Privacy and outsourcing for businesses
The Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law, requires organizations to take privacy considerations into account when considering outsourcing to another organization.
There is nothing in PIPEDA that prevents organizations from outsourcing the processing of data.
However, regardless of where information is being processed—whether in Canada or in a foreign country—organizations subject to PIPEDA must take all reasonable steps to protect that information from unauthorized uses and disclosures while it is in the hands of the third-party processor.
Organizations must also be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times.
Organizations need to make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. They must do this in clear and understandable language. Ideally they should do it at the time the information is collected. Once an informed individual has chosen to do business with a particular company, they do not have an additional right to refuse to have their information transferred.
When personal information is in the hands of a third-party service provider operating on foreign soil, it is subject to the laws of that country and no contract can override that. This could mean, for instance, that the organization may be obliged to respond to a subpoena or other mechanism that would give law enforcement officials access to personal information.
For more information:
Guidelines for Processing Personal Data Across Borders
Interpretation Bulletin - Accountability
News Release: Privacy commissioners call on small- and medium-sized businesses to look before they leap into the cloud
Guidance: Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations
Introduction to Cloud Computing
Reaching for the Cloud(s): Privacy Issues related to Cloud Computing
Report on the 2010 Office of the Privacy Commissioner of Canada's Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing
What Canadians Can Do to Protect Their Personal Information Transferred Across Borders
Complaint under PIPEDA against Accusearch Inc., doing business as Abika.com
Bank’s notification to customers triggers PATRIOT Act concerns
Responsibility of Canadian financial institutions in SWIFT’s disclosure of personal information to US authorities considered
Outsourcing of canada.com e-mail services to U.S.-based firm raises questions for subscribers
Credit card information printed on paper airline tickets not a proper safeguard; transfer of personal information to travel wholesaler questioned
Canadian-based company shares customer personal information with U.S. parent
Bank accused of non-consensual disclosure to debtor’s employer