Language selection


Privacy and outsourcing for businesses

January 2014

The Personal Information Protection and Electronic Documents Act (PIPEDA)—Canada’s federal private-sector privacy law – requires organizations to take privacy consideration into account when considering outsourcing to another organization.

There is nothing in PIPEDA that prevents organizations from outsourcing the processing of data.

However, regardless of where information is being processed—whether in Canada or in a foreign country—organizations subject to PIPEDA must take all reasonable steps to protect that information from unauthorized uses and disclosures while it is in the hands of the third-party processor.

Organizations must also be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times.

Organizations need to make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. They must do this in clear and understandable language. Ideally they should do it at the time the information is collected. Once an informed individual has chosen to do business with a particular company, they do not have an additional right to refuse to have their information transferred.

When personal information is in the hands of a third-party service provider operating on foreign soil, it is subject to the laws of that country and no contract can override that. This could mean, for instance, that the organization may be obliged to respond to a subpoena or other mechanism that would give law enforcement officials access to personal information.

For more information:


Guidelines for Processing Personal Data Across Borders


Interpretation Bulletin - Accountability

Cloud Computing

News Release: Privacy commissioners call on small- and medium-sized businesses to look before they leap into the cloud

Guidance: Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations

Introduction to Cloud Computing

Reaching for the Cloud(s): Privacy Issues related to Cloud Computing

Report on the 2010 Office of the Privacy Commissioner of Canada's Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing

Other Documents

What Canadians Can Do to Protect Their Personal Information Transferred Across Borders

PIPEDA Findings

Complaint under PIPEDA against Accusearch Inc., doing business as

Bank’s notification to customers triggers PATRIOT Act concerns

Responsibility of Canadian financial institutions in SWIFT’s disclosure of personal information to US authorities considered

Outsourcing of e-mail services to U.S.-based firm raises questions for subscribers

Credit card information printed on paper airline tickets not a proper safeguard; transfer of personal information to travel wholesaler questioned

Canadian-based company shares customer personal information with U.S. parent

Airline agrees to amend privacy policy

Bank accused of non-consensual disclosure to debtor’s employer

Date modified: