Originally published in Blakes Bulletin on Privacy and Outsourcing, July, 2007
Introduction
This is an age of global computer networks and international data flows. Breaches of data security and cases of identity theft frequently make headlines, and privacy protection is an increasingly pressing public policy concern. Canadian governments and their agencies have responded with policies, rulings and legislation. This article provides a current overview of them, as they particularly apply to outsourcing data processing.
Privacy protection laws in Canada are both federal and provincial. At the federal level, the Personal Information Protection and Electronic Documents Act (Canada) (PIPEDA) applies to the collection, use and disclosure of personal information in the private sector. However, PIPEDA exempts from its application organizations or activities in provinces that have privacy laws deemed to provide protections "substantially similar" to PIPEDA. To date, "substantial similarity" rulings have been made in favour of privacy acts in Québec, Alberta and British Columbia, and in respect of Ontario health privacy legislation. PIPEDA will, however, continue to apply to the inter-provincial and international collection, use and disclosure of personal information, and to federal undertakings (banks, railroads, telecommunications, etc.). This means that an inter-provincial and international outsourcing transaction may be subject to a whole patchwork of Canadian privacy laws.
Federal Regulation Of Outsourced Data Processing In The Private Sector
PIPEDA applies to every organization in respect of personal information that:
- the organization collects, uses or discloses in the course of commercial activities; or
- is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
As such, it potentially affects not only the outsourcing of customer data processing, but internal business processes as well.
PIPEDA requires consent for the collection, use or disclosure of personal information unless one of the exceptions in PIPEDA applies.
The most important exception in PIPEDA to the requirement for data subject consent to a disclosure for outsourcing purposes is Principle 4.1.3 of Schedule 1 to PIPEDA, which provides:
- an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
The Office of the Privacy Commissioner of Canada (Canadian Commissioner), has stated that no consent by the data subjects involved is required for a transfer under Principle 4.1.3, provided the processor only uses the personal information for the purpose that it is transferred and the requirements of Principle 4.1.3 are met. It perhaps bears note that only "processing" services qualify for an exemption under Principle 4.1.3. The term "processing" is undefined. It is worth noting that the ability to transfer data implied by Principle 4.1.3 is just that, an implication, and that it is a bit at odds with the more straightforward prohibitions in the statute itself.
Decisions of the Canadian Commissioner and other privacy commissioners in Canada could attenuate the implication of a blanket permission under Principle 4.1.3. Nor would it be surprising if a publicised problem with an international outsourcing arrangement could further limit such implied consent.
Guidance from the Federal Privacy Commissioner on the Meaning of Principle 4.1.3 for Outsourcing and Transborder Data Flows. In two recent Case Summaries released by the Canadian Commissioner, guidance is provided on the meaning of Principle 4.1.3 in respect of outsourcing and transborder data flows. The Canadian Commissioner’s Case Summaries are not binding precedents; they are findings for particular cases. Nonetheless, it is reasonable to treat them as useful guidelines for the future treatment of similar issues. They are available on the Privacy Commission’s Web site.
In Case Summary #313, the Canadian Commissioner received a number of complaints after a bank sent a notification to its VISA customers amending its credit cardholder agreement. The notification referred to the use of a service provider located in the U.S. and the possibility that U.S. law enforcement or regulatory agencies might be able to obtain access to cardholders’ personal information under U.S. law. Complainants primarily objected to the possible scrutiny of their personal information by U.S. authorities within the context of foreign intelligence gathering, in particular under the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act ("US Patriot Act").
In Case Summary #333, the Canadian Commissioner received complaints that a security system provider, a Canadian affiliate of a U.S.-based parent company, was using an inappropriate form of consent with respect to its practice of sharing customer personal information with its parent. The complainants also expressed concern about the possibility of their personal information being accessed under the US Patriot Act. The security systems company had advised its Canadian customers that it intended to share customer contact information with its U.S. parent company by routing incoming home security alarm signals through another monitoring centre in North America in the event of a catastrophe that overwhelmed Canadian monitoring. According to the company, the only personal information that would be shared would be information needed to provide monitoring and security services, such as the customers’ home or business addresses, a phone number and an emergency contact list. No financial credit information would be shared.
