Bank ensures openness and comparable protection for personal information transferred to third party

PIPEDA Findings #2020-001

August 4, 2020

---

Description

A former employee of TD Canada Trust (TD) complained that TD had outsourced aspects of its fraud claims processing services to a third party service provider in India without getting customers’ consent or offering the choice to opt out. We found that TD is not required to obtain additional consent for this activity and that it was appropriately open to current and potential customers about its oursourcing. We also found that TD remained accountable for the personal information of its clients through a strong contract and monitoring approach.

Complaint under the Personal Information Protection and Electronic Documents Act (the Act)

Overview

The Complainant, a former employee of the TD Fraud Claims Department, became aware through her employment that TD had outsourced aspects of its fraud claims processing activities to a third-party service provider in India. She submitted a complaint to our Office alleging that TD did not obtain consent for, or allow customers to opt-out of, the transfer of personal information to a service provider in a foreign jurisdiction. The Complainant further alleged that TD had not been sufficiently open with respect to this practice. Finally, our Office also investigated whether TD was being accountable, by ensuring that its third-party processor provided a level of protection of personal information comparable to that required under PIPEDA.

First, we found that the third-party service provider was using TD customers’ information to manage fraud claims for TD, a purpose for which TD had originally collected the information. Noting that TD’s consent for the use of customers’ information for fraud claims management was not at issue in this complaint, in our view, TD was not required to obtain separate consent for, or to provide customers the choice to opt out of, the transfer of customers’ personal information to the third-party service provider for that same purpose.

Secondly, in our view, TD was sufficiently open about this transfer for processing. TD provides customers with information pertaining to its transfers of personal information, including to service providers in other jurisdictions, in account opening agreements. It also makes this information available through its various privacy resources, in bank branches and on its website.

Finally, we found that TD had been accountable with respect to the information it transferred to the third party in question, ensuring a comparable level of protection for that information via a robust contract as well as other methods, including regular audits to ensure compliance with contractual requirements.

We therefore found each of the matters we investigated to be not well-founded.

Complaint

1. The Complainant alleged that TD Canada Trust (“TD”) was outsourcing and transferring personal information to a third party service provider located in India for the processing of fraud claims without the customer’s knowledge and consent. More specifically, the Complainant alleged that TD:
   1. did not allow customers to opt-out of this activity; and
   2. was not being open about its outsourcing practices in relation to fraud claims processing.
2. Given that the allegations relate to the transfer of personal information across borders, our Office also investigated whether TD was being accountable with respect to outsourcing certain services, by ensuring that its third-party processor provided a level of protection that was comparable to that required under the Personal Information Protection and Electronic Documents Act (“PIPEDA”, or the “Act”).

Background

3. The Complainant is a former employee of the TD Fraud Claims Department.
4. In 2013, TD entered into a contractual relationship with a service provider (“service provider” or “provider”) to assist its fraud claims investigation team. The service provider is a large multinational IT service and consultancy firm that offers numerous products and services. In the circumstances of this case, the service provider has employees located in India.
5. The service provider performs specific functions to support TD’s Canadian fraud investigation team. These functions relate to the processing of transaction disputes relating to debit fraud, Visa debit non-fraud (merchant disputes), and credit card fraud claims. The functions that the service provider performs include, but are not limited to, preparing customer dispute forms and other supporting documents for TD to send to cardholders, issuing temporary/provisional credit on transactions approved as fraud claims and investigated for recovery, and adjudicating customer disputes.
6. While the service provider performs other services for TD, the scope of our investigation was limited to only those services relating to fraud claims processing for Canadian clients.
7. At the outset, we note that this complaint focused on TD’s general practices around the use of a third party service provider in a foreign jurisdiction to process personal information. The Office of the Privacy Commissioner of Canada (“OPC”) has no evidence of any breaches of security safeguards relating to TD’s outsourcing of fraud claims processing activities, nor has the Complainant alleged that the service provider is failing to meet the privacy and security obligations set out under its contract with TD.

