BPOs deal with sensitive and/or private data that needs protection
The Internet is an instrument in flattening the world: a level playing field for knowledge and access to ideas (ref. Thomas Friedman's The World is Flat).
Advantage to India
The US and the EU do not have Comprehensive Privacy or Data Protection Laws
Intellectual property; corporate secrets; confidential customer information; health information; numbers; telephone numbers; birth date; driver's license information; credit history; court and traffic violation records.
nature, whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992), his physical or mental health or condition, his sexual life, the commission or alleged commission by him of any offence, or any proceedings for any offence.
Privacy Development
In the US, the Supreme Court interpreted the Constitution and found a right to privacy.
Introduction
US v EU
The United States and the European Union share the goal of enhancing privacy protection for their citizens.
Different approaches to privacy: The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The European Union relies on comprehensive legislation that, for example, requires the creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin.
Effect: hampered U.S. companies' ability to engage in many trans-Atlantic transactions.
Monday, April 15, 2013
A committee of experts on data protection was established and reported its findings in early 1979. The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was enacted in 1981 and came into force in 1985 after five States ratified it. It sets forth the individual data subject's right to privacy, enumerates a series of basic principles for data protection, provides for transborder data flows, and finally led to the European Union Directive 95/46/EC.
The European Parliament confirmed the existence of a network of supercomputers operated by the secretive United States National Security Agency, an agency responsible for intercepting communications across the world for the benefit of American business and Government.
Personal data: subject to limited exceptions, the burden of proof is on the data controller.
Personal data must be:
1. Fairly and lawfully processed;
2. Processed for limited purposes;
3. Adequate, relevant and not excessive;
4. Accurate;
5. Not kept longer than necessary;
6. Processed in accordance with individuals' rights;
7. Kept secure;
8. Not transferred to countries outside the European Economic Area without adequate protection.
The EU Directive
Applies to personal data; includes customer, … agencies)
Switzerland, Canada, Argentina and the UK territories of Guernsey and the Isle of Man are all recognized by the EU as offering adequate data protection.
Adopt Standard Contract Clauses; obtain unambiguous consent to transfer from affected individuals; negotiated protections acceptable in the UK; Codes of Conduct; direct compliance/registration with an EU authority. Some EU countries require that a copy of the executed agreement with the standard clauses be deposited with the regulatory authority; this is not the case in the UK.
Safe Harbor
Result of the US and EU's expressed commitment to bridging different approaches to privacy while maintaining data flows and a high level of privacy protection.
U.S. companies made voluntary commitments. The EU was satisfied because the FTC Act made those
Safe Harbor
It recognizes and implements principles of the EU Data Directive. It creates a system of notice, opt-out, opt-in for certain sensitive information, control of subsequent transfers, and data security and integrity systems.
Components: 7 privacy principles; 15 FAQs; the EU's adequacy determination; letters between the DoC and the European Commission.
Other options
Model (standard) contracts: importers of personal data can also satisfy the adequacy requirements based on privacy clauses in contracts they sign with each other. The EC has approved two types of clauses: controller-to-controller transfers and controller-to-processor transfers. The latter concerns transfers between data controllers based in the EU and processors outside the EU.
Model Contracts
Enforcement is in Europe; potentially different interpretation and; joint and several liability; higher standards than the Safe Harbor.
Protection Act 1998. The regulatory authority, the Information Commissioner, also imposes the penalty:
Fines; and
must adhere to 7 principles: Notice; Choice; Onward transfer; Security; Data integrity; Access; Enforcement.
Public attention/positive privacy image; added liability; increased compliance flexibility; EU-wide solution; response to customer concerns; dispute jurisdiction; unavailable to financial services firms.
specified
onerous negotiations
Some US Laws
Gramm-Leach-Bliley Act (GLBA); Fair Credit Reporting Act; the Sarbanes-Oxley (SOX) Act.
The Driver's Privacy Protection Act: restricts the ability of a Motor Vehicle Department to disclose motor vehicle operator permits, motor vehicle titles and motor vehicle registrations.
to know what information the Government collects from them, why it is collecting it, and who has accessed the information. Allows them to receive a copy of the information. Governs the activities of federal agencies with regard to why they may or may not collect certain pieces of data.
parties
GLBA
Organizations must: deliver privacy policies to each customer; provide a reasonable opportunity to opt out of certain information sharing arrangements; develop, implement and maintain a comprehensive information security program. The program must include administrative, technical and physical safeguards appropriate to the
FCRA
FCRA sets standards for the collection, communication, and use of credit-related information. FCRA requirements include: furnishing consumer reports only for permissible purposes; maintaining high standards; ensuring accuracy; enabling individuals to correct misinformation; resolving customer disputes.
scandals, has a significant impact on US companies as well as auditing firms. Intended to restore investors' confidence.
firms have internal controls in place to comply with SOX and other regulations.
Sarbanes Oxley
The legislation is wide-ranging and establishes new or enhanced standards for all US public company boards, management, and public accounting firms, from additional corporate board responsibilities to criminal penalties. It requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law.
privacy protection for health care information. Applies to those that offer health plans, doctors, hospitals and other health care providers and, in turn, the Medical Transcription Industry.
Limits the use of patient information. In most cases this would extend to the
HIPAA Contd.
Information may be disclosed to a business associate if the business associate agrees to the same obligations that apply to the covered entity.
HIPAA Compliance
Self-assessments, employee training, and
Must reasonably safeguard from any intentional or unintentional use or disclosure that is in violation of the standard
facsimile machine to deliver unsolicited advertisements. prerecorded messages to residences from a particular company, that company may not call that consumer.
lines, health care facilities, paging services, cellular telephones, and any service for which the called party is charged for the call
A National Do-Not-Call registry: it includes all telemarketers (with the exception of certain nonprofit organizations); covers both interstate and intrastate telemarketing calls; consumers can place their telephone numbers on the registry through one telephone call or one Web click.
Enforcement
Other US laws
The Fair and Accurate Credit Transactions Act
More US Laws
The Video Privacy Protection Act
Forbids a video rental or sales outlet from disclosing information concerning what tapes a person borrows or buys, or releasing identifiable information. Enforced through civil liability action.
Prohibits the unauthorized interception or disclosure of many types of electronic communications, including telephone conversations and electronic mail, although disclosure by one of the parties to the communication is permitted. Applies both to the Government and to private persons and entities. Violations are subject to civil and criminal penalties.
electronic banking services to inform their consumers of the circumstances under which automated bank account information will be disclosed to third parties in the ordinary course of business. Violators are subject to civil and/or criminal penalties. Enforced by the Federal Reserve Board.
Mandates that the Federal Government present proper legal process or a formal written request to inspect an individual's financial records kept by a financial institution, including credit card companies, and give simultaneous notice to the consumer to provide him/her with the opportunity to object. Provides for civil liability.
The Cable Communications Policy Act, as amended by the Cable Television Consumer Protection Act: establishes written disclosure requirements regarding the collection and use of personally identifiable information by cable television service providers and prohibits the sharing of such information without prior consent.
Communications Act
Requires the Telecommunication Commission to
by customers
Penalties
Each violation of the Children's Online Privacy Protection Act (COPPA) invokes a penalty of $11,000. Penalty: actual damages, statutory damages up to $1,000, punitive damages per violation (no cap on class action damages), attorney fees and civil penalties up to $2,500.
Penalties-HIPAA violations
Certain violations attract a US$100 penalty for each violation; the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed US$25,000. Knowing wrongful disclosure invokes a penalty of US$50,000 and/or imprisonment of up to one year. Under false pretenses, the offender may be fined up to US$100,000 and/or imprisoned up to 5 years; the penalty is increased to US$250,000 and 10 years respectively if the offense is committed with intent to gain commercial advantage.
Penalties
The penalties for violating GLBA are steep and cost up to $11,000 per day.
Penalties for violation of FACTA's (Fair and Accurate Credit Transactions Act) rule of disposal, which affects most businesses: actual damages, statutory damages, punitive damages per violation, attorneys' fees and penalties up to US$2,500 and imprisonment of not more than 2 years.
Penalties for violation of FCRA (Fair Credit Reporting Act): damages of not less than $100 and a civil penalty of not more than $2,500 per violation, or punitive damages and imprisonment up to 2 years.
Bills or recent laws that curtail the granting of state contracts to Non-US workers or restrict performance of state contracts outside the US
New York; Maryland; Massachusetts; Texas; Oregon; Missouri; Nevada; Pennsylvania; and Florida.
personal information becomes aware of a breach of security must disclose the breach to every resident of California whose unencrypted personal information was, or is believed to have been, accessed by an unauthorized person.
GLBA requires affirmative opt-in for sharing of information with third parties, and provides for opt-out for sharing with affiliates unless in the same line of business under the same name.
having personal information of a California resident must give a list of the categories of information shared with third parties, with the names and contact information of the third parties, OR provide a conspicuous privacy statement with a cost-free opt-out prior to the disclosure.
permission of a customer before sending any financial, credit or identifying information to a foreign country.
Create friction and hurdles in commercial activities; effective measures to stifle meaningful outsourcing; US companies will be less competitive and will put even more jobs in danger if they cannot benefit from service cost arbitrage.
Deterrent to American companies offshoring medical, accounting, financial consulting or other information-based services overseas.
Absence of legal ramifications does not alleviate the harm to public image.
on the European regime, are aimed at data controllers or processors without regard to any employment relationship.
Canada Legislation
Legislation similar to the EU Data Privacy Directive.
Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA)
may bring complaints to the Commissioner, who has the power to enforce the Act in the Canadian Federal Court.
and prohibits disclosure without consent. With a strong opt-in provision, the Act clearly covers businesses based outside of Canada who collect, use, or transfer data, including personal information about individuals within Canada.
Compliance
Conducting an inventory of information collection and disclosure practices; evaluating agreements with third parties that involve the disclosure of consumer information; establishing mechanisms to handle opt-out elections by consumers; developing or revising existing privacy policies; determining how to deliver privacy notices to consumers (by the data controller in the US).
Non-tangible Essentials
Honesty Flexibility Transparency
Supported by contracts that adequately address the risks associated with the outsourced service, be it the risk of the OSP's capabilities or the customer's compliance needs.
Contracts
Service Level Contracts; Employee Contracts; Limitations on Liability; Confidentiality Contracts; Third Party Licenses and Service Contracts; Procedures; Dispute Resolution; Alternate Dispute Resolution; Governing Law and Jurisdiction; Service Level Breakdown.
Contracts
Aspects of Business Requirements; Confidentiality; Choice of law (may be more than one to govern different aspects of the contract: the OSP's country, the customer's country); HR Training.
Contracts Contd.
Adopting the EU model contractual provisions in contracts to mitigate problems with EU Directive compliance issues. Liability of the OSP and the customer for violations of the rights of third parties and, indeed, liability for punitive damages: indemnity in the contract.
Due diligence by both parties; commitment of the negotiating representative and senior management staff to ensure security and compliance; regular and frequent monitoring of the relationship; ensure that knowledge of compliance policies percolates through all operation levels; technical and physical security of infrastructure; operational protection measures (no devices to save data locally; communication restrictions).
OSP (in the requirements)
OSPs should configure a complex matrix of capabilities, scale, skills, language, management and infrastructure when making commitments.
Improve business intelligence; periodically assess internal controls; record management and provisions to examine performance.
Standard Written Internal Company Practices to Enhance Security with Recorded Standard Operating Procedures Manuals
Employee background checks; a centralized data bank of all BPO-related employees, which helps identify prior violators (as initiated by NASSCOM); need-based dissemination of information (division of process, access and/or control).
Technical Measures
Establishment of an independent governing body to regulate the industry; independent certification about security standards.
Some certifying authorities: British Standards Institute (BSI), BS 7799, ISO 17799, Det Norske Veritas (DNV), Standardization Testing Quality Certification (STQC, Govt. of India), KPMG, Ernst & Young.
Self-regulation and compliance training: the OSP should inform the customer about any infractions to mitigate damage.
(CISP)
Standard, to safeguard sensitive data for all card brands: the result of a collaboration between Visa and MasterCard; creates common industry security requirements endorsed by other card services.
Industry
Office of Government Commerce (UK) is the most widely accepted approach to IT service management
offshore).
Stringent reporting requirements and penalties. Assumption of liability under contract. Choice of law of a foreign jurisdiction automatically extends liability.
Future
Indian-US security Forum to shortly sign an
Industry could lobby with the Government: to create an Indian version of the Safe Harbor; to provide a regulatory authority and framework like SEBI and the SEBI guidelines to protect privacy. The amendments to the IT Act should be in sync with global laws and trends.
Conclusion
Factors that nurture BPOs also spawn crimes. Elaborate, onerous, technical security measures reduce productivity and erode employee motivation. A combination of best practices. US protectionist measures are likely to have an adverse effect upon both the US and the global economy.
resides
encryption
costs
and out-of-reach
Develop a backup data protection program: end-to-end chain of custody; a sound method to track backup media when moved; report daily on tapes sent off-site and those on-site; reconcile tapes off-site against tapes on-site to account for all media; destroy all media once it has become obsolete and get a certificate of destruction.
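The daily reconciliation step above, as an added example that is not from the original presentation: a custodian's inventory (where each tape should be after the day's shipping log) is compared with what the on-site library and the off-site vault each report holding, and every tape that cannot be placed in exactly one location, or that is obsolete without a destruction certificate, is flagged. All tape IDs, certificate numbers and report contents are constructed sample data.

```python
"""Backup-media chain-of-custody reconciliation (constructed sample data)."""

ONSITE, OFFSITE = "onsite", "offsite"

# Constructed inventory: the custodian's record after today's transfers were applied.
INVENTORY = {
    "T0001": {"location": ONSITE,  "obsolete": False, "cert": None},
    "T0002": {"location": OFFSITE, "obsolete": False, "cert": None},
    "T0003": {"location": OFFSITE, "obsolete": False, "cert": None},  # vault never reports it
    "T0004": {"location": ONSITE,  "obsolete": True,  "cert": None},  # due for destruction
    "T0005": {"location": OFFSITE, "obsolete": True,  "cert": "CERT-0042"},  # already destroyed
}
# Constructed daily reports from the two custodians.
ONSITE_REPORT = ["T0001", "T0004", "T0002"]   # T0002 should be off-site
OFFSITE_REPORT = ["T0002", "T0005", "T0099"]  # T0099 is unknown; T0005 should be gone


def reconcile(inventory, onsite_report, offsite_report):
    """Compare expected locations with reported holdings; return exception lists."""
    seen = {}
    for loc, report in ((ONSITE, onsite_report), (OFFSITE, offsite_report)):
        for media_id in report:
            seen.setdefault(media_id, []).append(loc)

    findings = {"missing": [], "misplaced": [], "duplicate": [],
                "destroy_pending": [], "destroyed_but_present": [], "unknown": []}
    for media_id, rec in sorted(inventory.items()):
        locs = seen.get(media_id, [])
        if rec["cert"]:
            # A certified-destroyed tape must not turn up in anyone's report.
            if locs:
                findings["destroyed_but_present"].append(media_id)
            continue
        if rec["obsolete"]:
            findings["destroy_pending"].append(media_id)  # obsolete, no certificate yet
        if not locs:
            findings["missing"].append(media_id)       # nobody holds it: custody gap
        elif len(locs) > 1:
            findings["duplicate"].append(media_id)     # two custodians claim it
        elif locs[0] != rec["location"]:
            findings["misplaced"].append(media_id)     # held where it should not be
    # Reported tapes that the custodian has no record of at all.
    findings["unknown"] = sorted(set(seen) - set(inventory))
    return findings


def fully_accounted(findings):
    """True only when no exception list is populated."""
    return not any(findings.values())


if __name__ == "__main__":
    for kind, ids in reconcile(INVENTORY, ONSITE_REPORT, OFFSITE_REPORT).items():
        print(f"{kind:>22}: {', '.join(ids) or '-'}")
```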
business changes
Conclusions
The Data Protection Directive was not conceived with e-commerce in mind and raises numerous problems and legal uncertainty. Government control and discretionary authority are inconsistent with an innovative information society and consumer choice. Data protection applies even if the consumer does not want it, resulting in paternalism. Privacy protection increases the risk of fraud. The EC exports its consumer and data protection regime to the rest of the world, thus reducing the availability of e-commerce services and making them more expensive.
Conclusions
There is a cost to privacy protection.
In a market setting, the cost is self-limiting. Government's monopoly over force and absence
Thank You
Poorvi Chothani, Esq., LawQuest, 36 Maker Tower F, Cuffe Parade, Mumbai 400 005. E-mail: poorvi@lawquestinternational.com. Telephone: 00 91 22 6654 1671