Consider privacy implications when outsourcing functions to a third party

June 27, 2019

Office of the Privacy Commissioner of Canada Privacy Alerts are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector. We encourage you to share this information with colleagues.

Issue:

Contracting out programs or services can raise certain risks for privacy. It’s important to consider the privacy implications carefully when contemplating outsourcing and when developing a contract with a third party.

There is nothing in the Privacy Act that prevents outsourcing. That being said, even if a federal institution employs a private-sector service provider to take over certain functions, it cannot contract out of its Privacy Act responsibilities.

In addition to the Privacy Act, institutions must follow relevant Treasury Board Secretariat (TBS) policies, directives and guidelines.

Advice for institutions:

• Before outsourcing a function, thoroughly consider whether there may be any privacy implications. Federal institutions must develop Privacy Impact Assessments (PIA) for any new or substantially modified programs or activities that use personal information for making decisions that directly affect individuals. Therefore, if an institution were to consider outsourcing some of its functions, it may prepare a PIA that describes the impact on the personal information of Canadians. Institutions must also develop PIAs when contracting out or transferring a program or activities to another level of government or the private sector results in substantial modifications to the program or activities.
• If you contract out a function to a third party, the terms of the contract, including obligations related to protecting personal information, should be spelled out in a written agreement. This agreement should include measures to ensure the institution's ability to audit compliance of the contractor's management of the information collected.
• Federal government institutions are accountable for information collected under contract with outside suppliers. In drafting contracts, institutions should include the following provisions:
  • define ownership of the information – that is, all information collected as part of the contract belongs to the contracting department or agency and should be turned over to it at contract end;
  • recognize individuals' rights of access to their personal information collected during the contract;
  • restrict further uses of the personal data;
  • protect the information against unauthorized disclosure; and
  • establish retention and disposal criteria.
• Protected B, Protected C and classified Government of Canada electronic data must be stored on approved servers in Canada or within the premises of a Government of Canada department abroad as per the TBS Direction for Electronic Data Residency. If outsourcing certain functions, ensure the company’s data storage practices are in line with your obligations.

For more information:

• Privacy and Outsourcing for Federal Institutions
• Directive on Privacy Practices
• Policy on Privacy Protection
• Taking Privacy into Account Before Making Contracting Decisions
• Policy on Government Security
• Direction for Electronic Data Residency
• Directive on Privacy Impact Assessment

Sign up for future Privacy Alerts by subscribing to our RSS feed. Privacy alerts are also posted on our website.