Analysis

8. Our analysis of this matter was informed by our Office’s Guidelines for processing personal data across borders^{Footnote 1} (the “Guidelines”).
9. These Guidelines note that PIPEDA does not prohibit organizations from transferring personal information to an organization in another jurisdiction for processing.
10. That said, organizations remain accountable for the protection of personal information under any outsourcing arrangement. Principle 4.1.3 of PIPEDA states the following:

    An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

11. As a preliminary matter, TD has asserted that it does not “transfer” customer personal information to the service provider in India. Rather, TD says that the service provider has only limited remote access to personal information stored in Canada via a secure TD-managed portal.
12. We accept TD’s submissions that the personal information in question is not being stored on servers in India. However, TD acknowledges in its submissions that personal information is accessed and processed by the employees of a service provider located in India to carry out specific tasks on behalf of TD. In our view, therefore, TD does “transfer” personal information to a third party for processing within the meaning of Principle 4.1.3 of PIPEDA such that it remains accountable for that customer information.
13. In this case, we specifically considered:
    1. Consent: if TD was required to obtain consent for, or allow customers to opt-out of, the transfer of personal information for the processing in question;
    2. Openness: if TD was sufficiently open with respect to its transfer of personal information to a third party service provider in a foreign jurisdiction for processing; and
    3. Accountability: if TD ensured a comparable level of protection while personal information was being processed by the service provider.

ISSUE 1: Consent

14. In our view, and for the reasons that follow, TD does not require additional consent for its transfer of customers’ personal information to the service provider for purposes of fraud claims management. Nor is TD required to provide its customers with the choice to opt out of this transfer.
15. Principle 4.3 of Schedule 1 of the Act states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
16. As described in our Office’s Guidelines, when an organization transfers personal information to a third party for processing, the third party can only use the personal information for the purposes for which the information was originally collected. If the information is being used for a purpose for which it was originally collected, additional consent for the transfer is not required.^{Footnote 2}
17. The Complainant did not question whether TD itself could collect and use personal information for the purpose of investigating and resolving fraud claims. The Complainant instead takes issue with TD’s practice of transferring personal information to a third-party service provider in a foreign jurisdiction for processing, rather than TD processing the personal information in question in Canada.
18. While the Complaint did not question TD’s initial collection of personal information, we nevertheless examined the purposes that TD identifies when it obtains consent at the outset of the customer relationship in order to determine whether the service provider was using information for the same purpose, such that additional consent for the transfer of personal information would not be required.
19. TD submitted to our Office that it obtains consent to use customer information for the processing of fraud claims via its account opening agreements, which include the TD Privacy Terms (the TD Privacy Agreement^{Footnote 3} and TD Privacy Code^{Footnote 4}). These documents identify a number of purposes for which customers’ information is collected.
20. TD submitted that all of its account opening agreements contain substantially similar descriptions of the purposes for which customers’ personal information is collected, used, and disclosed. For example:
    1. Within the TD Privacy Agreement, the ‘Collecting and Using Your Information’ section identifies that:

       We will limit the collection and use of Information to what we require in order to serve you as our customer and to administer our business, including to: […] help protect you and us against fraud and error…^{Footnote 5} [Emphasis added.]

    2. TD’s Cardholder and Electronic Financial Services Terms and Conditions identifies in section 30, ‘Consent to the Collection, Use and/or Disclosure of Your Information,’ that:

       You agree that, at the time you request to begin a relationship with us and during the course of our relationship, we may share your Information with our world-wide affiliates, and collect, use and disclose your Information as described in the Privacy Agreement on td.com, including for, but not limited to, the purposes of […] protecting us both from fraud and error…^{Footnote 6} [Emphasis added.]

