The Personal Information Protection and Electronic Documents Act (“PIPEDA”) does not prevent organizations from transferring personal information out of Canada, but instead leaves the decision – and accountability – up to the organization transferring the information.
Examples of transferring personal information out of the country include using service providers in different locations to carry out tasks for the organization, or using a cloud computing service where information is stored on servers outside of Canada. The Office of the Privacy Commissioner of Canada recognizes that an organization may want to outsource in order to run its business in the most productive and cost effective manner, but takes the stance that the Canadian organization is still ultimately responsible for protecting all personal information it collects. An organization must therefore take precautions to protect any personal information that it transfers to foreign service providers. Some precautions include:
- Performing a thorough check on the foreign organization to ensure that it has policies, procedures and safeguards in place to protect any personal information it receives and that it has not had any known issues protecting personal information in the past;
- Evaluating the location of the foreign service provider to determine whether there are any potential social, political, security or other risk factors that may affect the service provider’s ability to provide the services or protect the personal information;
- Ensuring that the foreign service provider agrees to hold any personal information under contract with the organization (which specifically sets out how each party must handle personal information in accordance with PIPEDA);
- Evaluating the sensitivity of the personal information to be transferred and using additional scrutiny when considering foreign service providers for highly sensitive personal information (which may result in not using foreign service providers for highly sensitive information); and
- Informing individuals upon collection of their personal information that it may be processed in a foreign country, and will be subject to the laws of such foreign country.
Given that an organization is ultimately responsible for any issues caused by a service provider misusing information, it is in the best interest of every organization to ensure that it takes the applicable precautions when using any third party service provider, particularly one that is located outside of Canada.