Outsourcing, a business practice that emerged in the post-WW2 boom decades, is today still evolving in form and function. Originating in 1950s and 60s, outsourcing’s first wave mostly involved a contractual agreement between two firms, located in the same city and time zone, with Firm A contracting Firm B to deliver a non-core function, such as legal services or payroll management. With the arrival of the Internet revolution, the next wave of outsourcing made its way up the beach of business, washing away geographic, language and time zone limitations. In the 1980s and 90s, offshore outsourcing took off. Firms on different continents contracted across a much wider range of business activities, including in vertical (such as a business unit) and horizontal (such as a business process) ones. Used across all sectors of the economy, outsourcing evangelists promise businesses everything from efficiency and quality improvements to profitability, innovation and greater consumer choice.
But within the sea of outsourcing, a perfect predator lurks – one that when ignored will readily sink its jaws into the vulnerable, fleshy shape of personal information handling. The decision to outsource is not only a business decision; it’s also a privacy decision. Outsourcing adds compliance complexities to a firm’s privacy program, particularly where the outsourced vendor accesses, and possibly even manages, personal information held by the firm.
Outsourcing does not absolve a firm of responsibility and accountability for privacy. The legislation is clear: you’re still on the hook. When the only instrument used to keep an outsourced vendor in check is a contract or service agreement, then don’t be surprised when a predatory shape appears in the water beneath you.
So, what’s wrong with only having a vendor contract?
Some entities fall into the trap of thinking only a watertight contract with a vendor is needed to meet your privacy compliance obligations. They assume that once the ink has dried on an outsourcing contract, privacy obligations can be ignored until contract renewal time. While an executed contract with your vendor is crucial, it is neither the first nor the sole instrument needed to manage your vendors.
Vendor management lifecycle
Vendor management is about managing your vendors throughout the lifecycle of their engagement with your entity, using a holistic, repeatable process.
Let’s briefly touch on key activities at each phase of the vendor management lifecycle.
Vendor selection – Who’s the fairest of them all?
Vendor management starts with vendor selection. You need to choose the most suitable vendor to competently fulfill your entity’s service needs, one that complies with privacy obligations proportionate to the personal information handling practices of the outsourced service. Assessing prospect vendors’ privacy programs is an essential, but often neglected, first step to choosing the right one.
Assess and benchmark prospective vendors by using a questionnaire or set of questions (in a request for quote or proposal) focused on the scope of the privacy protections for the outsourced service. Examples of questions to ask include:
- “How many notifiable data breaches has your organisation been responsible for over the preceding twelve months?”
- “How many dedicated privacy resources exist in your organisation?”
- “What privacy training do you offer to your staff?”
Asking a prospective vendor to submit evidence of their privacy programs and competences is also advisable.
Assign a score or weighting to each question. Some questions will be more important than others and should be weighted more.
Once prospect vendors have submitted their questionnaires, review their responses and any relevant evidence. Look critically at the artefacts submitted by a vendor for their privacy policy, privacy management plan, data breach response plan, privacy awareness training program, and the like.
In some instances, it may be necessary to undertake more stringent vendor assessment measures, such as conducting an audit or detailed assessment on the vendor’s privacy management system or reviewing a recent audit report (with emphasis on the word ‘recent’).
Conduct your own, independent research on prospect vendors, too. Tap into your networks, search online or scour publicly available resources, to look for information not ordinarily included in a vendor’s glossy brochure or RfP. Form your own view on each vendor’s privacy capacity.
Privacy assurance activities don’t typically occur in a vacuum. A firm’s security team are often asked to assess the vendor’s security systems, protocols and controls. Other compliance departments will undertake similar assessments, such as financial and insurance checks, reviews of other management systems, including services, quality, and workplace health and safety.
Vendor onboarding – Doin’ the dance
Once a suitable vendor is selected, and your contract folk and theirs start the dance of contract negotiations, it’s essential to check that the current privacy clauses in the contract are as comprehensive, but equally unambiguous, as possible.
Like me, you may have come across contract clauses that seem impossible to comprehend. Cryptic and / or ill-defined privacy clauses are a breeding ground for misinterpretation or compliance gaps.
