India's ministry of information technology and the country's main software trade association are drafting a data protection act designed to allay growing privacy concerns in the US and Europe related to offshore outsourcing.

The legislation, expected to be enacted at the beginning of next year, would provide legal safeguards to ensure data privacy protection in India, said Kiran Karnik, president of the National Association of Software and Service Companies (Nasscom).

The rules are being drafted primarily to address the European Union's strict privacy requirements, Karnik said.

EU laws prohibit companies from exporting data to, or storing data in, countries that lack privacy safeguards comparable to the EU's.

"The EU has very stringent laws with regard to data privacy. We are trying to make sure we have a law that meets their minimum requirements," Karnik said.

At the same time, a tougher data privacy law in India stands to benefit US companies that have hired Indian firms to process jobs involving personal data.

"We see this as making it easier for us to do business there," said Karen Allen, vice-president of risk management at Exult, a business process outsourcer for Fortune 500 companies, which opened a data centre in Mumbai.

The company is one of a growing number of US corporations that process personal information on US individuals at offshore locations. Such information often includes Social Security and driver's licence numbers as well as confidential data such as individuals' employment or medical histories.

At present there are no US laws that prohibit that data from being shipped to or accessed from other countries.

"There are no significant differences [in] a company's privacy obligations, [whether it's] conducting an offshore arrangement or a domestic one," said Christopher Ford, a partner at law firm Alston & Bird.

Consequently, it is important for companies to consider a country's data privacy laws when contracting with offshore firms, said Greg Scheuman, chief technology officer at Mercury Insurance Group.

Companies need to ascertain what measures an offshore service provider has taken to ensure data privacy, Scheuman added. That means reviewing the provider's data handling and access control policies, disaster recovery and business continuity processes, and employee screening practices.

It also pays to familiarise employees in offshore locations with US data privacy practices and laws, Allen said.

Exult, for example, has a data privacy certification programme for offshore employees, which ensures that no confidential data is sent overseas. Instead, the data is hosted on US-based systems and accessed in a closely monitored process.

Systems that are used to access the data have some functions disabled to prevent unauthorised copying or downloading of the data, Allen said.
Jaikumar Vijayan writes for Computerworld