Insights Header image
Insights Header image
Insights Header image

Data Protection Agreements

July 2015 Privacy Bulletin 2 minute read

Outsourcing and sub-contracting often make good sense from a business perspective. However, when an organization transfers personal information (“PI”) about customers, employees or other individuals to a third party, it remains responsible for protecting such PI and ensuring that it is handled in accordance with applicable privacy laws.

The Personal Information Protection and Electronic Documents Act (“PIPEDA”) explicitly provides that: “An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”[1] (emphasis added) Similar explicit or implicit requirements exist under substantially similar provincial legislation.

Therefore, before transferring any PI to a contractor or service provider, organizations should ensure that appropriate steps have been taken to protect such information. This can include reviewing the privacy policies and past practices of contractors or service providers, as well as requesting information about prior privacy complaints and data breaches. It should also include appropriate contractual protections, either in the form of a full data protection agreement or privacy provisions in the service agreement itself.

Although such contracts should be customized in every case, to reflect the relationship between the parties, the nature of the services, and the amount and sensitivity of PI involved, generally such agreements should address the following:

  • Ownership of PI
  • The amount, type and nature of PI that will be transferred between the parties
  • The purposes for which PI can (and cannot) be collected, used and disclosed
  • Confidentiality obligations
  • Restrictions on access to PI
  • Physical, technological and organizational safeguards required to protect PI
  • Updating, correcting and deleting PI
  • Auditing, inspection and/or monitoring rights
  • Restrictions on sub-contracting, or provisions governing terms upon which sub-contracting is allowed
  • Compliance with applicable privacy laws
  • Notice requirements and obligation to co-operate in the event of an access request
  • Requirements to disclose government access requests or other disclosure orders (where permitted by law)
  • Breach notification requirements
  • Procedure upon termination of contract/relationship (e.g., requirement to return or irrevocably destroy PI)
  • Timelines for compliance with the above obligations
  • Consequences of failure to comply with data protection obligations in contract and/or applicable privacy laws (e.g., indemnities)

This list is not intended to be all-inclusive. Depending upon the circumstances, additional terms may be required. For example, in some cases the organization may want to restrict cross-border transfers of information (or at least require consent to, or notice of, such transfers), and/or require segregation of PI from other information held by the service provider.

In addition, specific provincial laws should be taken into account. For example, Quebec legislation contains specific requirements related to placing technology-based documents in the custody of a service provider.

In an era of increasing focus on privacy and rising class actions for data breaches, organizations cannot afford to ignore the information handling practices of their service providers and sub-contractors. Given their continued responsibility for protecting PI, all organizations would be well-advised to review their contracts with third parties to ensure that such agreements contain appropriate provisions governing privacy and security.

by Lyndsay A. Wasser, CIPP/C, Co-Chair Privacy

1 PIPEDA Article 4.1.3.

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2015

Insights (5 Posts)View More

Featured Insight

Sanctions Enforcement Rising: Border Seizures and Forfeitures, Administrative Penalties and a New Reporting Obligation for Sanctions Evasion Offences

Changes to Canada’s sanctions regime under Bill C-59 will add reporting requirements for importers/exporters, create AMPs, and grant new CBSA seizure powers.

Read More
Jun 13, 2024
Featured Insight

Goodbye CDOR, Hello CORRA: CDOR’s Final Month and CORRA Loan Trends

CDOR will cease being published after June 28, 2024; CORRA is now used in credit agreements with certain trends developing in its use.

Read More
Jun 11, 2024
Featured Insight

Anonymization of Personal Information under Quebec Law

On May 15, 2024, Quebec published its final regulation on anonymization which establishes specific guidelines on how to properly anonymize personal information.

Read More
Jun 5, 2024
Featured Insight

Far from being FARA – Canada’s Proposed Foreign Influence Transparency Registry Law Leaves the Details for Another Day

Canada's proposed foreign agent registry doesn't mirror the problematic aspects of FARA, but many details are left to future regulations and guidance.

Read More
Jun 5, 2024
Featured Insight

Building Uniformity: Saskatchewan’s Franchise Disclosure Act Receives Royal Assent

First introduced last fall, Saskatchewan’s Bill 149, The Franchise Disclosure Act, received Royal Assent on May 8, 2024 (the “Act”).[1] In doing so, Saskatchewan now joins British Columbia, Alberta, Manitoba, Ontario, New Brunswick, and Prince Edward Island as the seventh Canadian province to enact franchise-specific legislation.

Read More
Jun 4, 2024