Knowing what to include in a contract is just as important as removing ambiguity. Privacy clauses should reflect the scope of the personal information handling obligations of the outsourced service. Privacy obligations not applicable to the scope of the services should be culled. If, for example, a vendor will not be storing personal information on your behalf, then it is sloppy and unprofessional to include cookie-cutter storage obligations in your contract.
Privacy clauses should also be informed by the results of the first phase of the vendor management lifecycle, namely vendor selection. If your assessment unearthed a potential compliance gap or weakness in a vendor’s privacy program, fleshing out additional privacy provisions and controls in the contract clauses will help address the risk.
Once you’ve landed on the most appropriate, tailored privacy clauses for the vendor contract, it’s over to the contract teams to begin their dance.
Vendor monitoring – finger on the pulse
After the contract is signed and the outsourced service commenced, it’s too easy to assume your job as a Privacy Pro is done. Right?
Give me an H! Give me an E! Give me an L! Give me an L!
Give me an N! Give me an O!
Monitoring vendors and ensuring that they comply with their privacy provisions is arguably the most important activity in the vendor management lifecycle – and it also happens to be an ongoing task for the full duration of the vendor’s term of engagement.
Monitoring a vendor’s compliance can be as painless or painful as you want to make it.
A vendor might be asked to self-reports to you at a sensible cadence. Periodic completion of a privacy compliance self-attestation, where the vendor attests to continued compliance with their privacy obligations, can be used. Privacy SLAs fit nicely into the ‘less painful’ bucket of monitoring activities.
A higher bar of monitoring activities may include vendor privacy audits, or regularly measuring qualitative or quantitative privacy indicators for your vendor. These indicators should be defined and measured by you and your business stakeholders, and be specific to the scope of the outsourced services. Again, vendor monitoring shouldn’t happen in a vacuum, and Privacy Pros will be wise to slipstream into whatever ongoing monitoring activities your entity has perfected.
You do need to check the output of vendor monitoring activities. There is nothing to be gained in asking your vendor to submit a quarterly self-attestation, but then failing to allocate time to carefully review and analyse their responses. The purpose of monitoring your vendors is to look for early indicators of a potential larger problem, and to take swift and appropriate action at the first hint of an issue.
Know what steps you will take when a vendor begins to veer off track or falls foul of their privacy obligations. Will you implement a ‘one strike, you’re out’ policy? Will you use early intervention escalation pathways when a ‘green’ vendor begins to turn ‘amber’ or ‘red’?
All monitoring activities that require vendor input or engagement should be included in the vendor’s contract.
Vendor offboarding – adios, amigo
Before the vendor’s term of engagement ends, review the end-of-term provisions included in the contract. Is the vendor required to return all personal information at the end of their engagement, or destroy or de-identify it? What assurances do you need to be assured that the vendor has complied with their end-of-term obligations? And what evidence should you retain of same?
‘Rinse Repeat’ cycle – that was fun, let’s do it all again, folks!
When a vendor’s contract is ready to be renewed, take time to review the privacy provisions in their existing contract. Make sure clauses continue to be fit-for-purpose and reflect contemporary privacy provisions and obligations. Don’t be scared to add new privacy provisions to address niggles that came to light under the current term of engagement.
Privacy compliance
Interwoven throughout the vendor management lifecycle is adherence to privacy compliance obligations at each stage of the process. For example, both you and your vendor need to identify and implement reasonable steps to protect personal information from misuse, interference, and loss, and from unauthorised access, modification or disclosure. This is true when you onboard a new vendor, monitor their performance against their contractual obligations, and is still true when you offboard them. A lapse in security controls when a vendor returns personal information during the offboarding stage is not a misstep you want to make.
The OAIC’s Guide to securing Personal Information contains information on reasonable steps that an APP entity can take to protect personal information that it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure, when outsourcing any of its personal information handling to vendors.
Isn’t there a tool for this?
Undoubtedly, and possibly even more than one tool. I am certain that some of you reading this will @me with the names of your preferred end-to-end vendor management process tools and software solutions. I, however, am old-school in my approach to management system fundamentals. My philosophy is: if you haven’t got it working on paper (or whiteboard), there isn’t a tool around that will make it work properly, electronically.