21. TD submitted to our Office that the personal information it transfers to the service provider is used only to fulfill specific tasks relating to processing fraud-related claims – in other words, for the same purpose for which TD collects the information. The supporting documentation provided by TD, including its contract and Statement of Work with the service provider, is consistent with this assertion. We further note that the Complainant did not allege that the service provider was using personal information for any purposes other than supporting TD’s fraud-related activities.
22. Considering that the service provider uses personal information provided by TD for the same purpose as that identified for the purpose identified to customers when TD obtains consent for its collection and use of customers’ information, we are of the view TD is not required to obtain separate consent for the transfer of customer information to the service provider.
23. The Complainant also complained that customers could not opt out of the transfer of their information to India for fraud claims purposes.
24. We note that our Guidelines explain that “once an informed individual has chosen to do business with a particular company, they do not have an additional right to refuse to have their information transferred.”
25. It is our view that TD is not obligated under PIPEDA to allow its customers to opt-out of the transfer at issue in this investigation.
26. Accordingly, we find this aspect of the complaint, with respect to Principle 4.3 of Schedule 1 of the Act, to be not well-founded.

ISSUE 2: Openness

27. In our view, TD is sufficiently open about its transfers of personal information for processing.
28. Principle 4.8 of the Act requires that organizations make readily available specific information regarding how they manage personal information.
29. Our Office’s Guidelines say that individuals should expect transparency on the part of organizations when it comes to transfers to foreign jurisdictions, including acknowledging that no contract can override the criminal, national security or other laws of a country to which information has been transferred. The Guidelines provide that:

    Organizations need to make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. They must do this in clear and understandable language. Ideally they should do it at the time the information is collected. [Emphasis in original.]

30. TD submits that it provides information to customers up-front, in its account opening agreements and the TD Privacy Code, that it may transfer personal information to third parties for processing in other jurisdictions, and that that personal information may be subject to disclosures pursuant to the laws of foreign jurisdictions.
31. For example, the TD Privacy Code includes the following statements:
    1. the ‘When we release your information’ section identifies that:

       …we may release your information to parties outside TD in certain circumstances, which include -
       […]
       We give a limited amount of information, only as necessary, to our suppliers and agents […] who provide goods and services to you, through us. These suppliers and agents may be located in Canada or other jurisdictions or countries and may disclose information in response to valid demands or requests from governments, regulators, courts and law enforcement authorities in those jurisdictions or countries.^{Footnote 7}

    2. the ‘Why we share your information’ section also identifies that:

       Your information may be shared, stored or accessed in Canada or other jurisdictions or countries. Your information may be disclosed in response to valid demands or requests from governments, regulators, courts and law enforcement authorities in those jurisdictions or countries.^{Footnote 8}

32. Within the TD Privacy Agreement, the ‘Disclosing your information’ section also identifies that:

    We may disclose Information […] to suppliers, agents and other organizations that perform services for you or for us or on our behalf.^{Footnote 9}

    TD says that although the subject matter of this complaint – the outsourcing arrangement – did not involve a “disclosure” of personal information, this language is nevertheless indicative of TD’s efforts to ensure that customers understand how their personal information may be accessed by service providers.
33. The ‘Privacy Highlights’ webpage includes the following statements under ‘Uses’:

    We may release your information to parties outside TDBG [TD Banking Group], such as regulators, and our suppliers and agents who assist us in serving you and who may be located in Canada or other jurisdictions or countries and may disclose information in response to valid demands or requests.^{Footnote 10}

