organizations outsource any of their processes in which our data may be further transferred to another organization?
    9. What processes do the outsourcing organizations we contract with use to verify the data protection practices followed by their outsourcing partners?
    10. What are the applicable privacy laws and regulations?

    The process of answering these 10 questions is the starting point to implement a solid outsourcing privacy environment. To assist in developing and applying good outsourcing privacy practices, elements of the AICPA/CPA Canada's GAPP can be used to address risks or exposures when management collects the necessary information to answer the 10 privacy outsourcing questions listed above.

    GAPP: Generally Accepted Privacy Principles

    The AICPA/CPA Canada GAPP contains ten privacy principles and 73 related criteria that are essential for the proper protection and management of personal information. These privacy principles and criteria are based on internationally known fair information practices included in privacy laws and regulations of various jurisdictions around the world. The criteria can be used by organizations to perform privacy strategic and business planning, privacy gap and risk analysis, and privacy policy design and implementation. While not every one of the criteria is related to outsourcing activities, many are. Here are the principles and specific criteria that can be used in designing good privacy practices for an organization's outsourcing activities. The numbers refer back to specific citations within the GAPP.

    Management

    The Management principle guides your organization in defining, documenting, communicating and assigning accountability for privacy policies and procedures.

    One of the management criteria (1.2.5) requires that your organization's personnel or advisors review all third-party contracts and service-level agreements for consistency with privacy policies and procedures, and address any inconsistencies. Optimally, this step would be done before entering into any contracts or agreements. If your organization is already a party to existing contracts or agreements, the documents should be carefully reviewed. If inconsistencies are found, then you should consider the risks of these inconsistencies and devise a plan to address them. For example, if the risk is high and gaping differences are found, then a new agreement may be necessary, and in extreme cases, early termination of the contract may be considered.

    In addition, management should consider 1.2.11, which requires that changes in business and regulatory environments be identified and addressed. These changes need to be examined for each jurisdiction in which the entity operates. Specifically, your entity needs to have an ongoing process in place to monitor, assess and address the effect on privacy of changes in contracts, including service-level agreements with third parties. For example, changes that alter the privacy and security-related clauses in contracts are reviewed and approved by the privacy officer or corporate counsel before they are executed. Privacy policies and procedures need to be updated for any significant changes found.

    Notice

    The Notice principle ensures your organization provides "Notice" to all customers about its privacy policies and procedures, and identifies the purposes for which personal information is collected, used, retained and disclosed. One of the criteria (2.2.2) requires that notice be given about all entities and activities covered by the privacy policies and procedures. Specifically, the privacy policy should describe any third parties that access or use your personal information, including delivery companies, customer call centers, data entry businesses and payment processing centers. The "Notice" also should describe the types of information that can be accessed or used by the third parties.
     
    Collection

    The Collection principle requires that your organization collect personal information only for the purposes identified in the notice. Specifically, 4.2.3 requires that when personal information is collected from third parties (sources other than the individual), the sources are reliable and collect the information fairly and lawfully. If data is collected from an offshore third party, then care needs to be taken that the data is collected in accordance with your organization's legal jurisdiction, as well as the third party's legal jurisdiction.

    This process necessitates performing due diligence before establishing a relationship with a third-party data provider to ensure the data is reliable, and fairly and lawfully collected. Due diligence means that your organization will need to review the privacy policies and collection methods of third parties before accepting personal information from them. If your organization is already a party to such relationships, then due diligence still needs to be performed. Any deficiencies found should be addressed, or the relationship may need to be re-evaluated.

    Access

    With the Access principle, your organization is required to provide individuals with access to their personal information for review and update. One of the access criteria (6.2.3) requires that personal information be provided to the individual in an understandable form, in a reasonable timeframe and at a reasonable cost, if any. If the personal information is stored by a third party, then your organization's responsibility is to facilitate the retrieval of the personal information in a reasonable timeframe.

    Good outsourcing practices regarding access should be practiced by your organization and its third parties. The GAPP gives the following examples of good access practices.

    1. Provides personal information to the individual in a format that is understandable (for example, not in code, not in a series of numbers, not in overly technical language or other jargon) and in a form convenient to the individual and entity.
    2. Makes a reasonable effort to locate the personal information requested and, if personal information cannot be found, keeps sufficient records to demonstrate that a reasonable search was made.
    3. Takes reasonable precautions to ensure that personal information released does not identify another person, directly or indirectly.
    4. Provides access to personal information in a timeframe similar to the entity's normal response times for other business transactions, or as permitted/required by law.
    5. Provides access to personal information in archived or backup systems, and media.
    6. Informs an individual of the cost of access at the time the access request is made or as soon as practical after that time.
    7. Charges the individual for access to personal information at an amount, if any, that is not excessive in relation to the entity's cost of providing access.
    8. Provides an appropriate physical space to inspect personal information.

    Another criterion within Access, 6.2.5, requires that individuals be able to update or correct personal information held by the entity. If practical and economically feasible, your organization should provide such updated or corrected information to third parties that previously were provided with the individual's personal information. In some cases, your organization and an individual may disagree whether the data is correct. In such cases, the next access criterion, 6.2.6, provides guidance. First, your organization should inform individuals, in writing, about the reason a request for correction of personal information was denied and how they may appeal. Next, your organization should notify third parties (who were previously provided with personal information) that there is a disagreement.

    Security for Privacy

    The Security for Privacy principle requires your organization to protect personal information against unauthorized access (both physical and logical). One of the criteria (8.2.1) requires that a security program has been developed, documented, approved and implemented. This security program includes administrative, technical and physical safeguards to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction. Your organization should ensure that third-party organizations confirm (initially and at least annually) their understanding of, and agreement to, compliance with the entity's privacy policies and procedures related to the security of personal information. This means that their security practices, including user authentication, encryption of data and other areas, are of the same caliber as, or stronger than, your organization's. GAPP provides many illustrations of good security practices to protect personal information.

    Quality

    In general, the Quality principle requires your organization to maintain accurate, complete and relevant personal information for the purposes identified in the notice. The issue related to outsourcing is covered by 9.2.1 on the accuracy and completeness of personal information obtained from — and used by — third parties. As a result, your organization needs to implement processes to verify the quality of transferred and received personal information.

    Specific Third-Party Considerations

    While GAPP has many principles and criteria relating to third parties, one of the 10 principles is devoted entirely to third-party relationships. This principle requires your organization to disclose personal information to third parties only for the purposes identified in the notice, and with the implicit or explicit consent of the individual. The criteria designed for the sole purpose of providing guidance for relationships with third parties are listed below.

    Communication to individuals is one of the third-party criteria (7.1.1), requiring that your organization inform individuals that their personal information will be disclosed to third parties only for the purposes identified in the notice. It also requires that the individual has provided implicit or explicit consent for these specific uses of their personal information. Exceptions are allowed where a law or regulation specifically allows or requires otherwise. An important aspect of this communication is the disclosure of any known limitations on the third party's privacy practices and controls. If your organization is not aware of any such limitations, then the communication should indicate that the third party's privacy practices and controls meet or exceed those of the entity.

    7.1.2 states that your organization's privacy policies are also communicated to third parties to whom personal information is disclosed. When you supply the third parties with your organization's privacy policies, your organization should obtain a written agreement from the third party that its practices are substantially equivalent to your organization's.

    Once your organization has communicated to individuals your policy on sharing personal information with third parties, and has communicated these privacy policies to third parties, then your organization needs to ensure that personal information is disclosed to third parties only for the purposes described in the "Notice" (7.2.1). Your organization should set up processes that formally document and track the nature and extent of personal information disclosed to third parties. Then, periodically, you should test whether disclosure to these third parties is in compliance with your organization's privacy policies and procedures. Also, if any new uses of the personal information are planned by the third parties, then implicit or explicit consent of the individual is required before implementing the new uses (7.2.3). Note that explicit consent is given either orally or in writing, is unequivocal and does not require any inference on the part of the entity seeking consent. Implicit consent may reasonably be inferred from the action or inaction of the individual.

    Security of personal information is of significant importance. As such, 7.2.2 specifically requires that personal information is disclosed only to third parties who have agreements with the entity to protect personal information, including protection from loss, misuse, unauthorized access, disclosure, alteration and destruction. Obtaining evidence that a third party actually protects personal information may be accomplished through assurance services, such as a privacy audit and auditor’s report, or other representations made by the third party through contractual obligations or confirmations.

    Another best practice falling under this set of criteria is to specify how and when third parties are to dispose of, or return, any personal information provided by your organization. The disposal or return of personal information becomes particularly important at the end of an outsourcing relationship. The terms of how this will occur should be clearly delineated and communicated, and should be specified in writing, preferably in a contractual format.

    Finally, your organization needs to stand behind its privacy policies and the practices of third parties by taking remedial action (7.2.4) in response to misuse of personal information by third parties. Specifically, your organization should consider these four practices:

    1. Monitor complaints to identify indications of any misuse of personal information by third parties.
    2. Respond to any knowledge of a third party using or disclosing personal information in variance with the entity's privacy policies and procedures, or contractual arrangements.
    3. To the extent practicable, mitigate any harm caused by the use or disclosure of personal information by the third party in violation of the entity's privacy policies and procedures.
    4. Take remedial action in the event that a third party misuses personal information (contractual clauses address the ramification of misuse of personal information, for example).

    Applying GAPP to your Assessment

    GAPP contains guidance that your organization can use to develop good third-party management policies and procedures. As you answer the 10 questions for your organization, these are the specific criteria you should reference.

    1. Who are the outsourcing organizations we contract with and where are they located?
      (2.2.2) Notice be given about all entities and activities covered
    2. Precisely what data are we sending to, and receiving from, outsourcing organizations?
      (4.1.2) Types of personal information collected and methods of collection
    3. Is the data "personal information," and have we given notice to our customers of this data transfer?
      (2.2.2) Notice be given about all entities and activities covered
      (7.1.1) Communication to individuals about third parties
      (7.2.3) Implicit or explicit consent of new uses of the personal information by third parties
    4. What are our exposures if the data (both sent and received) is improperly accessed, used or maintained?
      (4.2.3) Personal information collected from third parties is reliable, and lawfully and fairly collected
      (6.2.5 and 6.2.6) Ability to update or correct personal information held by the third party and give a reason for denial of an update request
      (9.2.1) Accuracy and completeness of personal information obtained from and used by third parties
    5. What data protection clauses do we have in these contracts?
      (1.2.5) Review all third-party contracts and service-level agreements
      (7.1.2) Your organization's privacy policies are also communicated to third parties, and an agreement of equivalency is obtained
      (7.2.2) Specifically requires that personal information is disclosed only to third parties who have agreements with the entity to protect personal information
    6. What evidence do we have that these outsourcing organizations protect our data as outlined in these data protection clauses?
      (6.2.2) The identity of individuals who request access to their personal information is authenticated before they are given access to that information
      (7.2.2) Personal information is disclosed only to third parties who have agreements with the entity to protect personal information
      (8.2.1) A security program has been developed, documented, approved and implemented
      (8.2.2) Logical access to personal information is restricted by specific procedures
      (8.2.3) Physical access is restricted to personal information in any form
      (8.2.4) Personal information, in all forms, is protected against accidental disclosure due to natural disasters and environmental hazards
      (8.2.5) Personal information is protected when transmitted by mail, and over the Internet and public networks
    7. What processes are in place to monitor the outsourcing organizations?
      (1.2.11) Changes in business and regulatory environments be identified and addressed
      (7.2.4) Taking remedial action in response to misuse of personal information
    8. Do these organizations outsource any of their processes in which our data may be further transferred to another organization?
      (2.2.2) Notice be given about all entities and activities covered
      (7.1.1) Communication to individuals about third parties
      (7.2.3) Implicit or explicit consent of new uses of the personal information by third parties
    9. What processes do the outsourcing organizations we contract with use to verify the data protection practices followed by their outsourcing partners?
      (6.2.3) Personal information is provided to the individual in an understandable form, in a reasonable time frame and at a reasonable cost
      (8.2.1) A security program has been developed, documented, approved and implemented
      (8.2.7) Testing the effectiveness of key administrative, technical and physical safeguards that protect personal information
    10. What are the applicable privacy laws and regulations?
      (1.2.2) Consistency of privacy policies and procedures with laws and regulations

    Copyright © 2006-2014 American Institute of CPAs.