In dealing with both these complaints and dismissing them as "not well founded", the Assistant Privacy Commissioner of Canada (Assistant Commissioner) held that organizations can outsource to the U.S. (or other countries) provided the Canadian organization "at least" notifies its customers, depending on the sensitivity of the personal information, that their information may be stored or accessed outside of Canada and of the potential impact this may have on their privacy rights. The Assistant Commissioner also held that PIPEDA requires that a Canadian company should ensure that the foreign affiliate adheres to the same level of data protection as the Canadian company by "contractual or other means", and the Canadian company should be transparent about its personal information handling practices.
Points to Note Regarding Federal Regulation Under PIPEDA. Although the Assistant Commissioner held, in Case Summary #333, that an outsourcing transaction could occur without the need for a written agreement when the outsourcing is to the parent company, it is nonetheless prudent to enter into one to ensure that appropriate security safeguards are in place to protect the personal information and to maintain its integrity. The Assistant Commissioner interpreted the reference to "other means" under Principle 4.1.3 of PIPEDA (above), as requiring the outsourcing company and the processor to have the same levels of data protection. Although fact-specific, strategies approved by the Assistant Commissioner in Case Summary #333 are useful examples of acceptable practices. They included having in place a closed private network and a comprehensive strategy and techniques to safeguard the personal information of customers.
The Canadian Commissioner mentions in its PIPEDA Review Discussion Document of July 2006 that the following clauses could be included in a contract between an organization in Canada subject to PIPEDA and a service provider:
- allowing for the inspection and audit of the information management practices of the service provider abroad, including security practices and disposal procedures and how the company will enforce these practices and procedures;
- requiring the service provider to provide individuals with access to the personal information that it holds about them;
- prohibiting use and disclosure by the service provider, except as required by law;
- ensuring that enforcement of the contract takes place in a suitable jurisdiction; and
- calling for binding arbitration in accordance with international rules of arbitration.
The analysis used in the above Case Summaries in dealing with the transfer of personal information to the U.S. will likely apply in respect of outsourcing to other countries. Although the application of the US Patriot Act raises the potential of disclosure of personal information to U.S. government authorities, these concerns seem minor compared to concerns that could arise in other outsourcing jurisdictions in the developing world. Many of these jurisdictions do not have adequate privacy laws. Already, there have been several instances of breaches of privacy in India, in which employees of call or data centres have, without authorization, taken personal data and attempted to extort economic advantage. While these incidents are relatively known among the outsourcing community, they have not otherwise had a high profile in North America. However, the politics of outsourcing and its attendant shifts in labour market patterns are such that it is hardly inconceivable that a union would someday find it in its interest to better publicize them.
Risks of non-compliance with PIPEDA in an offshore outsourcing should be assessed by undertaking an investigation of whether a "comparable level of protection" exists under the laws of the foreign countries involved and addressing privacy risks by way of strong contractual terms. In addition, the off-shore outsourcing service providers should offer the highest levels of data security, including strict controls on printing, file copying, network access and physical plant access. No case has yet tested the adequacy of contractual protections in a foreign environment. It is perhaps not hard to envision a case in which an inadvertent data disclosure highlights both the inadequacy of the local privacy law as well as, in hindsight, of stipulated security measures in an outsourcing contract, with the result of a successful complaint under PIPEDA.
Neither PIPEDA, nor any Case Summary by the Canadian Commissioner, provides guidance on the required form and content of a notice that a company should provide if it intends to outsource personal information across Canada’s borders. It will be dictated by the circumstances surrounding the specific outsourcing transaction.
A related notice issue is whether there is a duty to notify affected individuals if a security breach of personal information occurs. Currently, with the exception of Ontario’s Health Information Protection Act (OHIPA), none of Canada’s data protection laws include a duty to notify. However, there is on-going discussion about whether PIPEDA and other provincial laws should be amended to include a duty to notify individuals affected after a security breach of personal information, as there is under the laws of certain U.S. jurisdictions, notably California. If implemented, this obligation could extend to third party service providers, meaning an outsourcing organization would have a duty to notify affected individuals if a breach of personal information occurred while the information was with the service provider.
