In a recently released report, the Office of the Privacy Commissioner of Canada (“OPC”) has provided organizations with useful guidance on the controls and security measures that should be in place before outsourcing the processing of customer personal information. This guidance is particularly important for organizations that handle sensitive customer financial information.
Before entering into an outsourcing or service agreement that involves the transfer of personal information, you should make sure that your organization has conducted the appropriate risk assessments and has robust contractual controls and measures in place. This is especially important where the third party receiving the information is based outside of Canada and may therefore not be subject to Canadian privacy law.
A former TD employee submitted a complaint to the OPC alleging that TD did not obtain customer consent before transferring personal information to a third-party service provider in India. TD had used this service provider to assist its fraud investigation team in processing disputes related to debit and credit card fraud. To carry out these functions, TD required the service provider to access and process customer personal information from India, although the service provider did not store any personal information there. For the reasons outlined below, among others, the OPC concluded that the former employee’s complaint was “not well-founded.”
The OPC considered whether TD met its responsibility under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) to ensure that its customers’ personal information remained sufficiently protected. Applying PIPEDA, the OPC determined that “TD remains accountable for personal information, even if it chooses to use a third-party service provider for processing.”
While PIPEDA does not prohibit the transfer of personal information to service providers outside of Canada, it does establish rules and principles that ensure organizations remain accountable for personal information even when that information has been transferred to a third party. Principle 4.1.3 of PIPEDA states:
An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
The OPC elaborated on the phrase “comparable level of protection,” explaining that “the third-party processor must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred.”
This report confirms the OPC’s existing position that no consent is required to transfer personal information to service providers, provided appropriate protections are in place (despite the recent consultations and proposed changes on this issue). See our previous post reviewing the OPC’s consultations and earlier comments on this issue, and a subsequent post reviewing the OPC’s decision not to change its 2009 position.
Appropriate Safeguards and Measures
The OPC reviewed the following measures TD had in place to protect its customers’ personal information:
- TD conducted a risk assessment prior to entering into the contract with the service provider that included conducting a privacy impact assessment, obtaining outside legal advice and reviewing OSFI and OPC guidelines.
- TD required the service provider to have employee background assessments and monitoring in place, which included criminal background checks for all current and prospective employees.
- TD required the service provider to follow TD’s information security practices, develop and maintain policies and procedures for physical security management, and provide employees with regular training.
- TD required the service provider to control the work environment by implementing specific physical and organizational measures designed to prevent employees from storing, copying or downloading personal information.
- TD retained control over access and other cybersecurity controls by supplying all of the hardware and software the service provider used to support TD’s fraud investigation team.
- The contract with the service provider allowed TD to conduct regular audits to ensure contractual compliance, gave TD the right of termination for non-compliance, and required the service provider to abide by industry standards.
The OPC determined that, taken together, the above measures and controls provided a level of protection comparable to the level the personal information would have received if it had not been transferred.
Lessons for Organizations
Before transferring customer personal information to third parties, organizations should ensure that they have conducted the appropriate assessments and have strong contractual protections in place so that any personal information transferred is sufficiently protected. Should an organization become the subject of an OPC investigation, the OPC will expect protections similar to those outlined above to be in place.
MLT Aikins has the right combination of legal and industry experience to help you navigate the information and privacy landscape. Our legal team has specific experience in the areas of information technology, cybersecurity, IT/IP litigation, privacy and the negotiation of service agreements with IT providers. We can assist your organization by ensuring the proper protections are in place prior to the transfer of your customers’ personal information.