Reference no: EM132152385
Outsourcing specialized operational tasks has become a common practice. When outsourcing involves the transfer of personal information, issues of security and privacy are raised. Customers may consent to the collection of personal data without realizing that their information could be shared with another company located halfway around the world and subject to different disclosure and protection rules. In recognition of international privacy concerns, the Organization for Economic Co-operation and Development (OECD) created guidelines to enhance privacy protection during trans-border data exchanges. Guideline 10 suggests that personal data should not be used or disclosed without the consent of the owner or authority of law.
Canadian outsourcing to the United States has become even more controversial since the enactment of the USA PATRIOT Act.[15] This legislation allows US law-enforcement officials to obtain personal records or information from any source in the country without the data owner knowing. As a result, there have been several Canadian challenges of personal data outsourcing to the United States. In B.C.G.E.U. v. British Columbia (Minister of Health), union members argued that the Ministry of Health was violating patients’ rights to privacy under section 7 of the Charter by outsourcing physician billing data that contained personal patient information to a private U.S. company.[16] The BC Supreme Court disagreed, holding that as long as the contractual arrangement authorized under the Canada Health Act ensured that a reasonable expectation of privacy was protected, the practice was acceptable. Since then, BC, Nova Scotia, and Alberta have passed legislation that restricts public (not private) sector trans-border outsourcing.[17]
The Privacy Commissioner rejected a similar complaint against the Canadian Imperial Bank of Commerce. The bank outsourced the processing of credit card transactions to an American company. The specific confidentiality and security provisions contained in the outsourcing agreement were approved by the Office of the Superintendent of Financial Institutions, and this satisfied the Commissioner. Both decisions turned on the specific terms of the outsourcing agreement and prior regulatory approval of the terms.
When considering sending sensitive information across the border and outsourcing to American firms, businesses should:
• Undertake a security analysis of the American company prior to contracting;
• Inform the affected customer data owner;
• Include specific confidentiality, security, and reporting provisions in the outsourcing agreement;
• Seek regulatory approval of the agreement, if available; and
• Regularly audit the privacy practices of the outsourcing company.
Increased privacy concerns can be anticipated as the transnational public cloud computing industry replaces user-owned software, desktops, and laptops as the primary custodians of personal information. “By 2017, enterprise spending on cloud computing will amount to a projected $235.1 billion, triple the $78.2 billion spent in 2011. ... (in 2014) global business spending for infrastructure and services related to the cloud will reach an estimated $174.2 billion, up 20 percent from the amount spent in 2013.”
Question (1): Are there certain types of information that should remain within Canadian borders? If Canadian data is at greater risk of disclosure when transferred to the United States, why not ban all public and private outsourcing to the United States? Discuss.
Question (2): How can personal information be protected when stored on a transnational cloud server?