There are a number of commercial risks and legal issues with offshore outsourcing that all organisations should be aware of prior to signing an outsourcing contract.
What is offshore outsourcing?
In an offshore outsourcing model, a company engages a service provider to perform business functions (for example, call centres for a telecommunications company or claims processing for an insurance company) on its behalf, or to store, process and manage the company’s data from overseas locations outside. A company may enter into an arrangement directly with an offshore service provider (such as Infosys), or it may enter into an arrangement with a local multi-national supplier who subcontracts parts of the services to its lower cost subsidiaries (such as Accenture).
Why choose offshore outsourcing?
A company may wish to offshore outsource in a bid to lower its costs, gain better availability of skilled and experienced people, and get work done more efficiently through a global talent pool.
An innovative example of offshore outsourcing is the UK company that recently outsourced its after-hours call handling facility to a New Zealand service provider, which is able to manage the UK company’s after-hours calls during business hours in New Zealand due to the time zone differences.
Key offshoring risks
In today’s electronic information economy, one of the biggest risks an organisation faces when offshoring is the security of its data. Broadly, data security is the practice of keeping data protected from unauthorised access and disclosure (whether deliberate or accidental) and corruption (in other words, ensuring that data is readable and usable).
In an off-shoring model there is a risk that offshore contractors in the overseas centre have much less cultural alignment and arguably less allegiance to the procuring company’s values and expectations/legal obligations regarding data security.
This is not the only risk, as issues such as political upheaval, cultural and language differences, and quality control issues can affect the success of offshore outsourcing.
EU Privacy Directive and local laws
For a company headquartered in the EU, data will generally be subject to national and EU law as well as the applicable laws of the country in which it is stored or to which it is disclosed. For example, in Ireland the Data Protection Acts 1998 – 2003 is the main law dealing with data protection.
While the EU generally has strict laws on how personal data is handled, non-EEA countries to which an organisation based in the EU may wish to offshore data may not provide an adequate level of data protection. These include popular outsourcing and offshoring locations such as the Philippines and India. The organisation will usually have to ensure the outsourcing contract contains suitable provisions addressing the protection of personal data by the offshore outsourcing provider. The EU standard contractual clauses for the transfer of data from the EU to a third country can be used for this purpose.
Foreign owned vendors operating in the EU may also be subject to the laws of their own government, essentially enabling foreign governments to try to gain access to data held by the vendor in the EU.
The United States does not have a single ‘catch-all’ data protection and privacy law. Instead, the United States has enacted laws dealing with discrete data privacy issues (such as legislation governing the collection of personal information from children) and laws to regulate particular applications of consumer data (such as the use of credit reporting data).
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (commonly referred to as the ‘USA Patriot Act’) allows data stored or hosted on servers in the United States to be accessed by the government, if requested. In June 2011 Microsoft admitted that, as a U.S.-headquartered company that stores data on servers in the EU, it could provide details of that data to U.S. authorities without informing users. As such, any data which is housed, stored or processed by a company that is U.S. based or is wholly owned by a U.S. parent company is vulnerable to interception and inspection by U.S. authorities, and this should be considered when engaging a U.S. outsourcing company or other outsourcing company that will host data in the U.S.
The Philippines does not currently have any comprehensive data protection laws.
The statutory aspects of data protection in India are scattered under various acts, such as the Information Technology Act 2000, which addresses electronic data, computer crimes, hacking, damage to computer source code and breach of confidentiality provisions.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (known as the ‘Privacy Rules’) were enacted in India in 2011. The Privacy Rules apply to entities collecting, processing and storing personal data. The Indian Ministry of Communications & Information subsequently released a clarification notice in mid-2011, which stated that an Indian outsourcing service provider supplying services in relation to collection, storage, dealing or handling of personal information to entities situated in India or offshore will only be subject to collection or disclosure of information requirements (including the obligation to obtain written consent from subjects) if they have “direct contact” with the data subjects when providing their services. This important ruling means that the Privacy Rules will only apply to Indian companies to the extent that they obtain personal data directly and not as part of an outsourced service provision arrangement.
While off-shoring may provide a number of benefits to businesses by providing cost-effective data storage and processing services, there are a number of legal issues in offshore outsourcing. These include the important data security and legal and regulatory compliance risks (and associated costs) discussed above that businesses need to be aware of and ensure they address first.