
INTRODUCTION:

DATA PROTECTION - means the right of a person to know which data is gathered about
him or her, how the data is used, aggregated and protected, and where the data is transmitted.
Anyone can have access to that data and modify it, but in all cases the person has to give
his/her consent for that data to be used by another person, government or entity.

As recognized by Article 8 in the Charter of Fundamental Rights of the European
Union: Protection of personal data: Everyone has the right to the protection of
personal data concerning him or her. Such data must be processed fairly for
specified purposes and on the basis of the consent of the person concerned or
some other legitimate basis laid down by law. Everyone has the right to access to
the data which has been collected concerning him or her and the right to have it
certified.
Data protection is a fundamental right and should be granted and protected as
any other fundamental rights. Many people are not aware that the information
concerning their person is protected which leads to many abuses from authorities,
internet providers, online businesses and many others.

DEFINITION OF TERMS:

BACK OFFICE EXAMPLES: Handling documents such as health insurance, SSS,
GSIS, Pag-Ibig, etc.; tax preparation and filing services; accounting functions such
as bookkeeping, accounts payable and accounts receivable services; Call Centers.

FRONT OFFICE EXAMPLES: Marketing: Sending out product samples, customer
satisfaction and product acceptance surveys, design and creation of brochures,
booklets and catalogs. Tech Support: Help desk or customer support center,
telemarketing campaigns aimed at generating orders.

ADVANTAGES OF OUTSOURCING:
- Outsourcing non-core business processes helps the company focus on and
  strengthen its core business process.
- Reduced cost. It can lower the cost of operation and labor, which makes it
  attractive.
- Swiftness and Expertise: Most tasks are outsourced to vendors who
  specialize in their field. Since the outsourced vendors also have
  specific equipment and technical expertise, tasks can be completed
  faster and with better quality output than the outsourcing organization.

DISADVANTAGES OF OUTSOURCING:
- Risk of exposing confidential data: When an organization outsources
  HR, payroll and recruitment services, it involves a risk of exposing
  confidential company information to a third party.
- Losing management control of business functions. You may no longer
  control operations and deliverables of activities that you outsource.
- Lack of customer focus and quality control. Since an outsourced vendor
  can cater to different businesses, they might not give 100% time and
  attention to a certain company, which may result in delays and
  inaccuracies in the work output.

SECURITY COMPONENTS: BPO providers today have the responsibility of not just protecting
their own internal information but also that of their customers.
1. INTEGRITY: the assurance that information can only be accessed or modified by
those authorized to do so. Measures taken to ensure integrity are:
   - Making servers accessible only to network administrators
   - Keeping transmission media covered and protected to ensure
     that they cannot be tapped
   - Restricting access to data such as passwords, keycards,
     biometrics, etc.
   - Creating disaster recovery plans for occurrences such as power
     outages, server failure and virus attacks
2. AVAILABILITY: ensuring that authorized parties are able to access the information
when needed. Information only has value if the right people can access it at the right
times. Inaccessible data can be very costly. This can be due to computer viruses,
power outages or natural disasters. Measures taken to ensure availability are:
   - Back-up. Having an off-site location ready to restore services if
     anything happens to the primary data centers will heavily
     reduce downtime.
   - Maintaining hardware. Performing hardware repairs immediately
     when needed and keeping up with system updates.
   - Maintaining a disaster recovery plan.

3. CONFIDENTIALITY: protecting information from disclosure to unauthorized parties.
Measures taken to ensure confidentiality are:
   - Encryption. Encryption ensures that only the right people (who
     know the key) can read the information.
   - Enforcing file permissions and access control lists to restrict
     access to sensitive information.
   - Authorized persons should have their own user IDs and
     passwords or have biometric verification.

SECURITY POLICY FRAMEWORK:

- Intended to help employees determine what information can be disclosed to
  non-employees, as well as the relative sensitivity of information that should
  not be disclosed outside of the company without proper authorization.
- Security policies should cover not only the physical security of computers and
  other devices but also the security of networks and servers, since these can
  be a way for hackers and viruses to gain access to important information or
  data.
- Visible participation and action, ongoing communication and championing,
  and placing information security high on their agenda. Executives must
  serve as role models in placing a high priority on information security and
  in setting the stage for an organization's approach to implementing a
  program and setting expectations for improved security performance.
- Routinely assess vulnerabilities. Assessments should be done by a security
  specialist. Routinely check all computer systems and network devices to
  ensure that they all have the latest updates. Establish a security training
  program for both IT staff and end users. Weaknesses and vulnerabilities must
  be resolved. Post security banners to remind employees of their
  responsibilities and restrictions, along with the list of punishments if
  violated.
- Be aware of where back-ups are maintained, who can access them and the
  procedures for data restoration and system recovery. Regularly verify
  back-ups and media by selectively restoring data.
- Duties, responsibilities and restrictions of each employee should be
  properly communicated. Passwords or keycards should be secured by each
  employee and not shared with others.
- Have a Computer Security Incident Response Team (CSIRT) to deal with
  security incidents. (Duties include: monitoring systems for security
  breaches, documenting security incidents, testing systems and networks for
  vulnerabilities, promoting security awareness within the company.)

SECURITY REQUIREMENTS OF BPO VENDORS:

- Many security breaches come from within an organization, so the fewer the people
  with access to internal information of the system, the better.
- A rigorous procedure should be in place for granting and revoking rights of access,
  and granting privileges should be recorded and made available to both client and
  BPO partner.
- Develop difficult passwords.
- Data backup and disaster recovery plans, CSIRT and know actions to be taken in case
  of a breach.
- Have security policies be audited by external professional organizations to assess
  effectiveness of security controls and to detect vulnerabilities.
- Train employees to integrate the cultures of BPO. May include language training to
  reduce communication barriers, training on laws and customs of the BPO buyer, training
  on management and leadership, etc.

SECURITY REQUIREMENTS OF BPO BUYERS:

- Example: ISO/IEC 27002. A comprehensive information security standard. Includes
  security policies for management which provide management direction and support
  and other security policies discussed above. (Personnel Security Management and
  Asset Management)
- To track processes such as development of software code and authenticity of a
  telephone call.
- To ensure reliable communication and network security. (Firewall: to block
  unauthorized access while permitting outward communication. Data encryption or
  cipher text: to read an encrypted file, one must have access to a secret key or
  password.)

- Observe behavior of employees. Vigilant security behavior such as showing
  awareness of one's surroundings or engaging with strangers is very hostile. Review
  log-ins and log-outs of employees and track websites that they visit on their computers.
  If possible, phones should not be allowed inside the company, or provide employees with
  company phones just to keep watch over them. Implement strong security policies and
  remind employees of them by posting banners/posters.

SECURITY ISSUES BPOs MAY FACE:

- Virtual Private Network: a method of employing encryption to provide secure access
  to a remote computer over the internet. It allows you to connect to a private network,
  usually the company's internal network. It uses encryption and other security means
  to ensure that only authorized users can access the network and that the data cannot
  be intercepted. Examples: Can be specialized software to be installed, or Secure
  Sockets Layer, which allows the user to connect to the private network through the
  web browser.
- Strong anti-virus programs and procedures should be implemented. Although a virus
  may not steal information, it may corrupt the database or server itself, leading to data
  loss.

SOLUTION:

- Almost all security breaches happen due to people. Machines today are not
  intelligent enough to originate fraud. So have a good screening mechanism while
  recruiting people. HR may be burdened by this, but any laxity in checking the credentials
  of a candidate may become more expensive for the company. Have background
  checks, interview previous employers, etc.
- Educate customers/clients to not give out their private information easily. Provide them
  with security policies on what type of information may be given out
  through phone or email. Any questions asked beyond the security policies should not
  be entertained.
- A loophole: an inadequacy or ambiguity in a system which can be used to circumvent
  or otherwise avoid the intent, implied or explicitly stated, of the system. It allows an
  individual or group to use some gap in the restrictions or requirements of the law or
  contract for personal advantage without technically breaking the law or contract. In
  response, lawmakers and regulators work to pass reforms that will close the
  loophole. Loopholes exist because it is impossible to foresee every circumstance or
  course of conduct that will arise under, or in response to, the law. Loopholes often
  endure for a time because they can be difficult to close. Those who benefit from a
  loophole will lobby legislators or regulators to leave the loophole open.