34. Individuals receive information regarding TD’s privacy practices as part of their account opening agreement. In cases where customers cannot review the full Privacy Terms at the time that they apply for a TD product, such as where an individual applies by telephone, TD submitted that it provides an oral summary and later sends the full privacy agreement to the customer with other account documentation. We also note that individuals can access TD privacy documentation in person at a TD branch, or through the TD website at any time.
35. For example, an individual that wishes to access the TD Privacy Code^{Footnote 11}, TD Privacy Highlights^{Footnote 12}, or other resources that are available on the ‘Our privacy commitments’ webpage^{Footnote 13} can navigate to these pages in the following manner:
    1. from the TD ‘Personal Banking’ main page^{Footnote 14} or other TD webpage such as ‘Investor Relations’^{Footnote 15} or ‘Careers’^{Footnote 16}, navigate to the bottom of the page and select the ‘Privacy and Security’ link in the bottom banner;
    2. from the ‘Privacy and Security’ page^{Footnote 17}, navigate to the ‘Privacy Practices’ heading and select the ‘View our privacy commitments’ link at the end of the section; and,
    3. from the ‘Our privacy commitments’ page^{Footnote 18}, select the ‘TD Privacy Highlights’, ‘TD Privacy Code’, or other TD privacy resources available on the webpage.
36. In her submissions, the Complainant pointed to the example of the TD First Class Travel Visa Infinite Cardholder Agreement and Benefit Coverages Guide.^{Footnote 19} We have reviewed this agreement and note that it contains substantially similar language^{Footnote 20} to that relied on by TD, as described above.
37. In our view, TD makes readily available, and quite prominent, clear and understandable information regarding its transfers of personal information to third-party service providers, including in foreign jurisdictions, for processing.
38. Further, these notices acknowledge that customers’ information may be disclosed in response to lawful demands by authorities within the jurisdictions where information is being processed.^{Footnote 21}
39. We therefore find this aspect of the matter, with respect to Principle 4.8 of Schedule 1 of the Act, to be not well-founded.

ISSUE 3: Accountability

40. In our view, TD has, via contractual and various other means, provided a level of protection comparable to that required under the Act, for customers’ personal information being processed by the third-party service provider for fraud claims management purposes.
41. As noted above, PIPEDA does not prohibit organizations from transferring personal information to an organization in another jurisdiction for processing. However, PIPEDA does establish rules governing transfers for processing.
42. Under Principle 4.1.3, an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
43. Importantly, the wording of Principle 4.1.3 makes it clear that TD remains accountable for personal information, even if it chooses to use a third-party service provider for processing.
44. Though the Complainant did not raise explicitly the issue of accountability in her complaint, we deemed it appropriate to examine this issue during the course of our investigation given its close relationship to the issue at hand and its importance in protecting individuals’ privacy in outsourcing arrangements. This was particularly so considering that the information TD transfers to the third party includes personal information that can be sensitive, such as financial transaction history and associated details.
45. The Guidelines note that the primary means by which organizations protect personal information in the hands of third-party processors is through contract. Robust contracts are especially important when the third-party processor is located in a foreign jurisdiction and may not itself be subject to PIPEDA.
46. TD has asserted that, through its contract with the service provider, and other safeguarding measures, it has established a comprehensive set of privacy and security-related practices that provide a comparable level of protection for customers’ personal information while the service provider in India is processing it.
47. Pursuant to that contract, the service provider is obligated to comply with Canadian privacy laws. This clause would not, on its own be sufficient to ensure a comparable level of protection. Thus, we closely reviewed TD’s contract with the service provider, as well as the supporting documentation that TD provided our Office to demonstrate how it confirms that the service provider is meeting contractual requirements on an ongoing basis.
48. According to the OPC Guidelines, a “comparable level of protection” within the meaning of Principle 4.1.3 means that the third-party processor must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred. While that does not mean that the protections must be the same across the board, it does mean that they should be generally equivalent.
49. Organizations should be able to demonstrate that they have addressed the PIPEDA principles that are applicable within the context of their processing arrangements with third-party service providers, which will depend on, among other things, the nature of the services provided.
50. In this case, the service provider has only remote access to a limited amount of customer personal information via a TD-managed portal. Employees of the service provider do not interact directly with TD customers, nor do they use information other than what is made accessible by TD.
51. Given the limited nature of the service provider’s access to, and use of, personal information in these circumstances, our Office focused its analysis of “comparable level of protection” for the purposes of Principle 4.1.3 on whether TD’s contract limited collection (Principle 4.4); limited use, disclosure, and retention (Principle 4.5); and appropriately safeguarded its customers’ personal information (Principle 4.7).
52. Our Office’s assessment of privacy protections surrounding transfers to third-party service providers will depend on the facts of each case and the nature of the services being provided. In a different situation, greater emphasis may be placed on different principles under Schedule 1 of PIPEDA.
53. Principle 4.7.1 provides in part that safeguards shall protect personal information against unauthorized use and disclosure. In considering TD’s level of protection while information is being processed by the third party service provider, we note that its safeguards are also the primary mechanism by which it ensures that customers’ personal information is protected in a manner consistent with Principles 4.4 and 4.5.
54. More specifically, we note that the contract provides that the service provider receives access to only the personal information it requires to fulfill specific tasks on behalf of TD, which is stored and maintained in Canada (i.e., it does not otherwise collect any personal information for this purpose). The contract prohibits, and associated safeguards prevent, the service provider from using or disclosing the personal information it accesses for any purposes other than those set out under the contract, and from retaining any personal information in India.
55. In assessing the adequacy of TD’s safeguards, we note that the level of protection of personal information should be commensurate with its sensitivity, per Principle 4.7.2. TD represented to our Office that service provider employees have access to financial information and details of customers’ fraud claims, which we note can be sensitive, meaning that a higher level of safeguards would be required to ensure protection of the personal information accessed by the service provider.
56. Principle 4.7.3 provides further that the methods of protection should include physical, organizational, and technological safeguards. Below, we provide a summary and a non-exhaustive list of examples of the various methods by which TD provides comparable protection for customer information transferred to the service provider in question. The contractual and other measures implemented by TD can be broadly characterized as:
    1. Risk assessment prior to entering into the contract,
    2. Employee background assessment and monitoring,
    3. Employee policies and training,
    4. Work environment controls,
    5. Access and other cybersecurity controls, and
    6. Proactive monitoring and enforcement of contractual obligations.

