CASE

Outsourcing specialized operational tasks has become a common practice. When outsourcing involves the transfer of personal information, issues of security and privacy are raised. Customers may consent to the collection of personal data without realizing that their information could be shared with another company located halfway around the world and subject to different disclosure and protection rules. In recognition of international privacy concerns, the Organization for Economic Co-operation and Development (OECD) created guidelines to enhance privacy protection during transborder data exchanges. Guideline 10 suggests that personal data should not be used or disclosed without the consent of the owner or authority of law.

Canadian outsourcing to the United States has become even more controversial since the enactment of the USA PATRIOT Act.15 This legislation allows US law enforcement officials to obtain personal records or information from any source in the country without the data owner knowing. As a result, there have been several Canadian challenges of personal data outsourcing to the United States. In B.C.G.E.U. v. British Columbia (Minister of Health), union members argued that the Ministry of Health was violating patients’ rights to privacy under section 7 of the Charter by outsourcing physician billing data that contained personal patient information to a private U.S. company.16 The BC Supreme Court disagreed, holding that as long as the contractual arrangement authorized under the Canada Health Act ensured that a reasonable expectation of privacy was protected, the practice was acceptable. Since then, BC, Nova Scotia, and Alberta passed legislation that restricts public (not private) sector trans-border outsourcing.17

The Privacy Commissioner rejected a similar complaint against the Canadian Imperial Bank of Commerce. The bank outsourced the processing of credit card transactions to an American company. The specific confidentiality and security contained in the outsourcing agreement were approved by the Office of the Superintendent of Financial Institutions, and this satisfied the Commissioner. Both decisions turned on the specific terms of the outsourcing agreement and prior regulatory approval of the terms.

When considering sending sensitive information across the border and outsourcing to American firms, businesses should:

• Undertake a security analysis of the American company prior to contracting;
• Inform the affected customer data owner;
• Include specific confidentiality, security, and reporting provisions in the outsourcing agreement;
• Seek regulatory approval of the agreement, if available; and
• Regularly audit the privacy practices of the outsourcing company.

Increased privacy concerns can be anticipated as the transnational public cloud computing industry replaces user-owned software, desks, and laptops as the primary custodians of personal information. “By 2017, enterprise spending on cloud computing will amount to a projected $235.1 billion, triple the $78.2 billion spent in 2011. … (in 2014) global business spending for infrastructure and services related to the cloud will reach an estimated $174.2 billion, up 20 percent from the amount spent in 2013.”

Question: Are there certain types of information that should remain within Canadian borders? If Canadian data is at greater risk of disclosure when transferred to the United States, why not ban all public and private outsourcing to the United States? Discuss.

Question: How can personal information be protected when stored on a transnational cloud server?