This week, the OPC released guidelines for processing personal data across borders. These guidelines explain how the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the transfer of personal information to a third party outside of Canada for processing.
Canadian businesses may choose to work with a third party outside of Canada to process data for a number of reasons, such as the ability to provide better customer service, a lack of capacity to process data in house, cost savings, or other considerations.
Examples can include a company hiring an overseas contractor to process data related to a customer loyalty program, or to provide customer service and support around the clock.
Some online companies operate in a virtual environment, buying computing services and product logistics services from suppliers around the world. This naturally means their corporate data will be transferred across one or more international borders.
In today’s world of integrated markets, the transfer of data from one country to another is more common than ever – and that data may very well contain personal information. It is precisely for that reason the Office has decided to release these guidelines.
So how is an organization who transfers data across borders responsible for your personal information? Well to begin, PIPEDA makes the organization responsible for protecting the personal information under its control.
Moreover, it requires an organization to use contractual or other means to “provide a comparable level of protection while the information is being processed by the third party.”
Organizations also need to make it plain to their customers that their personal information may be processed in another country. In order to be transparent, they need to advise individuals that it could be accessible to law enforcement authorities of that country – in clear and understandable language.
Basically – even if a Canadian organization transfers personal information to a third party for processing – they are responsible for safeguarding that information.
As an individual Canadian citizen, a small business owner or a business executive, It is always a good idea to review an organization’s practices to see what they are doing with your personal information. If in doubt don’t hesitate to ask them – we all have a right to know how our personal information is being used!