Risk assessment prior to entering into the contract

57. TD engaged in a number of risk assessment activities to identify and mitigate the potential privacy risks associated with engaging the service provider prior to signing a contract. These activities included:
    1. following a proprietary risk management process that included a review of the Office of the Superintendent of Financial Institutions (“OSFI”) Guideline, Outsourcing of Business Activities, Functions and Processes,^{Footnote 22} as well as the OPC’s Guidelines for Processing Data Across Borders;
    2. completing an internal privacy impact assessment;
    3. obtaining legal advice on the privacy and information security obligations imposed under Indian law, including India’s Information Technology Act 2000^{Footnote 23}; and,
    4. incorporating the findings of these risk assessment activities in the contract with the service provider.
58. We reviewed portions of these risk assessment activities as part of our analysis of TD’s representations, including the internal privacy impact assessment. We did not review the legal advice that TD received prior to signing a contract with the service provider as TD claimed solicitor-client privilege over this advice.

Employee background assessment and monitoring

59. TD included a number of requirements relating to employee background verification and monitoring within the contract. The service provider is required to:
    1. conduct criminal and other background verification for all current and prospective employees including annual re-verification; and,
    2. remove access to TD systems and information for any service provider employees that fail any aspect of background verification.

Employee policies and training

60. The contract requires the service provider to:
    1. develop and maintain policies and procedures for employees to prohibit copying of TD customer personal information, to ensure that no TD information is stored outside of Canada;
    2. develop and maintain policies and procedures for physical security management;
    3. Provide specified training according to TD accreditation requirements to all employees, including regular refresher training; and,
    4. comply with TD’s Information Security practices.

