INTERNET LAW - Data Protection Law in Philippines’ Business Process Outsourcing Industry


Martha L. Arias, IBLS Director.
Wednesday, March 07, 2007

Offshore Business Process Outsourcing ("BPO") is a growing industry in Eastern European and Asian countries. Typical BPO services include customer and support call centers, payroll, and medical transcription centers. The Philippines ranked second to India in business process outsourcing for the year 2005, producing $1 billion in revenue through BPO contracts (compared to $800 million in 2004). The Philippines' BPO industry is particularly interesting for United States ("US") businesses due to its strong English-speaking ability, available and capable workforce, IT infrastructure, and cultural skills to interact with US citizens and other Western cultures (including Spanish speakers). Yet, is the Philippines ready for data protection in the offshore outsourcing industry?

In 2006, the Government of the Philippines recognized the significance of data protection laws for its profitable and growing BPO industry and issued 'Administrative Order 8', which contains the Guidelines for the Protection of Personal Data in Information and Telecommunication System in the Private Sector ("Guideline 8"). The objectives of Guideline 8 are to encourage and support private entities in adopting personal data protection policies, and to provide rules for data protection certifiers in the Philippines. BPO entities must comply with Guideline 8's principles and rules, including lawful access, the confidentiality obligation, and security.

Some of the principles for the protection of personal data require that personal data be: (i) collected for specified and legitimate purposes determined before collecting the personal data, and processed in compliance with those purposes; (ii) processed accurately, fairly and lawfully; (iii) accurate and, when appropriate, up to date, with inaccurate or incomplete data corrected, supplemented or destroyed; (iv) identical, adequate and according to the purposes for which it is collected and processed; (v) kept in a form that allows identification of the data subject, and for no longer than is necessary for the purposes for which it was collected and processed.

This Philippine administrative order allows the processing of personal data under four conditions only: when the data subject has unambiguously authorized it; when the processing results from a contractual obligation of the data subject; when the processing is 'vitally important' to protect the data subject, including life and health; and when the data controller is required to process personal data in compliance with his/her lawful obligations, and only to the extent authorized by the parties.

Lawful access, the confidentiality obligation, and security are just a few of the obligations imposed by Guideline 8, and BPOs must follow them as well. The lawful access rule says, "[a]ccess to personal data in an information or communications system shall only be authorized in favor of the individual or entity having a legal right to the possession or the use of the file and solely for the authorized purpose.  It shall not be made available to any person or party without the consent of the individual or entity in lawful possession, or in the absence of court order." This is a very useful customer protection rule that indirectly prohibits selling personal data to unauthorized parties and outside the data collection purpose.

Section 7 of Guideline 8 establishes the confidentiality principle. Under this principle, any person who gets access to personal data in an information or communication system, pursuant to powers conferred under E-commerce law, 'shall not convey or share the same with any other person.' This confidentiality rule will have an important impact on the Philippines' Medical Transcription BPO market. The Philippines is a major player in offshore Medical Transcription services, and confidentiality is paramount in the medical field.

Section 8 of Guideline 8 addresses the security of data. In the Philippines, data controllers must implement organizational and technical means to assure protection of personal data from destruction, alteration or disclosure. If data controllers use the services of data processors, the controllers must assure that the processors follow the organizational and technical protection means established by the company, and must provide the processors with specific instructions on processing personal data. This security rule also imposes on data processors and on the data controller's employees a confidentiality duty that continues even after the employment is terminated.

  

