Managing Privacy Conflicts Across Borders – Vendor Awareness and Action

by Sue Rock, Certified Records Manager

Lost hard drives and back-up tapes, stolen identities and unauthorized disclosure of personal information are headlines which scare the trust out of our clients. Vendors have been contracted to provide records services to clients. Clients often do not understand or manage their privacy obligations implicit in the records they entrust to vendors.

Managing privacy issues inherent in business records requires leadership from the vendor community. Understanding and implementing privacy requirements begins within the vendor's business itself. Implementation of a privacy program reaps the following rewards for the vendor:

Demonstrable leadership in efficient business rules.
Visible corporate social responsibility.
Maintenance of trust among clients, partners and employees.

What are the privacy components of records stored or shredded by vendors? What are privacy conflicts? Why should they be managed? Who should manage them?

Let's review the history of international privacy initiatives which form the foundation for discussing privacy issues. Notice that the lofty goals of privacy protection of seem to be subverted to economic rules for commerce!

Table 1 Privacy – a history fraught with drama:

Date	Title	Author	Highlights
1980	Protection of Privacy and Transborder Flows of Personal Data	OECD	International agency “Organization for Economic Cooperation and Development” Supports trade, development 30 nations, incl. US and Canada Canada signs in 1987 US NOT a signatory to these guidelines.
1995	EU Data Protection Directive	European Union	Disallows transfer of personal data to non-EU countries who don't have an “adequate level of protection.
1996	CSA Model Code for the Protection of Personal Information	CSA	Canadian Standards Assoc. Standard privacy principles
1998	European Union showdown with the US	EU v US	EU refuses to send any personal information to the US for a week. $379b trade at risk.
2000	Safe Harbor Provisions	US to EU	US companies voluntary register under Federal Trade Commission Ensures adequate privacy protection to personal information coming from EU. Does not extend to non EU countries, e.g., Canada , Australia...
2001	Personal Information Protection and Electronic Documents Act, 2004 (PIPEDA)	Canada	Enable E-commerce with Europe. In effect for private sector 2004.
2001	USA PATRIOT Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act	US	Lowers the threshold for FISA (Foreign Intelligence Surveillance Act) from specific reasons to an authorized investigation. Removes FISA orders from specific industries to any industries. Enables FBI “national security letters” to compel disclosure.

Conflict across borders arises when we examine the purpose and scope of both the Canadian PIPEDA legislation and the USA PATRIOT Act. In short, PIPEDA protects individual privacy and ensures authorized access to information; the USA PATRIOT Act protects national security and ensures unbridled access to information.

It's the potential application of the USA PATRIOT Act that exacerbates the cross-border commerce issue as it relates to records. Under the USA PATRIOT Act, FISA (through court) could order a US located corporation to produce records held in Canada that are under the US corporation's control. FISA orders are issued in secret. FBI National Security Letters can compel financial institutions, phone companies and internet service providers to disclose information about their customers. Conclusion: we're all affected, regardless of border.

In addition to this legislative outreach, it's safe to assume that every business and every individual within a business is subject to fraud and invasion.

How does a vendor know if its business is potentially subject to cross-border information transfer? If the vendor operates in the following business areas:

outsourced data entry service
e-shipping of documents across borders
industry sectors subject to merger, acquisition, sale
media vaults and physical storage
shredding services.

What can a vendor do to demonstrate due diligence in addressing potential privacy conflicts? Implement a privacy program within the vendor business itself. Daily practice of privacy principles within business will keep a vendor aware and alert as new conflicts in the international arena of privacy arise.

The first step is to understand the scope of personal information which a vendor has an obligation to protect.

Personal information is defined in the Canadian PIPEDA legislation as: “Personal information” means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.” The “does not” exclusion is often referred to as “business card information”.

A rule-of-thumb method to determine when personal information requires safeguard against unauthorized disclosure is to use the “2 pieces” method – two pieces of information used together could identify an individual beyond consent.

