Front Lines

Privacy is changing outsourcing in Canada

Special to Globe and Mail Update

Front Lines is a guest viewpoint section offering perspectives on current issues and events from people working on the front lines of Canada's technology industry. Terry McQuay is the President of Nymity, a privacy research firm that provides privacy education, risk mitigation subscription solutions and research services for corporations and not-for-profit organizations.

Outsourcing in Canada is changing because of privacy laws, changes in government outsourcing policies and business concerns resulting from the USA PATRIOT Act.

Increasingly, Canadian service providers are finding themselves with a competitive advantage simply because they keep their customers' data in Canada. Conversely, U.S.-based service providers are finding themselves at a disadvantage, often scrambling to move their data processing to Canada.

Background

Privacy laws in Canada provide consumers with the ability to file complaints against organizations located in Canada with provincial and/or federal privacy commissioners' offices. Complaints typically result from real or perceived mishandling of the consumer's personal information by the organization, but consumers can file complaints even if they are not directly subject to the privacy issue or breach.

Privacy laws also provide the privacy commissioners' offices with the power to investigate consumer complaints and an obligation to identify, expose and where possible influence privacy issues that have an impact on Canadians. Over the past year, privacy commissioners in Canada have increased their focus on cross-border transfers of personal information. This privacy issue results from personal information being sent to locations that don't have the same level of legislated privacy protections as Canada does.

Although offshore transfers to countries like India (that don't have privacy laws) might seem like the logical target for this increased focus on cross-border transfer of information, they're not. Organizations that outsource to India typically have contractual and other means to secure personal information, thus providing more than adequate privacy protections. The focus is on the U.S. The USA PATRIOT Act is considered by some to be anti-privacy because it provides U.S. federal authorities seemingly unfettered access to any personal information held by U.S. firms, whether it is on U.S. citizens, Canadians, or anyone else.

Cross-Border Privacy Concerns

Privacy laws give consumers the ability to complain, and provide privacy commissioners the powers to investigate these complaints. But do consumers really care if their personal information is transferred to the U.S.?

As a Canadian, ask yourself these questions:

"Would I like my personal information reviewed by a U.S. authority, like the FBI?"

"Would I like my purchasing habits, my medical information and my resume accumulated and accessed by U.S. government agencies?"

If you answered 'no' to these questions, you are not alone. According to a survey published in June 2005, and conducted by EKOS Research Associates on behalf of the Privacy Commissioner of Canada, 64 per cent of Canadians have serious concerns about companies transferring their personal information to the U.S.

Privacy Commissioners Influence Corporate Outsourcing Policies

Cross-border transfers of personal information are a major concern of privacy commissioners across Canada, and they have taken many steps to build the awareness of this issue. The Office of the Privacy Commissioner of Canada has stated on several occasions:

"At the very least, a company in Canada that outsources information processing in this way should notify its customers that the information may be available to the U.S. government or its agencies under a lawful order made in that country."

In a recent precedent-setting finding on a complaint about an organization's transfer of personal information outside of Canada, the federal commissioner's office stated that an organization must comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), the law that governs all customer personal information transferred to the U.S. by corporations in Canada.

Principle 4.1.3 of Schedule 1 states: "An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party."

Principle 4.8 states: "An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information."

To comply with PIPEDA, the Commissioner's finding states: "What the Act does demand is that organizations be transparent about their personal information handling practices and protect customer personal information in the hands of foreign-based third-party service providers to the extent possible by contractual means."

Transparency requires providing notice to consumers that their information will be located outside of Canada. Thus, organizations have only two viable options:

  • Provide notice to consumers that their personal information is being transferred to the U.S. and is subject to U.S. laws; or
  • Keep the data in Canada.

Outsourcing Rules are Changing

Organizations are avoiding this issue completely by keeping personal data in Canada. The location of the data is now one of the decision factors when selecting a new service provider for an outsourcing contract.

Many, if not most, government organizations are demanding personal information remain in Canada. Banks, insurance companies and healthcare providers are pressuring their current suppliers to keep personal information in Canada, and selecting new suppliers that keep their data in Canada.

Privacy has changed outsourcing in Canada.

Competitive Advantage for Canadian Service Providers

Canadian companies are finding they have a competitive advantage, simply because the data remains in Canada. One such company is ThinData, a Canadian e-marketing solutions provider. Wayne Carrigan, vice-president of Client Services at ThinData explains: "We are a Canadian company and we have always processed our customers' data in Canada. We never expected privacy laws and concerns about the USA PATRIOT Act would provide us a competitive advantage, but it has."

As for customer demand, Wayne says, "We are increasingly responding to proposal requests that specifically ask if we keep clients' data in Canada. Our customers have stated that one of the reasons they have chosen ThinData is they want their data to remain in Canada."

Similarly, Gabe Mazzarolo, Chief Privacy Officer of Workopolis, Canada's biggest job site, says "Almost every piece of information contained in an individual's resume is personal information. Both our corporate clients and Jobseekers feel more secure knowing their information remains in Canada."

Nymity, a privacy research firm, has seen substantial growth in both its training and its subscription services as both U.S. and Canadian organizations are looking for pragmatic solutions to mitigate the impact of privacy on outsourcing, or looking for a means to capitalize on this privacy issue. Jin Shin, Nymity's General Counsel explains: "Outsourcing personal information to the U.S. can be done in compliance with PIPEDA, but doing so doesn't mitigate all privacy risks, and in some cases it introduces new privacy risks. For example, although providing Notice is required, it can have unanticipated results. A few of Nymity's customers have provided Notice that resulted in complaints to the Federal Privacy Commissioner's office."

Linda Drysdale, a privacy expert at PricewaterhouseCoopers, says "We foresee huge growth in service providers conducting audits against the new Generally Accepted Privacy Principles (GAPP) from the AICPA/CICA, partially due to their customers' concerns related to transfers of personal information outside of Canada."

Conclusion

Privacy is changing outsourcing in Canada. Government policies virtually mandate personal data remain in Canada and corporate Canada is finding it best to simply avoid the issue completely by keeping their customers' data in Canada.

The bottom line for service providers is: Canadian service providers have a competitive advantage — U.S. service providers have a business risk.
