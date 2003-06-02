India's Ministry of Information Technology and the country's main software trade association are drafting a data protection act designed to allay growing privacy concerns in the U.S. and Europe related to offshore outsourcing.

The legislation, expected to be enacted around the beginning of next year, would provide legal safeguards to ensure data privacy protection in India, said Kiran Karnik, president of the National Association of Software and Service Companies, known as Nasscom, in New Delhi.

The new rules are being drafted primarily to address the European Union's strict privacy requirements, Karnik said. EU laws prohibit companies from exporting data to or storing data in countries that lack privacy safeguards comparable to the EU's. "The EU has very stringent laws with regard to data privacy. We are trying to make sure we have a law that meets their minimum requirements," Karnik said.

At the same time, a tougher data privacy law in India stands to benefit U.S companies that have hired Indian firms to process jobs involving personal data.

"We see this as making it easier for us to do business there," said Karen Allen, vice president of risk management at Exult Inc., a business process outsourcer for Fortune 500 companies that last week opened a data center in Mumbai. The company is one in a growing number of U.S. corporations that process personal information on U.S. individuals at offshore locations. Such information often includes Social Security and driver's license numbers as well as confidential data such as individuals' employment or medical histories.

Currently there are no U.S. laws that prohibit that data from being shipped to or accessed from other countries. But companies are increasingly being required to comply with industry-specific and state laws such as the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act and California's pending SB 1386 identity-protection law. U.S. companies must comply with those laws regardless of where the data is processed or stored, legal experts said.

"There are no significant differences [in] a company's privacy obligations, [whether it's] conducting an offshore arrangement [or] a domestic one," said Christopher Ford, a partner at law firm Alston & Bird LLP in Washington.

Consequently, it's important for companies to consider a country's data privacy laws when contracting with offshore firms, said Greg Scheuman, chief technology officer at Mercury Insurance Group in Brea, Calif.

The need to comply with Gramm-Leach-Bliley and California's SB 1386, which goes into effect July 1, has made privacy standards at Mercury "very significantly different from even a year ago," Scheuman said. India's initiative is therefore a positive one for Mercury, which outsources some development and maintenance work there, he said.

Companies need to ascertain what measures an offshore service provider has taken to ensure data privacy, Scheuman added. That means reviewing the providers' data handling and access control policies, disaster recovery and business continuity processes, and employee screening practices, he said.

It also pays to familiarize employees in offshore locations with U.S. data privacy practices and laws, Allen said. Exult, for instance, has a data privacy certification program for offshore employees. The company also ensures that no confidential data is sent overseas. Instead, the data is hosted on U.S.-based systems and accessed in a closely monitored process. Systems that are used to access the data have some functions disabled to prevent unauthorized copying or downloading of the data, Allen said.

"The focus of a U.S.-based company should be to look closely at the terms of their contract with outsourcers and insist that terms be imposed for very strong control over personal information," said Donald Harris, president of HR Privacy Solutions Ltd., a New York-based identity management consultancy.