Businesses must be aware of the risks of outsourcing activities involving personal information to other countries. Over the past couple of months I’ve heard over a dozen organizations express the opinion that if they hire organizations outside the U.S. to do work for them, then those organizations are not bound by U.S. laws. Most were small to midsized organizations and startups. But it was somewhat surprising to also hear this sentiment from an organization with multiple locations and thousands of employees. This has been an incorrect belief of far too many organizations for decades.
I’ve also had clients in other countries ask about the need to comply with U.S. laws, such as HIPAA, when they provide services to U.S. individuals and/or businesses. Many believe they do not need to.
Yes, data protection laws (more commonly called privacy laws in the U.S.) are created to protect the residents of the associated country. As such, any organization, anywhere in the world, must generally follow the laws of each country from which it collects personal information (PI).
Here are four important points to understand with regard to the PI of U.S. residents, as well as in other countries.
Organizations Outside of the U.S.
Organizations from outside the U.S. that provide services to those in the U.S. generally must comply with the applicable U.S. data protection laws. For example, if a business is based in another country, but provides services that are used by children in the U.S., they must comply with COPPA. Likewise, if a business outside the U.S. is providing healthcare services as defined by the Health Insurance Portability and Accountability Act (HIPAA) to those within the U.S., then they must comply with all HIPAA requirements, and must also ensure their contracted entities (defined as “business associates” under HIPAA) also follow all the requirements. This is the same for many other regulations and laws, in the U.S. as well as worldwide.
Contractors in Other Countries
I shouldn’t be surprised anymore, but I still get comments from my vendor management service clients, as well as from folks at conferences and on LinkedIn and other social media sites, stating that they don’t need to worry about their contracted workers in other countries because they believe that U.S. laws don’t apply to them. Dangerous thinking! Generally your responsibility for protecting data follows the data, no matter where in the world you send it for others to provide you services involving that data. Here’s a good example. A hospital system ran into exactly this problem several years ago when it discovered that one of its business associates had subcontracted PHI processing, several times over, until it ended up with a worker in another country. When that worker was not paid, she threatened to post the PHI online unless she got her money (the hospital didn’t even know the work had been subcontracted that many times, or to another country). Make sure your contracted vendors know and understand that they must also comply with the data protection requirements that apply to you.
Laws in Other Countries
Laws and practices in other countries can also put PI at risk. Some countries have laws that compel the organizations within them to provide access to personal data from other countries, even if your policies disallow such access. Once data is outside U.S. jurisdiction it is hard for organizations to pursue legal recourse for protecting it, especially when the receiving country has laws that say organizations there must give access to PI. And new laws providing such access continue to be implemented worldwide.
For example, in July 2015, Peru enacted a law that grants police warrantless access to real-time user location data on a 24/7 basis, and “compels telecom providers to retain, for one year, data on who communicates with whom, for how long, and from where. It also allows the authorities access to the data in real time and online after seven days of the delivery of the court order. Moreover, it compels telecom providers to continue to retain the data for 24 more months in electronic storage.” So, if a business outsources to a Peruvian contractor that possesses such information, the various legal analyses suggest that the data will, in effect, be available to the Peruvian police. This could put organizations contracting with vendors there in hot water with regard to compliance with regulations in their own country, and certainly with regard to compliance with their own posted privacy notice. Know the data protection laws, and the laws involving personal data, of the countries where you are thinking of contracting before you sign any agreements to do so.
Practices in Other Countries
It may be an accepted practice in some countries for organizations there to take the data that has been entrusted to them and use it in other ways. For example, one organization I did work for back in the 2002 – 2005 timeframe had contracted its help desk service to a vendor in India. What it did not know, and what came as a huge surprise when the regulators audited the organization as a result of privacy complaints from its customers, was that the call center had another business unit that sold to outside marketing companies all the data it had been given for customer support. And the call center was actually making more by monetizing the PI to marketing businesses and groups than it was making from call center services. When my client’s lawyers spoke with the call center about it, the call center CEO was very surprised; he said it was a common practice in India (at that time, over ten years ago) to sell that data to make additional profits for the call center companies. Thankfully things have changed a lot since then. But businesses still must be just as diligent in ensuring that outsourced vendors, in any location, have appropriate security and privacy controls and practices implemented.
Ensure Compliance Prior to Outsourcing
Except for the references to specific U.S. laws, the points discussed above are generally true for most other countries with data protection laws, and many of those countries impose even more requirements when PI is sent across their borders. Businesses must be aware of the risks of outsourcing activities involving personal information to other countries.
The bottom line is that every organization must understand that, generally, responsibility for complying with data protection requirements follows the data to whatever country its outsourced vendor is located in. Perform due diligence to make sure your outsourced vendors are complying, or will be complying by the time you give them access to PI, with all the same data protection requirements that you are obligated to follow.
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
Tags: BA management, data protection, data protection law, Dell, due diligence, Information Security, IT compliance, policies and procedures, power more, powermore, privacy, privacy professor, privacyprof, Rebecca Herold, risk management, vendor management, vendor risks