Indian outsourcing gets privacy legislation

India's ministry of information technology and the country's main software trade association are drafting a data protection act...

India's ministry of information technology and the country's main software trade association are drafting a data protection act designed to allay growing privacy concerns in the US and Europe related to offshore outsourcing.

The legislation, expected to be enacted the beginning of next year, would provide legal safeguards to ensure data privacy protection in India, said Kiran Karnik, president of the National Association of Software and Service Companies (Nasscom).

The rules are being drafted primarily to address the European Union's strict privacy requirements, Karnik said.

EU laws prohibit companies from exporting data to or storing data in countries that lack privacy safeguards comparable to the EU's.

"The EU has very stringent laws with regard to data privacy. We are trying to make sure we have a law that meets their minimum requirements," Karnik said.

At the same time, a tougher data privacy law in India stands to benefit US companies that have hired Indian firms to process jobs involving personal data.

"We see this as making it easier for us to do business there," said Karen Allen, vice-president of risk management at Exult, a business process outsourcer for Fortune 500 companies, which opened a data centre in Mumbai.

The company is one in a growing number of US corporations that process personal information on US individuals at offshore locations. Such information often includes Social Security and driver's licence numbers as well as confidential data such as individuals' employment or medical histories.

At present there are no US laws that prohibit that data from being shipped to or accessed from other countries.

"There are no significant differences [in] a company's privacy obligations, [whether it's] conducting an offshore arrangement or a domestic one," said Christopher Ford, a partner at law firm Alston & Bird.

Consequently, it is important for companies to consider a country's data privacy laws when contracting with offshore firms, said Greg Scheuman, chief technology officer at Mercury Insurance Group.

Companies need to ascertain what measures an offshore service provider has taken to ensure data privacy, Scheuman added. That means reviewing the providers' data handling and access control policies, disaster recovery and business continuity processes, and employee screening practices.

It also pays to familiarise employees in offshore locations with US data privacy practices and laws, Allen said.

Exult, for example, has a data privacy certification programme for offshore employees, which ensures that no confidential data is sent overseas. Instead, the data is hosted on US-based systems and accessed in a closely monitored process.

Systems that are used to access the data have some functions disabled to prevent unauthorised copying or downloading of the data, Allen said.

Jaikumar Vijayan writes for Computerworld

Read more on IT outsourcing