Call Centres’ Recordings Stored Outside Canada?
A private correspondent has suggested to me that call centres that record incoming calls ‘for quality assurance purposes’ often store the recordings offshore, including in the US. The correspondent wondered if there was any concern that the information in the calls might therefore be subject to investigation or copying by US law enforcement under the PATRIOT Act.
Both the Canadian and the Ontario Privacy Commissioners have commented on allegations of special risk of having personal information in the US because of that statute. Neither have supported the concerns. A recent summary of the discussion is found in the Ontario IPC’s decision PC 12-39 concerning the Ministry of Natural Resources at pages 5 – 6.
Essentially both commissioners say that there is no more risk of PI finding its way into the ‘wrong’ hands under that Act than under the equivalent Canadian legislation, and the exchange of information across the border by law enforcement agencies is routine.
They also cite privacy experts David Fraser and Michael Geist to the same effect.
Other privacy complaints based on storing PI in the US have failed in the past, in Ontario and British Columbia and probably elsewhere.
Anyone in Canada subject to privacy laws must ensure that third-party recipients (sub-contractors) of that information comply with restrictions equivalent to those in force in the home jurisdiction.
But the fact that the information may be subject to discovery by law enforcement officials is not a reason not to store it in the US. (I do not know if all foreign storage would be as acceptable. Views?)
Does that sound right to you?
Is there any obligation to inform people that their PI will be stored in the US, or otherwise outside of Canada? If so, should it be part of the recorded message (‘this call may be recorded for quality assurance purposes. The recording will be stored in the country with the cheapest bandwidth’)?
I would think so… In Nova Scotia (in 2006) regulatory measures were adopted in response to privacy concerns raised by the USA Patriot Act. These measures are intended to protect the privacy of individuals whose information may be the subject of a disclosure to a foreign jurisdiction. Among other things, the additional restrictions and requirements cover storage of personal information outside of Canada, and access to such information outside of Canada. In this connection, Nova Scotia’s Personal Information International Disclosure Protection Act (PIIDPA) also impacts on private sector organizations and employers who contract with a public body to provide services involving personal information transferred or made available to them by that public body.
So Nova Scotia seems to have panicked despite senior privacy commissioners and practitioners had concluded that the PATRIOT Act concern was much ado about not very much. From the sound of the NS Act, it resulted from public sector unions being concerned about outsourcing data processing (which is what the unsuccessful complaints in BC and ON were about.)
Was it jumping the gun… I am not sure… The USA Patriot has expanded U.S. government surveillance powers, raising privacy concerns well beyond America’s borders. In Canada, these concerns centre on the possibility that personal data entrusted to U.S.-based service providers (and other entities), or even their Canadian affiliates, may be subject to the Act’s production orders. I think it is important that Canadian businesses consider whether these issues might affect them. Having legislation in place such as the one in Nova Scotia is preemtive and in our best interest, instead of reactive.
Read what the Privacy Commissioners have said about it: no more risk under the PATRIOT Act than under Canadian law, and lots of exchange of info across the border, in both directions. Michael Geist points out that the US had similar powers for years before the PATRIOT Act was passed. David Fraser was in McLean’s last week saying concerns about the Act were exaggerated. None of the people saying this are wimps in protecting privacy, au contraire.
The position of Messrs. Fraser, Geist, and the Privacy Commissioner of Ontario might be summarized neatly here: http://blog.privacylawyer.ca/2012/09/ontario-information-privacy.html. As I understand it, they’re saying that there’s no greater risk to storing your data in the US than in Canada because the PATRIOT Act doesn’t really add anything significant to the ability of the US government to obtain your data, even were it stored in Canada — thanks to Canadian laws and international agreements currently operative. But are they saying as well that this is a comfy or desirable situation?
I realize that the issue has legs in large measure because it involves the United States’ government, about which there may be strong feelings. But foreign powers aside, there remains the overarching issue, surely, of government intrusion, particularly warrantless intrusion.
The US Department of Homeland Security seems to disagree.
They publicly claim that they do not require a warrant for non-US citizens, but instead can have unrestricted access to my information without any involvement by a court.
It’s not obvious if this is a true statement, but they certainly seem to believe it (;-))
–dave