Personal information resides in the following records types. It's a non-exhaustive list:

accounting, financial, investment, tax
human resource records such as employee files, benefits
insurance records
medical files
real estate and land contracts
Legal files.

The next step is to understand the intended outcomes of protection of privacy. In the destruction industry, a client fulfills its own obligation for privacy protection by contracting vendor services to perform adequate legal destruction. The law prohibits the unauthorized viewing of confidential records, even if the information is not used for any harmful purpose. During the destruction process, employees of a destruction firm may view personal information while it is being destroyed. That's part of the contracted service. However, if an employee uses the information for an unauthorized purpose, both the employee and the vendor may be liable for breach of privacy.

How can a vendor proceed with implementation of a simple privacy program within its own business? Begin by conducting a privacy assessment of its current business operations.

Table 2 – Privacy Assessment

Assessment Category / Criterion	Action to Prepare
Privacy Policy / Legal Awareness Is the business unit aware of its obligations under privacy legislation? Is the business unit aware of its legal obligations as they affect the collection, use, disclosure, protection and destruction of personal information within business records? Is the business unit aware of its legal obligations as they affect information disclosed to 3 rd party outsourced business functions? Is the business unit aware of its internal process for handling privacy questions and complaints?	Understand the jurisdiction within which the business unit operates. Then, review the scope / exemptions of legislation. Understand the definition of personal information – traceable to an employee, customer, client, shareholder…then answer the following questions: collection - what, why, current, accurate use – statement of purpose, each field – if not ‘reasonable', may require individual's consent; or, do NOT collect disclosure – to whom, when, how protection - who has access; physical and electronic protection systematic destruction Business unit is responsible. Must ensure outsource party is informed. A privacy officer may be required.
Records Creation What personal information does the business unit collect? Why does the business unit collect this information?	Take a detailed inventory, including record names, media (paper, electronic), location, who has access, etc. Requires a statement of purpose for each data field collected.
Records Maintenance How is the personal information stored and secured? Who has access to the personal information? Are specific and special media requirements satisfied? Is the custodian of particular records specified and known? Are safeguards against improper destruction in place?	Capture this information during the detailed inventory.
Records Disposition How long is the personal information retained? Are procedures in place for disclosure of records relative to investigations? Is the personal information destroyed when it is no longer useful? How (what method) is personal information destroyed?	Check your Classification and Retention Schedule for initial guidance. If there is a legal requirement to keep information, follow this rule. Where there is no legal requirement, recommend an appropriate rule to update the schedule.

Next, a vendor should understand how to implement protection or safeguards in its current business operations:

Ensure records are stored securely.
Limit access by staff on a “need to act” basis
Develop procedures for storage, retention and destruction that comply with the intent of privacy laws
Provide privacy and security training and awareness education for vendor employees.

Review your current client contracts with a “privacy perspective” to identify where the client's information is subject to purchase and sale, where client information contains personal information, and the geographic location of the client's information. Implement a periodic review of client contracts to ensure the client understands how the vendor is helping them meet their privacy obligations. Implement a process of notification if a privacy breach occurs, including swift contact with law enforcement.

Develop a statement of vendor privacy practices and post it for public consumption. It may read along these lines: On behalf of our partners, associates and staff, we assure you that we treat all information in our custody with the utmost care in order to respect the confidentiality of our clients' interests. We do not sell, trade, barter or exchange for consideration any personal information in our custody.

The challenge to address privacy requirements and understand potential conflicts in cross-border commerce remains an opportunity for the vendor community. Outcomes from the following actions will influence client awareness and compliance:

Go beyond mere compliance; demonstrate ethical behaviour.
Educate partners, associates and staff.
Develop standard client contract clauses regarding privacy issues.
Publish a privacy policy.
Implement due diligence in operating procedures. Test and update regularly.

Privacy is valued by society. We care about our personal information – its accuracy and our right to amend it; protection from identity theft; protection from unauthorized access and disclosure.

Everyone has a record and is recorded. Physically, check your wallet. Electronically, view your Internet “cookies”.