In our digitally interconnected world, most organizations that handle personal information will transfer it to a third party at some stage of the data life cycle. Your company may send personal information (PI) to an external service provider such as PayPal to process customer payments – that’s a data transfer. Perhaps you hired a data disposal company to destroy data at the end of its life span – that’s a data transfer. Your company may outsource payroll – that means you’re transferring employee data. Any sharing or transmitting of data, electronic or hard copy, is considered a transfer.
But remember: all transfers of personal information must be compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA) and any relevant provincial and sector-specific privacy laws. So, be aware that the many business advantages of data outsourcing are offset by increased security risks, as we’ll see below. And when PI flows into another jurisdiction, the situation becomes more complex.
The key take-away is this:
When you transfer personal information, even if it passes into another jurisdiction, you retain accountability for its care.
A common type of data transfer is outsourcing: handing over aspects of the provision and management of data computing and storage to a third party. A cloud database managed by a third party is a common example of data outsourcing. Within a data outsourcing design, data sets are often stored together with an application – this connects to an external server, which can then assume data management.
There are many advantages to delegating a business process to an external service provider; these can include efficiency, lower labour costs, and enhanced quality and innovation. (Data processing is often outsourced offshore, to foreign businesses: this raises other issues, which are addressed in Part II: Cross-border Data Transfers.
However, data outsourcing brings its own challenges and security risks. Can you guarantee that your data processor will not misuse the data in its care? Can you ensure that access controls will be enforced, and policy updates supported, by your processor? Will the processor commit to as rigorous a Privacy Framework as your company has?
The greatest danger with data outsourcing is the risk of a security breach. According to Trustwave’s 2013 Global Security Report, in 63% of global data breach investigations, “a third party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers.”[i] Patrick Thibodeau, senior editor of Computerworld, stresses that companies utilizing the advantages of data outsourcing “need to go through an exhaustive due-diligence process and examine every possible contingency.”[ii]
Encrypting the data to be outsourced can prevent both outside attacks and inappropriate access from the server itself. It’s also helpful to combine authorization policies with encryption methods, so that access control requirements are bundled together with the data.
Before transferring data, think carefully: is the personal information component actually needed? If you can ensure that the data is (irreversibly) anonymized, and keep careful records of having done so, the personal information will disappear and data protection principles will no longer apply.
PIPEDA doesn’t prevent organizations from outsourcing the processing of data, but the Office of the Privacy Commissioner cautions that organizations outsourcing PI need to take “all reasonable steps to protect that information from unauthorized uses and disclosures while it is in the hands of the third-party processor.”[iii]
CANADA: Under PIPEDA, the “transfer” of data is considered a “use” by a company, as opposed to a “disclosure” – this is because the processing of information by a third party is still done for the purposes for which the PI was originally collected. “Processing” is interpreted as any use of the information by a third party for its intended purpose at the time of collection.
PIPEDA’s first Privacy Principle, Accountability, states:
“An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”
This statement has three key clauses; we’ll look at each in turn.
1) “An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.” The onus of responsibility lies with your organization, even once information has been transferred to a third party; you cannot outsource legal liability. This means that you’ll need to know exactly what data protection safeguards your data processor has in place, and be able to monitor them during the transfer process.
2) An organization needs to ensure a “comparable level of protection while the information is being processed by a third party.” According to the Office of the Privacy Commissioner, this means that the third party must provide a level of data protection comparable to the protection that would have been in place had the data not been transferred.[iv] (The protection should be generally equivalent, but it doesn’t necessarily have to be exactly the same across the board.)
3) “The organization shall use contractual or other means” to comply with legal privacy requirements. There should be a written agreement in every instance where personal information is transferred to a third party. A contract cannot transfer responsibility, but it can describe necessary measures a data processor must take to optimally safeguard personal information, and clearly delineate the responsibilities of each party.
In an effort to protect PI and reduce risks, PIPEDA’s restrictions encourage organizations to minimize data transfers, and only to use them for reasonable purposes.
Quebec has passed legislation[v] that imposes strict rules on private-sector organizations using, transferring, or disclosing personal information outside Quebec, even if the PI is being transferred to another Canadian province. Under the law, data transfer or disclosure is prohibited unless it can be guaranteed that the PI will not be used or disclosed for other purposes than those for which it was transferred, or disclosed to third parties without consent.
UNITED STATES: While no federal law creates a general requirement for data owners regarding data protection during transfer, sectoral laws may do so: for example, the Health Insurance Portability and Accountability Act imposes strict regulations on covered entities seeking to disclose personal health information to a service provider. State laws may also impose security standards; for example, California requires organizations transferring data to third parties to contractually oblige those third parties to maintain reasonable security protocols.
EUROPE: Free transfer of personal data within member states is integral to the founding principles of the EU. As long as the data is transferred in compliance with the strict requirements of the General Data Protection Regulation, the Regulation does not restrict data flows within the European Union or European Economic Area.
For further information on data transfers, and privacy compliance matters generally, see Waël Hassan’s book Privacy in Design: A Practical Guide to Corporate Compliance, available on Amazon.
A three-part series from KI Design:
- Part I: Data Outsourcing
- Part II: Cross-border Data Transfers
- Part III: Preparing for Data Transfer – Clauses for Vendor Contracts
[i] Trustwave 2013 Global Security Report, p. 10, online at: https://www.trustwave.com/Resources/Library/Documents/2013-Trustwave-Global-Security-Report/.
[ii] Patrick Thibodeau, “Offshore risks are numerous, say those who craft contracts,” Computerworld, 3 November 2003, p. 12, online at: https://www.computerworld.com/article/2573865/it-outsourcing/offshore-risks-are-numerous–say-those-who-craft-contracts.html.
[iii] For more information, see the OPC’s “Privacy and Outsourcing for Businesses” guidelines, online at: https://www.priv.gc.ca/en/privacy-topics/outsourcing/02_05_d_57_os_01/.
[iv] Office of the Privacy Commissioner, “Guidelines for Processing Personal Data Across Borders,” January 2009, online at: https://www.priv.gc.ca/en/privacy-topics/personal-information-transferred-across-borders/gl_dab_090127/.
[v] P-39.1 – Act respecting the protection of personal information in the private sector, online at: