In a development that affects organizations offshoring the processing of personal information, the Office of the Privacy Commissioner of Canada has recently issued "Guidelines for Processing Personal Data across Borders." The Guidelines are intended to clarify how the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to transfers of personal information to third parties outside of Canada for processing.
The Guidelines indicate that "PIPEDA does not prohibit organizations in Canada from transferring personal information to a third party in another jurisdiction for processing." However, they do note that, under PIPEDA, organizations are responsible for the protection of personal information, including information transferred to third parties under outsourcing agreements. While the information is being processed by a third party, organizations are required to use "contractual or other means to provide a comparable level of protection." The Guidelines note that "comparable level of protection" does not mean that the protections offered by third parties are identical on all levels but rather that they should be "generally equivalent."
The Guidelines also state that a "transfer" of personal information is not the same as a "disclosure." Unlike a disclosure, a transfer allows the personal information to be used only for the purpose for which it was originally collected. If it is used only for that purpose, the Guidelines indicate that additional consent to the transfer is not required.
The Privacy Commissioner’s Guidelines also reference the guidelines dealing with processing of financial data that have been published by the Office of the Superintendent of Financial Institutions (OSFI). They note that while the OSFI guidelines set a high standard with respect to protection of sensitive financial information by financial institutions, they can also serve as a good benchmark for organizations involved in transferring sensitive personal information across borders.
Finally, the Guidelines also reinforce the need for transparency when dealing with personal information of Canadians. Organizations that engage in transfer of personal information outside Canada should advise their customers that this information may be sent to another jurisdiction for processing and that it may be accessed by courts, law enforcement and national security authorities of that jurisdiction.
McCarthy Tétrault Notes:
As more businesses move to offshore parts of their operations, the need to ensure sufficient protection of customer data becomes a major issue. From a publicity and a legal standpoint, a leak of personal information can be very harmful to businesses that collect sensitive data from their customers.
At the pre-planning stages of any offshoring project, organizations should ensure that any third parties potentially handling this data comply with the organization’s own internal privacy guidelines and that the laws of the foreign jurisdiction allow for such compliance. By referring to the OSFI guidelines, the Guidelines suggest that the Office of the Privacy Commissioner will expect organizations that transfer personal information to international third parties for processing to meet a very high standard of data protection.
In addition, organizations should review their privacy policies to ensure they adequately inform customers that their personal information may be sent to a foreign country for processing and may be accessed by that jurisdiction’s law enforcement and national security authorities.