Managing Privacy with Third Parties

By: Constantine Karbaliotis
Many companies utilize third parties in the handling and processing of personal information. This can range from marketing campaigns, to handling mail and fulfilment, to outsourcing of data processing. And most companies address the issue of personal information as a sub-set of that catch-all term, ‘confidential information.’

But is the standard approach enough? Confidentiality is not the same as privacy. A third party may keep the information confidential – but the privacy of your customers may not be protected if they:

Utilize the information for its own purposes
Move the information to a jurisdiction that has less legal protections
Share the information with others
Cannot retrieve it when it is required, allow errors to affect the accuracy of the information, or cannot delete it when requested.
The ultimate failure of course, is to simply fail to keep the personal information secure, which can then be compounded by a failure to recognize or act appropriately in the event of a breach.

Analyzing and assessing the risk of third parties will increasingly become an issue for companies handling personal information. The Massachusetts Data Protection law, due to come into effect January 1, 2010, puts specific obligations on companies to ensure their vendors are complying with security expectations. Increasingly the European Data Protection Authorities will be turning their attention to ‘onward transfers’, which arise from outsourcing.

Contract terms to address privacy and security are increasingly important to address and mitigate these risks, but strong contract language is by itself not enough. Certainly, while contract terms can help to address liability, they cannot by themselves show due diligence in the protection of personal information. It is arguable that many companies are setting themselves up through their contracts for a successful law suit – for instance, by requiring audits of third parties in contracts, but never actually asking for the audit results, or reviewing them.

In fact, an effective information strategy around procurement should start with much more basic questions:

Should this task be outsourced at all – can we do this internally? Outsourcing may not yield the savings that it initially offers, if one factors in the need to obtain audits and conduct verification activities, and in fact, may be entirely offset by the lack of legal protection for your customers’ data in the jurisdiction in which the third party operates.
Can we minimize the number of parties with whom we share our data, i.e. an existing supplier who has already passed our security and privacy reviews? Companies need to look at the sheer number of vendors with which they share data, as a risk in and of itself – the more parties you deal with, the greater the risk that one of them will fail.
Does all this information need to be shared -can we anonymize it, or provide only a subset, for the third party to fulfil its task?
How do we ensure that the third party is putting appropriate security around this data – and do we know all the forms of data that they collect from our customers? If the suppliers do not have mature security and privacy programs – a common problem with smaller suppliers – then it is questionable whether any sensitive information should be shared.
How do we verify that the third party is honouring its obligations – an independent audit? Our own audit or risk assessment? Spot audits?
It is critical to remember that while your company can outsource a task, it cannot outsource a liability. Privacy is the obligation of the company under whose name the data is collected, and the problems of your suppliers and outsourcing partners, become your own.

Constantine Karbaliotis is a privacy leader and strategist. He is currently an Information Privacy Lead at Symantec Corporation.