Even where a company intending to outsource has evaluated the risks of privacy breaches in a foreign country, entered into an outsourcing agreement with strict privacy protection, and provided notice of its intention to outsource to its data subjects, its outsourcing transaction may be scuppered by rogues. This risk was specifically identified by the Alberta Privacy Commissioner in his February 2006 Report in respect of public sector outsourcing "Public Sector Outsourcing and Risks to Privacy" (Alberta Report). The Alberta Report mentioned that not all risks are generated solely by entering into an outsourcing agreement. Certain risks are inherent in some measure when a company uses information and communication technologies. These include "computer hackers, rogue employees, property thieves and incidental finders". These risks increase where companies use sub-contractors. As stated in the Alberta Report: "The chain of users becomes only as strong as its weakest link".
Provincial Regulation Of Personal Data Outsourcing
A number of provinces have introduced, or are in the process of introducing, legislation to deal with the perceived threats to privacy in outsourcing transactions in the public and private sectors.
British Columbia. In the public sector, the British Columbia Freedom of Information and Protection of Privacy Act (B.C. FIPPA) contains principles that require the public body to ensure that personal information in its custody or under its control is stored and accessed only in Canada, unless (a) the individual the information is about has identified the information and has consented to it being stored in or accessed from another jurisdiction, or (b) it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under B.C. FIPPA, or (c) in certain other discrete circumstances listed in B.C. FIPPA. B.C. FIPPA provides that the head of a public body, its employee or an employee or associate of a service provider must immediately notify the Minister of British Columbia if there is a foreign demand for information, or where there is reason to suspect that unauthorized disclosure of personal information has occurred in response to a foreign demand.
The restrictions in the B.C. FIPPA are wide-reaching and make it very difficult for any organization to provide outsourcing services for the B.C. government or its agencies without setting up a stand-alone Canadian operation. Foreign organizations are taking measures to keep personal information in Canada, including by establishing Canadian subsidiaries.
From recent amendments to B.C. FIPPA, it appears that the provincial government of B.C. recognizes that B.C. FIPPA is excessively rigid and inflexible. New provisions have been added to B.C. FIPPA that soften the prohibition on transferring personal information across Canada’s borders by introducing a number of exceptions to the requirement that personal information remain in Canada.
In the private sector, the Personal Information Protection Act (B.C. PIPA), regulates the use of personal information. B.C. PIPA provides that an organization is "responsible for personal information under its control, including personal information that is not in the custody of the organization", which seems to make clear that the use of service providers is contemplated, but does not deal with the manner in which such relationships should be structured to ensure compliance with B.C. PIPA.
In a recent decision of the B.C. Information and Privacy Commissioner, Twentieth Century Fox Film Corporation (Fox) had collected personal information to establish a person’s residency in B.C. in order to substantiate Fox’s claims for film production tax credits. This personal information was transferred to the U.S. The B.C. Privacy Commissioner, in considering the legality of the transfer of personal information to the U.S., addressed the following factors: whether there were reasonable security arrangements in place; the sensitivity of the personal information at stake; the foreseeability of a privacy breach and of resulting harm; generally accepted common practices in a particular sector or kind of activity; the medium and format of the record containing the personal information; the prospect of criminal activity or other intentional wrongdoing; and the cost of security measures. Under the specific circumstances, the B.C. Privacy Commissioner held that Fox was collecting non-sensitive personal information which was stored in the U.S. under lock and key, to which access was limited, and which was shredded following use. In addition, the B.C. Privacy Commissioner held that, in the circumstances of the case, there was no obligation to notify employees that their personal information might be located in the U.S. or elsewhere.
Québec. Québec has enacted public and private sector personal information privacy laws.
In the public sector, Québec has enacted An Act respecting Access to documents held by public bodies and the Protection of personal information (Public Sector Québec Act). The Public Sector Québec Act applies to documents kept by a public body in the exercise of its duties, whether it keeps them itself or through the agency of a third party. In respect of the disclosure of personal information within Québec, a public body may, without the consent of the person concerned, release personal information to any person or body if the information is necessary for carrying out a mandate or performing a contract for work or services entrusted to that person or body by the public body. In that case, the public body has certain duties such as ensuring that the mandate or contract is in writing, specifying in the mandate or contract which provisions of the Public Sector Québec Act apply to the information released to the mandatary or the person performing the contract, as well as the measures to be taken by the mandatary or person to ensure the confidentiality of the information, to ensure that the information is used only for carrying out the mandate or performing the contract, and to see that it is not kept after the expiry of the mandate or contract.
The public body must also obtain a confidentiality agreement from every person to whom the information may be released unless the person in charge of the protection of personal information does not consider it necessary. A person or body carrying out a mandate or performing a contract for services referred to above must notify the person in charge without delay of any violation or attempted violation of an obligation concerning the confidentiality of the information released, and must also allow the person in charge to verify compliance with confidentiality requirements.
Before releasing personal information outside Québec or entrusting a person or a body outside Québec with the task of holding, using or releasing such information on its behalf, a public body must ensure that the information receives protection equivalent to that afforded under the Public Sector Québec Act. If the public body considers that the personal information will not receive protection equivalent to that afforded under the Public Sector Québec Act, it must refuse to release the information or refuse to entrust a person or a body outside Québec with the task of holding, using or releasing it on its behalf.
An Act respecting the protection of personal information in the private sector (Private Sector Québec Act) applies to the private sector in Québec. The Private Sector Québec Act provides that in the carrying on of an enterprise, authorized employees, mandataries or agents or any party to a contract for work or services may have access to personal information without the consent of the person concerned only if the information is needed for the performance of their duties or the carrying out of their mandates or contracts. However, this access to personal information is restricted to the information necessary for the fulfilment of such contract or mandate. In addition, appropriate contractual measures must be in place between the organization and its agent to ensure the security of the personal information. This agreement must be in writing and must clearly and precisely delineate the mandate, clearly state which type of personal information would be communicated to the agent and for what purpose (establishing that the agent requires the information in the execution of his mandate) and indicate whether the agent can communicate this information to others.
In respect of a transfer of information outside Québec or across Canadian borders, the Private Sector Québec Act provides that an organization carrying on a business in Québec which entrusts a person outside Québec with the task of holding, using or communicating such information on its behalf must take all reasonable steps to ensure that the information will only be used for the purposes for which consent was obtained and will not be further communicated to third parties without such consent. In addition, the Private Sector Québec Act requires the data collector to inform the individual concerned of the location where the file containing his/her personal information will be kept.
If the person carrying on an enterprise considers that the information to be provided to an outsourced service provider outside Québec will not receive the protections required under the Act, then the person must refuse to communicate the information or refuse to entrust a person or body outside Québec with the task of holding, using or communicating it.
Nova Scotia. The Nova Scotia legislature passed the Personal Information International Disclosure Protection Act (N.S. PIIDPA) on July 13, 2006. It was proclaimed in force on November 15, 2006 and is binding on public bodies, directors, officers and employees of public bodies and all employees and associates of service providers. It contains provisions similar to B.C. FIPPA, including a requirement that personal information in a public body’s custody or under its control be stored only in Canada and accessed only in Canada, and notice requirements to the Minister of Justice where there is a "foreign demand for disclosure". N.S. PIIDPA contains a number of exceptions to the prohibition of disclosure of personal information outside Canada.
Alberta. In Alberta, the Personal Information Protection Act (Alberta PIPA) regulates the use of personal information in the private sector. Alberta PIPA is similar to B.C. PIPA and provides that " ... where an organization engages the services of a person, whether as an agent, by contract or otherwise, the organization is, with respect to those services, responsible for that person’s compliance with this Act".
No public sector legislation similar to B.C. FIPPA and N.S. PIIDPA has been introduced in Alberta. Alberta’s Freedom of Information and Protection of Privacy Act (FOIPPA) does not prohibit outsourcing of personal information across Canada’s borders. FOIPPA is binding on "public bodies". It does not explicitly, unlike the B.C. FIPPA, extend its application to the service providers of public bodies. It does, however, contain some provisions that deal with an "employee". An "employee" in relation to a public body " ... includes a person who performs a service for the public body as an appointee, volunteer or student or under a contract or agency relationship with the public body". FOIPPA, in Part 2, contains some provisions that limit disclosure of personal information in discrete circumstances that may be applicable to an outsourcing transaction.
FOIPPA imposes stiff penalties for contravention of its provisions and, in particular, prohibits a person from wilfully disclosing personal information to which FOIPPA applies pursuant to a subpoena, warrant or order issued or made by a court, person or body having no jurisdiction in Alberta to compel the production of information or pursuant to a rule of court that is not binding in Alberta.
Also, the Alberta Report (see above) recommends the adoption of a mix of statutory provisions, enhanced due diligence in selecting and monitoring contractors, rigorous application of model contract formulations, and transparent testing and audit programs.
Health Care Data
General. Privacy regulation in respect of health information is perhaps the most complex and, due to the sensitive nature of the personal information involved, most controversial in Canada.
There are specific statutes relating to personal health information in Alberta (the Health Information Act), Manitoba (the Personal Health Information Protection Act), Ontario (OHIPA), and Saskatchewan (the Health Information Protection Act). The scope of application of these statutes to health sector participants is similar as they contain similar definitions relating to health sector participants and personal health information. OHIPA applies to "health information custodians"; the acts in Saskatchewan and Manitoba to "trustees"; and the act in Alberta to "custodians" (hereafter these are referred to as "health sector participants"). The definitions of personal health information have wide application and parties to an outsourcing transaction that involves personal health information should be aware that they may fall under one of these statutes.
A comprehensive review of health and privacy issues in Canada is beyond the scope of this article, but a brief examination of OHIPA follows. All of the statutes require custodians or trustees to exercise some level of supervision over service providers and agents.
Ontario. OHIPA makes a distinction between "agents" and "providers" relating to health information, and has different provisions that apply to each.
An agent is defined as a person that, with the authorization of the health information custodian, acts for or on behalf of the health information custodian in respect of personal health information for the purposes of the health information custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the health information custodian and whether or not the agent is being remunerated.
A health information custodian is responsible for personal health information in the custody or control of the health information custodian and the health information custodian may permit its agents to collect, use, disclose, retain or dispose of personal health information on the custodian’s behalf, but only if (a) the custodian is permitted or required to collect, use, disclose, retain or dispose of the information; (b) the collection, use, disclosure, retention or disposition of the information, is in the course of the agent’s duties and not contrary to the limits imposed by the custodian, OHIPA or another law; or (c) the prescribed requirements in Ontario Regulation 329/04 (Ontario Regulation) are met.
An agent must also notify the custodian at the first reasonable opportunity if information handled by the agent on behalf of the custodian is stolen, lost or accessed by unauthorized persons. Even though OHIPA does not contain an explicit requirement that custodians enter into written agreements with agents which provide services for them, this requirement has been "read into" OHIPA by the Privacy Commissioner (Ontario) (Ontario Commissioner). Section 50 of OHIPA allows disclosure of personal information outside of Ontario, subject to a number of restrictions. It does not address if disclosure outside Ontario includes disclosure across the borders of Canada.
A person who provides goods or services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain, or dispose of personal health information (Electronic Providers) must comply with the prescribed requirements in the Ontario Regulation. Under the Ontario Regulation, persons are not considered to make the information available or to release it to Electronic Providers for the purposes of the definition of "disclose" under OHIPA, if they (1) use the information only as necessary in the course of providing the services and (2) do not permit their employees or any person acting on their behalf to have access to the information unless the employee or person acting on their behalf agrees to comply with applicable restrictions. As there is no "disclosure" in such instances, the provisions of section 50 of OHIPA in respect of disclosures outside Ontario do not appear to apply, allowing for a free flow of personal information outside Ontario and across Canada’s borders (subject to the conditions discussed above). Since OHIPA has been deemed to provide equivalent protection, it ousts the requirements of PIPEDA. Therefore, the additional issue, in respect of information governed by OHIPA, as to whether there is a disclosure or permitted use under PIPEDA, should not apply.
In addition to dealing with agents and Electronic Providers, the Ontario Regulation deals with "health information network providers". A "health information network provider" means a person who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians. A health information network provider: (1) may not use any personal health information to which it has access in the course of providing the services for the health information custodian except as necessary in the course of providing the services; (2) may not disclose any personal health information to which it has access in the course of providing the services for the health information custodian; and (3) may not permit its employees or any person acting on its behalf to have access to the information unless the employee or person acting on its behalf agrees to comply with the same restrictions applying to the health information network provider.
Treasury Board
The Treasury Board of Canada, the main procurement agency for the federal government, released a "Privacy Protection Checklist" the purpose of which is to ensure that privacy requirements are taken into consideration during the preliminary planning and implementation stages of the government contracting process. In October 2006, the Treasury Board of Canada released "Explanatory Notes for the Privacy Protection Checklist" (Explanatory Notes). In respect of transborder data flows, the Checklist requires the determination of whether the contractual agreement should specify (i) the limitations on where the records and the personal information (including back-up tapes and archives) may be processed, stored or maintained by the contractor, or (ii) that the contractor is prohibited from disclosing and/or transferring any personal information outside the boundaries of Canada, or allowing parties outside Canada to have access to it, without the prior written approval of the government.
