The Office of the Privacy Commissioner of Canada has released a decision that clears up some uncertainty surrounding outsourcing in view of Canada’s federal privacy statute, the Personal Information Protection and Electronic Documents Act (PIPEDA). Canadian businesses may outsource the processing of their customer’s personal information to U.S. firms without contravening PIPEDA, even when that information is subject to disclosure to U.S. authorities under the PATRIOT Act1 without the knowledge or consent of the customer. Indeed, in some cases the PATRIOT Act prohibits disclosure of the fact that personal information has been disclosed to U.S. authorities. But the Privacy Commissioner’s decision will only be of comfort when the outsourcing agreement contains sufficient confidentiality and security provisions, and appropriate notice is given to affected customers.
The decision followed the Privacy Commissioner’s investigation arising from complaints by customers of a major Canadian bank. Since 1994, the bank had outsourced the processing of its customers’ personal information to a U.S. service provider. The confidentiality and security provisions of the outsourcing agreement had been approved by Canada’s federal banking regulator, the Office of the Superintendent of Financial Institutions (OSFI). The bank sent a notice to its Visa customers advising them of this outsourcing arrangement and that the information could be accessed by U.S. authorities under U.S. laws. After receiving the notice, several customers of the bank complained to the Privacy Commissioner about the outsourcing. One of the primary complaints the Privacy Commissioner received was that the bank had denied customers’ requests to opt out of the outsourcing arrangement.
The Privacy Commissioner concluded that the outsourcing arrangement did not offend PIPEDA because the confidentiality and security provisions contained in the bank’s outsourcing agreement satisfied the requirement to provide a comparable level of protection of customers’ personal information while in the service provider’s custody.
This decision is significant for several reasons. It includes a clear statement from the Privacy Commissioner that outsourcing the processing of personal information to a foreign service provider is not, per se, prohibited by PIPEDA. Further, the Privacy Commissioner expressed the view that it is possible to create an outsourcing agreement that complies with the requirements of PIPEDA, even though a Canadian company could not prevent, by contract or otherwise, U.S. authorities from gaining access to personal information held by a U.S.-based service provider.
This decision also applies and reinforces the Privacy Commissioner’s earlier comments that a company outsourcing the processing of Canadians’ personal information to the United States should, at a minimum, notify individuals that their information may be available to U.S. authorities under U.S. law. While this has become a best and prudent practice, this decision confirms the Privacy Commissioner’s view that PIPEDA, effectively, requires this practice. Finally, noting that the bank’s privacy brochure states that personal information may be disclosed without consent to a third party for processing, the Privacy Commissioner repeated her position that if a service provider’s services are directly related to the primary purposes for which the personal information was collected, companies need not provide customers with the choice to opt out. The fact that the service provider is in the United States does not change this.
Guidance for Outsourcing Arrangements with U.S.-based Service Providers
This decision offers insight into the Privacy Commissioner’s position on outsourcing to foreign-based service providers, and guidance on how to do so in accordance with PIPEDA. Given this decision, companies intending to outsource information processing to U.S.-based firms should (i) inform customers of that fact, and that the personal information may be accessible to U.S. authorities in accordance with U.S. law; and (ii) ensure that the outsourcing agreement includes adequate privacy provisions, such as
- maintaining the confidentiality of the personal information;
- safeguarding the information, including measures to protect the security of the data from unauthorized use, modification or access;
- anticipating threats or risks to the information’s security or integrity;
- restricting the service provider’s ability to use and disclose the personal information processed, other than as required to provide the contracted services; and
- creating a right of access, inspection, monitoring and audit for the transferring party.
A Note of Caution
OSFI’s prior approval of the outsourcing arrangement clearly influenced the Privacy Commissioner’s finding that the agreement provided sufficient protection for the personal information in the service provider’s custody. The extent to which the Privacy Commissioner would regard similar outsourcing arrangements that were not subject to the rigorous OSFI approval process as meeting PIPEDA’s requirements has yet to be explored. It is clear, however, that the sufficiency of the terms and conditions in the outsourcing agreement relating to privacy protection is a critical factor in effecting an outsourcing arrangement that meets the requirements of PIPEDA.
1. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT Act) Act of 2001.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.