Announcement

August 4, 2020

OPC releases results of investigation into complaint about outsourcing of bank’s fraud claim processing

The Office of the Privacy Commissioner of Canada (OPC) has published its findings in an investigation into a complaint about a bank’s decision to outsource the processing of fraud claims to a third-party service provider in India.

The investigation found TD Canada Trust had provided appropriate information to customers about transfers of personal information. As well, the bank took steps to ensure a comparable level of protection for personal information after it was transferred. For example, it put in place a contract requiring comprehensive security measures and conducted regular audits to ensure compliance with those requirements.

The investigation ultimately concluded TD Canada Trust had met its requirements under Canada’s federal private sector privacy law.

The investigation also addressed issues related to transfers for processing, which was the subject of a recent OPC stakeholder consultation.

As the OPC has previously noted, there are shortcomings in how the Personal Information Protection and Electronic Documents Act (PIPEDA) addresses global data flows.

Such transfers can create significant benefits for consumers and organizations. However, these transfers create inherent risks for privacy that must be addressed through robust legal protections. In our view, existing privacy protections are clearly insufficient and we will be making recommendations to strengthen the protections in a future law.

The TD Canada Trust investigation also highlights several good practices for other organizations that transfer personal information to third parties for processing. The bank adopted a number of measures aimed at reducing the risk to its customers’ personal information. These included:

• Undertaking risk assessments to identify and mitigate potential privacy risks associated with engaging the service provider, prior to signing a contract and then incorporating those findings into the contract.
• Requiring the service provider to control its work environment to prevent copying or sharing information about TD Canada Trust customers or employees.
• Strictly limiting the service provider’s access to, and use of personal information through a contract and robust safeguards.
• Proactively monitoring the service provider’s safeguards and practices to ensure contractual compliance, including via regular audits by an independent auditor. Any issues were to be monitored by the auditor to ensure they were addressed.

More detailed information can be found in the investigation Report of Findings.