In respect of (i) above, the Explanatory Notes provide that one mechanism to deal with the risks associated with transborder data flows is to have the work done in Canada and to have personal information segregated to a system not accessible by entities outside Canada, subject to applicable trade laws. The Explanatory Notes also provide that the contract should stipulate whether there are any geographical restrictions related to processing, storing, maintaining, or accessing records containing personal information by the contractor or an affiliate, particularly where the contractor is located in a foreign country or is a subsidiary of a foreign organization. The inclusion of a clause of this nature will depend on the sensitivity of the personal information involved, the type of contract, the work to be performed and whether the government institution has control of the information, the company performing the work, and the level of risk of exposure to U.S.-based or other foreign companies or subcontractors.
In respect of (ii) above, the Explanatory Notes mention that in appropriate circumstances, the contractual agreement may stipulate that the contractor is prohibited from disclosing or transferring any personal information to third parties outside Canada or from allowing such parties to have access to it without the prior written approval of the institution. Once the information goes beyond Canada’s borders, it may be either impractical or impossible for a government institution to prevent any unauthorized use, disclosure, or transfer of that information or even, in some cases, to access its own information.
The likely effect of the Checklist and Explanatory Notes is that government procurement officials will in future closely assess the privacy implications of outsourcing transactions, in particular, where there is the potential of a flow of personal information across Canada’s borders. Outsourcing service providers entering into outsourcing agreements with the Canadian federal government, especially in the software development and computer services areas, will have to take into consideration the practical consequences of these documents on an outsourcing transaction.
Non-Privacy Statutes And Regulations Affecting Outsourcing
Certain statutes that deal with issues other than privacy also contain provisions applicable to outsourcing personal data processing and, in particular, to transborder flows of personal information. For example, section 245 of the Bank Act (Canada) requires that all bank records, including Canadian customer personal information, be kept in Canada unless an exemption is obtained, although such information may be processed outside of Canada in accordance with the regulations. Similar provisions are contained in section 250 of the Trust and Loan Companies Act, section 242 of the Co-operative Credit Associations Act, and section 268(1) of the Insurance Companies Act. The foregoing federal financial institutions statutes also require boards of directors to establish procedures to protect the confidentiality of customer information and to restrict its use, and to have those policies and procedures monitored by a committee of the board. In addition, financial services providers are subject to a high standard of confidentiality of data under the common law.
The Office of the Superintendent of Financial Institutions (OSFI), Canada's regulator of federally incorporated and registered financial institutions, has issued Guideline B-10 concerning outsourcing. The guideline sets standards for contractual terms, risk management and governance for material outsourcing arrangements. Such transactions do not normally require prior notification or approval, except in cases in which data is processed outside Canada.
Some provinces also require that all information in credit reports by credit bureaus originate from databases located in Canada, even if the ultimate source of the information is outside of Canada. These include the Alberta Credit and Personal Reports Regulation made pursuant to the Alberta Fair Trading Act, the Nova Scotia Consumer Reporting Act, and the Ontario Consumer Reporting Act.
Conclusion
Privacy protections applicable to outsourcing transactions in Canada are complex. Some argue that the scales are weighted too heavily in favour of protecting privacy to the detriment of free flows of information and the business realities of globalisation. Others argue that there can never be a compromise on maintaining privacy in personal information. Yet others argue that Canada should be following international privacy precedent in an attempt to facilitate international trade and its attendant data flows.
The views of governments in Canada also diverge. The provinces have followed different models to deal with privacy problems. Some have favoured models in which regulation is achieved exclusively through legislation. Others plan to follow a mix of legislation, contracts and mechanisms dealing with monitoring, due diligence and risk assessment. At the federal level, the views of the Treasury Board of Canada, the main procurement agency of the federal government, appear more liberal than the privacy laws regulating the public sector in certain provinces.
Privacy plays a significant role in an outsourcing transaction. Counsel must consider the nature and sensitivity of the personal information involved, the specific province or provinces from which the data originates, whether the outsourcing is in the public or private sector, and whether the personal information flows across Canada's borders. Counsel should also consider whether the outsourcing occurs in an industry with its own privacy regulations, such as health care or financial services.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.