Much More Than Jobs Being Outsourced

Information Management Journal, May/Jun 2004 by Swartz, Nikki

Along with American jobs exported overseas, individuals' personal data is often sent to countries that lack consumer privacy laws.

A growing number of U.S. medical and financial-services firms are shifting information-processing work to lowerwage countries that lack tough privacy laws, leaving their consumers vulnerable to identity theft and possibly other crimes.

According to Gartner, offshore business process outsourcing services, which typically require the transfer of personal data, grew 38 percent last year to just under $2 billion.

Concerns include overseas call-center workers being able to view or manipulate personal records stored in U.S. data centers and having databases of information on their citizens physically located in a foreign country and operated by a third party.

"Outside the U.S., medical privacy doesn't really mean anything," said California Sen. Liz Figueroa, who wants to bar offshore outsourcing of medical and financial records. She is sponsoring bills to require California employers to notify the state and employees if they plan to move 20 or more jobs overseas and to prohibit state contracts from being fulfilled offshore.

Sen. Dianne Feinstein (D-Calif.) has asked the U.S. Comptroller of the Currency to investigate whether banks that process customers' financial data offshore have safeguards to protect that data from unauthorized use. In Arizona, proposed legislation would bar companies from shipping financial data outside the country without written permission from consumers. A proposal in South Carolina would prevent companies from giving "financial, credit, or identifying information" to a callcenter representative abroad without the individual's written permission.

Executives who are counting on offshore operations to lower their costs say safeguards are in place to protect individuals' privacy. Critics say privacy cannot be guaranteed in offshore settings. According to privacy advocates, contract language and security technology are not enough to protect the confidentiality of personal data that has been moved offshore.

For example, last year, a disgruntled Pakistani worker upset about back pay threatened to divulge data about patients at a San Francisco hospital that sent its transcription work abroad, according to Information Week.