India assuages outsourcing fears with Data Protection Bill

Firms will soon be finding it easier and safer to outsource their legal work to India with the nation's first Data Protection Bill slated to come into force within the next 12 months.

The Indian government has joined forces with members of the county's IT industry to develop a two-pronged approach to enforcing security and bolstering its business process outsourcing (BPO) industry through the introduction of the bill and the establishment of the Data Security Council (DSC).

Fox Mandal head of technology Rodney Ryder says: "The DSC will be a self-regulating initiative and will house representatives from top global companies, while the bill is the government-led initiative."

Som Mandal, managing partner at the firm, which also has a stake in legal practice outsourcing (LPO) company Legal Circle, adds that he expects the bill to boost India's LPO market.

The DSC will include representation from a team of 15 experts, including those from high-profile companies such as Citibank, Google and Yahoo!. Indian global trade body the National Association of Software and Service Companies (Nasscom) is spearheading the drive.

The trade group has recruited three of India's top lawyers to the DSC's advisory panel. Head of information, communications and entertainment at Nishith Desai Associates Vaibhav Parikh and eBay India head of legal Deepak Jacob have been appointed alongside Ryder to work on setting standards for the council and to provide advice. Ryder has also put in a proposal for foreign lawyers with data protection expertise to be invited on to the panel.

Firms currently outsourcing their legal work to India, such as Clifford Chance, which has just set up its support service facility in Delhi, and Allen & Overy, who has been outsourcing similar work to Chennai since 2003, have been forced to establish their own piecemeal contracts to ensure data security. Other firms, such as Berwin Leighton Paisner, have been reviewing options on outsourcing.

The firm's head of outsourcing Mark Lewis says that data protection will not affect the decision to outsource to India. "It will depend on the quality of work, staff implications and our clients," he says. "India has managed perfectly well without a data protection law. The only difference will be firms won't have to jump through hoops."

The introduction and implementation of the two directives are thus expected to reduce this contractual barrier to entry that has been posing a threat to India's BPO industry, which is expected to generate $13.8bn (£6.81bn) this year.

"A large number of issues need to be carefully addressed and included in an outsourcing agreement," explains Ryder, who is currently working on the draft bill.

He says the common terms in these contracts include a valid and consistent privacy policy and a 'Personal Data Privacy Compliance Manual', which identifies the duty of confidentiality and liability of the organisation in case of a breach. Firms also draft an employment handbook, which provides for all details regarding the use of personal information and photographs.

The dedicated data protection legislation is expected to give the industry some much-needed consumer confidence following recent high-profile data leaks.

Notable data security breaches include the sale of information from an HSBC call centre that was used to defraud £233,000 from customer accounts. Other banks that have experienced security violations due to Indian outsourcing entities include Capital One and Citibank.

Indian LPO entities affirm that the absence of data protection and privacy laws has been creating obstacles specifically for Indian companies that deal with the EU, as opposed to the US, as the EU Data Protection Directive requires a high level of protection. In fact, the directive requires companies not to transfer data to countries that do not offer an adequate level of protection.

Ryder explains: "As of now, India Inc relies solely on individual contracts negotiated between the European company and the Indian service provider to address data protection issues."

India's protection for its BPO and IT industries currently falls under the Information Technology Act 2000, which includes some data protection provisions, but does not define personal data.

The Data Protection Bill, which is expected to be similar to the EU directive, was announced in January 2006 and is currently being drafted, while the DSC has just moved into its new Delhi office, with two full-time employees ready for action.