*NOTE: I don't really know what subject this would be considered. It's from my business law class.
Outsourcing specialized operational tasks has become a common practice. When outsourcing involves the transfer of personal information, issues of security and privacy are raised. Customers may consent to the collection of personal data without realizing that their information could be shared with another company located halfway around the world and subject to different disclosure and protection rules. In recognition of international privacy concerns, the Organization for Economic Co-operation and Development (OECD) created guidelines to enhance privacy protection during trans-border data exchanges. Guideline 10 suggests that personal data should not be used or disclosed without the consent of the owner or authority of law.
Canadian outsourcing to the United States has become even more controversial since the enactment of the USA PATRIOT Act.15 This legislation allows US law-enforcement officials to obtain personal records or information from any source in the country without the data owner knowing. As a result, there have been several Canadian challenges of personal data outsourcing to the United States. In B.C.G.E.U. v. British Columbia (Minister of Health), union members argued that the Ministry of Health was violating patients’ rights to privacy under section 7 of the Charter by outsourcing physician billing data that contained personal patient information to a private U.S. company.16 The BC Supreme Court disagreed, holding that as long as the contractual arrangement authorized under the Canada Health Act ensured that a reasonable expectation of privacy was protected, the practice was acceptable. Since then B.C., Nova Scotia, and Alberta passed legislation that restricts public (not private) sector trans-border outsourcing.17
The Privacy Commissioner rejected a similar complaint against the Canadian Imperial Bank of Commerce. The bank outsourced the processing of credit card transactions to an American company. The specific confidentiality and security contained in the outsourcing agreement were approved by the Office of the Superintendent of Financial Institutions, and this satisfied the Commissioner. Both decisions turned on the specific terms of the outsourcing agreement and prior regulatory approval of the terms.
When considering sending sensitive information across the border and outsourcing to American firms, businesses should:
• Undertake a security analysis of the American company prior to contracting;
• Inform the affected customer data owner;
• Include specific confidentiality, security, and reporting provisions in the outsourcing agreement;
• Seek regulatory approval of the agreement, if available; and
• Regularly audit the privacy practices of the outsourcing company.
Increased privacy concerns can be anticipated as the transnational public cloud computing industry replaces user-owned software, desks, and laptops as the primary custodians of personal information. “By 2017, enterprise spending on cloud computing will amount to a projected $235.1 billion, triple the $78.2 billion spent in 2011. … (in 2014) global business spending for infrastructure and services related to the cloud will reach an estimated $174.2 billion, up 20 percent from the amount spent in 2013.”
Question (1): Are there certain types of information that should remain within Canadian borders? If Canadian data is at greater risk of disclosure when transferred to the United States, why not ban all public and private outsourcing to the United States? Discuss.
Question (2): How can personal information be protected when stored on a transnational cloud server?
Answer (1):
Certain types of information that should remain within Canadian borders which includes the transfer of personal information, issues of security and privacy are raised. Customers may consent to the collection of personal data without realizing that their information could be shared with another company located halfway around the world and subject to different disclosure and protection rules. In recognition of international privacy concerns, the Organization for Economic Co-operation and Development (OECD) created guidelines to enhance privacy protection during trans-border data exchanges.
If Canadian data is at greater risk of disclosure when transferred to the United States, they do not ban all public and private outsourcing to the United States because, when considering sending sensitive information across the border and outsourcing to American firms, businesses should:
• Undertake a security analysis of the American company prior to contracting;
• Inform the affected customer data owner;
• Include specific confidentiality, security, and reporting provisions in the outsourcing agreement;
• Seek regulatory approval of the agreement, if available; and
• Regularly audit the privacy practices of the outsourcing company.
Answer (2):
Personal information can be protected by replacing user-owned software, desks, and laptops as the primary custodians of personal information when stored on a transnational cloud server. A greater concern with cloud storage, though, relates to who consumers can hold accountable for the security of their personal information. Current laws provide guidelines for companies that maintain personal information. The laws address how personal information must be protected, used, and ultimately destroyed, as well as penalties for failure to protect that information. Those laws include provisions for ensuring any third party that the company gives information to also protect it as the company would itself. But when personal information is stored in the cloud it can become virtually impossible for a consumer to know who actually compromised their personal information. In other words, everyone involved in a data breach could potentially be able to shrug their shoulders and say, “It’s not our fault.”