Privacy and outsourcing for federal institutions
There is nothing in Privacy Act—the law that covers the personal information-handling practices of federal government departments and agencies—that prevents the outsourcing of data processing.
The Act came into force more than 30 years ago and was not designed for the current digital age that allows for the rapid and easy movement of information around the globe. Our Office has repeatedly asked for provisions around the international transfer of personal data to be subject to a more rigorous legal regime.
The Treasury Board of Canada Secretariat (TBS) has developed guidance documents related to outsourcing for federal organizations.
It is important to note that TBS requires all federal departments and agencies to prepare and publish Privacy Impact Assessments (PIA) for any new or substantially modified programs or activities that use personal information for making decisions that directly affect individuals. Therefore, if an institution were to consider outsourcing some of its functions, it may prepare a PIA that describes the impact on the personal information of Canadians and submit it to the OPC before it implemented the program or service. Our Office would then determine whether the PIA required our review and if so we might provide comments and recommendations to the institution.
For more information:
Treasury Board Secretariat Links
Guidance on Preparing Information Sharing Agreements Involving Personal Information
Guidance Document: Taking Privacy into Account Before Making Contracting Decisions
Directive on Privacy Impact Assessment
Privacy Act Findings
RCMP and private polling firm safeguarded data on gun licensees
Outside psychologist’s notes still “under control of” RCMP
Departments accountable for information collected under contract
Other Resources
Privacy Commissioner expresses support for government's new strategy to deal with trans-border flows of personal information
- Date modified: