Under the Personal Information Protection and Electronic Documents Act (PIPEDA), there is nothing that prevents organizations from outsourcing the processing of data inside or outside of Canada—however, organizations must take all reasonable steps to protect that information from unauthorized uses and disclosures when it is in the hands of third party processors. This is where accountability, the first principle in PIPEDA, comes in; and there are obligations to meet regarding training staff that are highly relevant.
What is accountability under the Principle 1? Accountability means that an organization is responsible for personal information under its control and must designate an individual or individuals who are accountable for the organization’s compliance with a set of principles.
The first principle is that accountability rests with the designated individual(s), even though other individuals within the organization may be responsible for the day–to–day collection and processing of personal information. However, other individuals within the organization may be delegated to act on behalf of the designated individual(s). Also, the identity of the individual(s) designated by the organization to oversee the organization’s compliance with the principles must be made known upon request.
The organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. Organizations have a large responsibility—they must use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
To accomplish this goal, organizations must implement policies and practices to give effect to the principles, including: implementing procedures to protect personal information; establishing procedures to receive and respond to complaints and inquiries; training staff and communicating to staff information about the organization’s policies and practices; and developing information to explain the organization’s policies and procedures.
The Privacy Commissioner provides a guideline on this principle. Generally speaking, courts ensure that organizations are held accountable for their failure to comply with the obligations under Principle 1. Most interestingly, organizations can be held accountable for the wrongful actions of their employees contrary to Principle 1, especially where the employee trying to cover up the wrongful conduct.
In regards to third-party service providers, organizations are recommended to use contracts or other means (such as non–contractual oversight and auditing mechanisms) when using third–party service providers to ensure a comparable level of protection of personal information. These organizations need to have guarantees of confidentiality and security of personal information and allow for oversight, monitoring, and auditing of the services being provided. However, even with a contract in place, organizations can still violate Principle 1 if they cannot confirm what happens to personal information after it is provided to a third party service provider.
Things that can become even more complicated when there is a subcontractor—organizations must address third–party providers and any subcontractors in any contracts attempting to ensure a comparable level of protection of personal information.
That said, it is important to note that if there is cross–border outsourcing between a parent and an affiliate company, a separate contract between the two organizations is not necessary, and the main requirement is that both companies adhere to the same level of data protection.
How do organizations deal with this issue practically when they know they will be transferring information outside of Canada? The Privacy Commissioner recommends that, at the time of information collection, organizations use clear and understandable language to explain that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction.
Is important to note that personal information under the control of third-party service providers in other countries is subject to the laws of that country (for example responding to a subpoena in that country), regardless of any contract to the contrary.
In fact, the Office of the Privacy Commissioner has created guidelines explaining how PIPEDA applies to transfers of personal information to a third party (including to a third party outside of Canada) for processing.
The guidelines refer to the first principle in Schedule 1 of PIPEDA, and elaborate on terms such as “transfer”, “processing”, and “comparable level of protection”. This is because organizations are expected to ensure a comparable level of protection when there is a transfer of information for processing.
The guidelines state that a “transfer” is a use by the organization—when an organization transfers personal information for processing, it can only be used for the purposes for which the information was originally collected. “Processing” means any use of the information by the third party processor for a purpose for which the transferring organization can use it. A “comparable level of protection” requires that the third party processor must provide protection that can be compared to the level of protection the personal information would have received had it not been transferred.
Again, it is important for organizations understand that they must take all reasonable steps to protect the information from unauthorized uses and disclosures while in the hands of the third party processor, typically via a contract and other means where appropriate. Organizations must be satisfied that the third party has policies and procedures in place and sufficiently trains staff to ensure that the information is properly safeguarded.