Privacy and Outsourcing (Public Sector)
There is nothing in Privacy Act—the law that covers the personal information-handling practices of federal government departments and agencies—that prevents the outsourcing of data processing.
The Act came into force more than 30 years ago and was not designed for the current digital age that allows for the rapid and easy movement of information around the globe. Our Office has repeatedly asked for provisions around the international transfer of personal data to be subject to a more rigorous legal regime.
The Treasury Board of Canada Secretariat (TBS) has developed guidance documents related to outsourcing for federal organizations.
It is important to note that TBS requires all federal departments and agencies to prepare and publish Privacy Impact Assessments (PIA) for any new or substantially modified programs or activities that use personal information for making decisions that directly affect individuals. Therefore, if an institution were to consider outsourcing some of its functions, it may prepare a PIA that describes the impact on the personal information of Canadians and submit it to the OPC before it implemented the program or service. Our Office would then determine whether the PIA required our review and if so we might provide comments and recommendations to the institution.
For more information:
Treasury Board Secretariat Links
Privacy Act Findings