Without going into details, we've done a fair few jobs involving UK systems with BPO (Business Process Outsourcing) to India as well as other countries and in pretty much every case we were able to smuggle Personally Identifiable Information (PII) out of the remote estate or access things that shouldn't be accessed.
I should note that this is not something against Indians; most of the time it was due to the problems of working across two security boundaries and the lack of acceptance of the problems and realities of doing so, combined with what were effectively unrealistic promises and a complete lack of understanding of the two cultures, their gaps and their overlaps.
To put it another way, any system where data is held in a trusted environment A but accessed from a partially trusted environment B depends on the security of both A and B. Environment A is fully trusted; environment B is not, and sometimes for good reason. The problem arises when, instead of proper controls, a bizarre form of security theatre takes hold, and gaps start appearing all over environment B that would otherwise be considered acceptable in environment A.
It is not realistic to securely manage information with a strong trust requirement in an untrusted environment on a permanent basis. It is even less realistic to do so on the basis of contractual obligation alone, as an alternative to routine checks and balances.
I now add to my list of reasons NOT to outsource overseas (time zone, language, culture, currency, work ethic, lag, import/export restrictions) this new item: data security standards.
Er, right.