Offshoring and Privacy Protection

In This Section:

  • Health Care Records
  • Financial Information
  • The Legislative State of Play

Serious privacy issues surrounding offshored work have been highlighted through numerous high-profile incidents and accusations. While these privacy concerns unquestionably also plague outsourcing of government work to private companies in general, they are particularly problematic with regard to overseas providers. U.S. law does not apply overseas, and obtaining redress in the U.S. civil justice system in cases of abuse involving overseas companies is potentially very difficult. Even though increased offshoring by U.S. companies means that an unprecedented amount of sensitive personal data is being shipped overseas, U.S. privacy protections effectively end at our borders. In sharp contrast, European consumers are afforded considerably greater protection by a European Union (EU) law that permits personal data to be sent offshore only to countries whose privacy laws have been deemed to provide equivalent privacy protections and that have been found to have strong enforcement capabilities. Because most countries cannot meet these "safe harbor" requirements, European jobs that involve the handling of confidential information have been offshored at a far slower rate than in the United States.

There are already numerous examples of confidential information being mishandled in offshore situations:

  • In Ohio, allegations that citizens’ birth records had been sent to a facility in Sri Lanka led to the U.S. company that had offshored the work (and thus exposed the confidential information) being barred from state contract work for 15 months.
  • In 2003, a medical transcriber in Pakistan threatened to post patients’ records online unless the University of California San Francisco (UCSF) Medical Center paid the wages owed to her by the U.S. subcontractor that had sent the work to her.
  • Indian workers at Heartland Information Services, an Ohio-based company that offshores medical records work to India, threatened to release confidential records unless they received a cash payoff from the company.

Further Reading:

  • "Mishandling birth records gets company barred from state business," Associated Press (4/19/02)
  • "Missent Birth Data Were For Adults, Not Babies," The Columbus Dispatch (9/7/01)
  • "A Tough Lesson on Medical Privacy," San Francisco Chronicle (10/22/03)
  • "Extortion Threat to Patients' Records," San Francisco Chronicle (4/02/04)

 

Health Care Records

In 2001, the federal Department of Health and Human Services adopted nationwide privacy protections for medical information in the "Privacy Rule," mandated by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. This law prevents health care companies from selling information to third parties, such as telemarketing firms. However, the protected health information of a patient can be processed internally by a HIPAA-regulated "Covered Entity." These entities can transfer protected health information to certain third-party service providers, such as insurance companies, research facilities, transcriptionists or radiologists, with no requirement that the patient's prior consent be obtained. The offshoring of such information was most likely not contemplated when HIPAA was designed; nothing in the statute forbids the transfer of information to overseas locations for third-party services.

 

Financial Information

Other work that involves sensitive personal information has also been offshored in financial sectors, most prominently accounting. An estimated 150,000-200,000 individual tax returns, both federal and state, will be prepared in India in 2004. Tax returns contain personal information including Social Security numbers, addresses, employer information, stock holdings and credit information. In response to questions about security, some firms such as Massachusetts-based Datamatrix have established self-enforced security measures such as not permitting writing materials, printers, or even e-mail access in offshore offices where tax preparation is done. But none of these measures are required of firms that offshore work – or are necessarily sufficient to prevent violations of consumer privacy.

Tax preparation, and consumers' financial transactions and information generally, are afforded some protection in the United States under Title V of the Gramm-Leach-Bliley Act, the 1999 law that protects personal financial information held by banks, securities firms and insurance companies, as well as non-traditional financial institutions such as credit reporting agencies. As with HIPAA protections, Gramm-Leach-Bliley does not prevent financial institutions from sending customers' personal information to overseas vendors. This omission is particularly troublesome in light of the large number of major financial institutions that already have outsourced a significant proportion of their operations overseas. Recent press reports also indicate that two of the three major credit-reporting agencies in the United States are planning to outsource operations abroad.

Further reading:

  • "Foreign Accountants Do U.S. Tax Returns," Associated Press (2/22/04)
  • "Known Around the World; Private Records May be at Risk," Boston Herald (11/30/03)

 

The Legislative State of Play

Bills are pending in several states that would prohibit overseas outsourcing where personal information is involved. Personal information is typically defined as including, but not limited to, Social Security numbers, medical and financial information, dates of birth, and names of relatives.

At the federal level, an amendment submitted by Sen. Hillary Clinton (D-NY) to the "Jumpstart Our Business Strength" (JOBS) Act on March 23, 2004, would regulate the transmission of personally identifiable information (including bank account information, Social Security numbers, addresses, phone numbers, passwords, mother's maiden name and age) to foreign affiliates and subcontractors both before and after a customer relationship is established. First, the amendment would require businesses and private, nonprofit organizations to obtain prior consent from an existing customer or potential customer before their information is sent to a foreign affiliate or subcontractor. Second, such entities would be held liable for any misuse of a customer's personal information by a foreign affiliate or subcontractor. In addition, the amendment requires that the Federal Trade Commission certify countries and make available to the public a list of countries that have adequate privacy laws. Sen. Clinton also introduced this proposal as a separate bill, co-sponsored by Sen. Dayton, on April 9, 2004.

On the House side, Rep. Edward Markey (D-MA), co-chair of the congressional Privacy Task Force, has been a prominent advocate of extending privacy protections to offshored service contracts. He introduced H.R. 4366, a companion bill to the Senate version described above, on May 13, 2004.

In letters to the Comptroller of the Currency and several major banks, Sen. Dianne Feinstein (D-CA) noted that third-party vendors abroad are technically subject to U.S. privacy laws, but expressed concern over the "unique regulatory challenges" involved in overseas enforcement. She asked the Comptroller numerous questions about outsourcing practices and specifically requested that he identify the number of foreign vendors that have been given access to private personal information by banks under the OCC's jurisdiction.

Further reading:

  • "Feinstein Questions Privacy Protections in Outsourcing," Congress Daily (3/04/04)

Copyright © 2014 Public Citizen. Some rights reserved. Non-commercial use of text and images in which Public Citizen holds the copyright is permitted, with attribution, under the terms and conditions of a Creative Commons License.