Privacy and Outsourcing (Private Sector)
The Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law, requires organizations to take privacy considerations into account when considering outsourcing to another organization.
There is nothing in PIPEDA that prevents organizations from outsourcing the processing of data.
However, regardless of where information is being processed—whether in Canada or in a foreign country—organizations subject to PIPEDA must take all reasonable steps to protect that information from unauthorized uses and disclosures while it is in the hands of the third-party processor.
Organizations must also be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times.
Organizations need to make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. They must do this in clear and understandable language. Ideally, they should do it at the time the information is collected. Once an informed individual has chosen to do business with a particular company, they do not have an additional right to refuse to have their information transferred.
When personal information is in the hands of a third-party service provider operating on foreign soil, it is subject to the laws of that country and no contract can override that. This could mean, for instance, that the organization may be obliged to respond to a subpoena or other mechanism that would give law enforcement officials access to personal information.