Privacy Without Borders
Sensitive medical and financial data could face more regulation and scrutiny
Companies that outsource the processing of sensitive financial or medical data know they need to overcome customer concerns about protection against inadvertent disclosures. In the coming year, they could face additional legal obstacles as well.
In the first week of January, California state Sen. Liz Figueroa plans to introduce legislation to prohibit confidential medical information and tax returns from being sent abroad, says Elizabeth Fenton, the senator's chief of staff. The proposal stems from an incident in October when a woman doing medical transcriptions in Pakistan threatened to post on the Web data related to patients of the University of California's San Francisco Medical Center. She claimed a subcontractor hadn't paid her for her work.
Medical transcription such as doctors' dictations is just one example of the sensitive data outsourcers handle. Molly Malone, executive director of the Medical Transcription Industry Alliance, a professional association for the industry, says about 45% of hospitals it has surveyed subcontract these jobs. Only 4% say they send work overseas themselves, though those who don't send the work overseas could be working with U.S. outsourcers that subcontract the work abroad.
Protecting privacy, and complying with privacy regulations, isn't a new concern, but it may get greater attention in the coming year, as Figueroa's proposal suggests.
Kaiser Permanente, a large health-care provider with a major California presence, contracts with Covansys, HCL Technologies, Infosys, and Tata Consultancy Services for offshore IT services. The outsourcers have at least a decade of experience with international companies, including U.S. health-care organizations, a Kaiser spokesman says. They do employee background and criminal checks and daily verifications of employee badges and personal belongings.
Hewitt Associates, a human-resources outsourcing and consulting firm, hired full-time staff in India rather than contract through an outsourcing firm in part because its clients were more comfortable limiting access to sensitive information such as salary and health-care records to Hewitt staff.
Companies already must cope with a patchwork of laws, ranging from the Health Insurance Portability and Accountability Act to the European Union's privacy rules. Come January, Canada will toughen its approach with new data-protection policies. Every company operating in Canada will be required to disclose the purpose of their data collection, get consent for its collection and use, and provide individuals with access to personal information files, says Ottawa Law School professor Michael Geist.
"That certainly provides Canadians with greater privacy rights than those enjoyed in the U.S.," Geist writes in an E-mail interview. "Whether there will be full compliance and whether that actually translates into greater privacy protection remains to be seen."
India, too, has new data-protection policies in the works, and other offshore locations are bound to follow. But companies hoping to keep their customers' confidence--and avoid blanket restrictions such as the ones Figueroa is considering--need to focus on a far higher level of privacy protection than mere legal compliance. "Companies shouldn't just be focused on the law but on how to prevent these things," says Atul Vashistha, CEO of neoIT, an offshore-outsourcing consulting firm. "If you're trying to enforce the law, you already have too many problems."