Businesses often use third party entities to process customer information or transactions and to then relay portions of that information back to the business. Businesses using third parties in this manner should be aware of the provisions of Canada’s privacy legislation in this regard.
Overview of Canada's Privacy Legislation
Canada’s two predominant privacy statutes are the Privacy Act, RSC 1985 c P-21 and the Personal Information Protection and Electronic Documents Act, SC 2000, c5 ["PIPEDA"]. The former applies to actions of the federal government, while PIPEDA applies to every entity that collects, uses or discloses personal information in the course of commercial activities. Alberta, British Columbia and Quebec have provincial privacy legislation which is, for the most part, substantially similar to PIPEDA.
Compliance with PIPEDA
Any entity collecting personal information for the purpose of a commercial activity must first obtain the consent of the individuals whose information is being collected. It is important to note that personal information includes the names and contact details of individuals, as well as their credit card and other financial information.
PIPEDA provides that "the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting." Therefore, whenever personal information is collected in a commercial context, the individuals whose consent is sought must be informed of the manner in which their personal information will be used and disclosed.
The transfer of information to third parties for processing is considered to be a disclosure of information. It therefore follows that when seeking someone’s consent for collection of his or her personal information, the entity collecting the information should outline that the information will be shared with third parties for processing. Furthermore, if the third party is in another country, specific risks, such as the possibility of foreign officials obtaining the information, should be disclosed to the individuals whose consent is being sought.
In summary, a business seeking to use third party processors of customer information or payments should so advise any individuals whose personal information will be collected and should outline for those individuals the potential risks of the collection and disclosure of the personal information by, and to, the third party. The third party processor should ensure that the necessary consent has been obtained and that its contract with the business provides for indemnification by the business should issues arise as a result of the collection and processing of the personal information.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.