Work environment controls

61. The service provider is required within the contract to control the work environment to prevent employees from storing, copying, downloading, recording, printing, distributing, caching, or maintaining TD information through physical and organizational methods that include:
    1. prohibiting employees from bringing electronic devices, such as mobile devices, removable storage devices, and printers, or writing instruments into the physical workspace (also known as having a ‘clean room’ environment);
    2. requiring the ‘clean room’ to have a physical ceiling and no windows through which the contents, including information, contained in the room may be viewed or identified;
    3. engaging in physical monitoring of the service provider work environment, including through the use of security guards, visual inspections of employees entering the production environment for restricted material, and CCTV cameras; and,
    4. implementing paperless processes.

Access and other cybersecurity-related controls

62. TD represented that it supplies all hardware and software to the service provider, and that it has implemented numerous measures to protect against unauthorized access to information, including:
    1. providing access to the TD environment and information through a remote web-based gateway platform, with all TD information stored and maintained within Canada;
    2. structuring databases that hold TD information to contain only information required for a specific task or business process, and incorporating a role-based access permissions model that limits employee access to only the databases that they require to perform specific tasks;
    3. ensuring that only computers that are physically located within the service provider’s ‘clean room’ environment, as described in paragraph 61, are able to access the TD environment;
    4. implementing two-factor authentication to access the TD environment;
    5. ensuring that service provider employees’ access is limited to visual access on their computer screens and to only the information required to perform their assigned tasks;
    6. partially masking certain sensitive personal information such as a SIN or date of birth, such that employees can only see a portion of those numbers on their computer screen;
    7. limiting activities that service provider employees can conduct – such as restricting access to unauthorized URLs and portions of the external web, allowing emails within the TD environment to be sent only to other email addresses in the TD domain, and disabling any print, cut, copy, screenshot, or similar capabilities;
    8. requiring the service provider to engage in electronic monitoring of employee activities, including through the use of computer access monitoring and audit logs;
    9. requiring the service provider to maintain a formal program to ensure malicious software protection is in place; and
    10. requiring the service provider to perform industry standard security and intrusion testing, including attack and penetration testing, at least annually.
63. In addition, the contract requires the service provider to comply with TD security requirements, which include compliance with industry standards. Specifically, TD provided evidence that the service provider was ISO-27001:2013 certified, and TD verified the service provider’s compliance with those standards via certification by an independent third party. The service provider was initially certified against this standard in 2006 and most recently provided proof to TD of valid certification for the period of June 2019 to March 2021.

Proactive monitoring and enforcement of contractual obligations

64. The contract allows TD to proactively monitor and audit the service provider to ensure contractual compliance.
65. TD engages in monitoring activities including:
    1. regular audits by an independent auditor of the service provider’s practices including, but not limited to, security and access monitoring;
    2. requiring any issues identified during the course of any audit to be monitored by an independent auditor;
    3. requiring the service provider to obtain sign-off by the independent auditor to confirm that all remedial actions have been effective; and
    4. requiring the service provider to attest annually that it meets all contractual obligations.
66. TD provided our Office with several examples of previous audits to illustrate this proactive monitoring process, including cases where deficiencies were identified and corrective measures applied to resolve these deficiencies.
67. We note that the contract contains provisions to address non-compliance with contractual obligations, up to and including a termination clause.
68. We are satisfied that these measures provide TD with the ability to effectively identify and resolve instances of non-compliance with contractual obligations.
69. In our view, TD’s technological controls, coupled with the terms of its contract with the service provider and associated monitoring and enforcement of those contractual provisions do provide a level of protection comparable to that which would be required under PIPEDA if the information was processed by TD, in particular, under Principles 4.4, 4.5 and 4.7, which are most relevant in the context of this case. As a result, we are satisfied that TD has met the requirements of PIPEDA’s accountability principle.
70. We therefore find this aspect of the complaint, with respect to Principle 4.1.3. of the Act, to be not well-founded.

Conclusion

71. Accordingly, we conclude that the matter is not well-founded.