CHARITY LAW BULLETIN No. 71

July 14, 2005
Editor: Terrance S. Carter

PRIVACY POLICY NOT ENOUGH, 3RD PARTY PRIVACY CONTRACT ALSO NEEDED TO COMPLY WITH PIPEDA

By U. Shen Goh, LL.B., LL.M.

A. INTRODUCTION

The first principle of the Personal Information Protection and Electronic Documents Act ("PIPEDA") deals with accountability and states that an organization is responsible for any personal information under its control which it collects, uses or discloses in the course of commercial activities. Accordingly, many charities and non-profit organizations throughout Canada have already instituted privacy policies to demonstrate their commitment to protecting personal information entrusted to them. What many organizations do not realize, however, is that the first principle of accountability also states that an organization is responsible for any personal information that has been transferred to a third party for processing and should use contractual or other means to provide a comparable level of protection while such information is being processed by third parties. As such, organizations that outsource personal information to third parties should also enter into agreements to protect the personal information that is transferred as part of the outsourcing contract.
This Charity Law Bulletin provides a brief discussion of what constitutes the "transfer" of personal information, and why "3rd party privacy contracts" are necessary. For more information concerning whether PIPEDA applies to your charitable or not-for-profit organization, please refer to Charity Law Bulletin Nos. 28 , 42 and 70.

B. WHAT DOES THE TERM "TRANSFER" MEAN?

PIPEDA does not define the phrase "transferred to a third party for processing." This has led to discussions regarding the differences between the term "transfer" and the term "disclose," if any, neither of which is defined by PIPEDA.

The answer is of significant importance because the third principle of PIPEDA deals with consent and states that the knowledge and consent of the individual are required for the disclosure of personal information. Therefore, if the term "transfer" were synonymous with the term "disclose," an organization would need to obtain consent before transferring information to a third party for processing.

In response, the Privacy Commissioner of Canada made the following statements which unequivocally established that the term "transfer" is not synonymous with the term "disclose":

  • In a speech to the Institute of Canadian Advertising on February 27, 2001:
    A "disclosure" of personal information involves providing the information to and for the use of a third party-that includes an organization that is affiliated with the organization that's making the disclosure. Disclosure requires the consent of the people to whom the information pertains in all but a very few, specific situations.

    A "transfer" of personal information involves providing information to a third party for processing purposes. Say, a bank giving personal information to a printer in order to have a batch of personal cheques made up, or a business transferring personal information to another company to conduct a direct mail campaign on its behalf. The information remains the responsibility of the organization that initiated the transfer, and consent is not required, as long as the information is not used for any other purpose, and is either returned to the company that initiated the transfer or is destroyed.

  • In a speech on e-Business at The HR Challenge on November 20, 2002:
    It's important to understand that the Act recognizes a difference between disclosures of personal information and transfers of personal information.

    A "disclosure" involves providing personal information to a third party, including an affiliated but separate organization. The information passes out of your control and into the control of the organization to which you disclose it. For that, the Act requires you to have consent.

    A "transfer", on the other hand, involves providing information to a third party simply for processing purposes. You don't need consent for a transfer, provided the third party only uses the personal information for the purpose for which it's transferred. The information remains your responsibility. The Act requires you to ensure, by contractual or other means, that the third party protects it.
  • In a speech at the General Meeting of the Private Investigators Association of British Columbia on March 20, 2003:

    The Act allows an organization to transfer personal information to a third party, without consent, for processing purposes. Take, for example, a bank that wants to have cheques printed for its customers. The Act allows it to transfer personal information of its customers to a cheque printing company for this purpose. Notice that I didn't say that the bank is "disclosing" the information. That's because the Act distinguishes this kind of transfer for processing purposes from disclosures.

    Transfers are only allowed for limited purposes, and they're subject to stringent conditions. For instance, the processor can use the information only for the specified purposes, and has to protect the information as required by the Act. But the point I want to stress is that this recognition of transfers for processing, as distinct from "disclosures", is necessary to the reasonable functioning of standard business practice. Considering this transfer as a "disclosure," and requiring banks to get the consent of their customers to it, wouldn't serve any useful purpose.

In light of the above statements, it is now clear that the organizations which outsource personal information, whether for purposes such as payroll operations; payroll cheque processing; information or computer services; or marketing or research functions (including polling), do not need to obtain consent to transfer the personal information to third parties for processing, in contrast to the requirement for consent when disclosing personal information. However, the organizations do need to enter into confidentiality agreements with third parties in order to protect the personal information transferred to them.

C. WHY ARE "3RD PARTY PRIVACY CONTRACTS" NECESSARY?

It is clear from a review of PIPEDA, and the Privacy Commissioner of Canada's statements outlined above, that the organization transferring the personal information remains in control of and accountable for the personal information and is, therefore, liable for any misuse of that information.

This includes information that has been transferred to a third party for processing, and requires the transferring organization to use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

This is further illustrated by the following Privacy Commissioner of Canada Findings:

  • PIPEDA Case Summary #35: A bank contracted with a research firm to study the future provision of products and services to customers. The research firm, in turn, subcontracted part of the study to another research firm. The bank had a confidentiality agreement with the contractor, but the contractor did not have a confidentiality agreement with the subcontractor. When the subcontractor telephoned a customer to ask her to participate in the study, the customer filed a privacy complaint. The Privacy Commissioner of Canada found that the agreement between the bank and the contractor was deficient in that it made no provision for subcontracting, leaving the bank in contravention of PIPEDA.

  • PIPEDA Case Summary #168: A bank contracted with a collections agency to collect credit card debts from its customers. The bank had a confidentiality agreement with the collections agency which expressly prohibited the collections agency from disclosing customers' personal information without consent. When the collections agency disclosed to a customer's employer that the customer had a credit card debt, the customer filed a privacy complaint. The Privacy Commissioner of Canada found that the disclosure had been made by the collections agency, resulting in a finding that the bank had contravened PIPEDA.

  • PIPEDA Case Summary #277: A company contracted with an email distributor to distribute messages on the company's behalf. The company had dealt with the email distributor for a number of years; however, there was no confidentiality agreement in place between the two. When the email distributor mass-emailed 618 customers and erroneously left their addresses in the "to" field for everyone to view, the customers filed a privacy complaint. The Privacy Commissioner of Canada found that the error had been made by the email distributor, and the company was held responsible for the error of its email distributor.

The above cases make it clear that, when an organization transfers personal information to a third party for processing and the third party misuses the personal information, PIPEDA will hold the organization accountable to the individual whose personal information was misused. However, PIPEDA will not hold the third party accountable and, as a result, the organization will find itself with no recourse for indemnification of its damages. As such, the organization must protect itself by entering into 3rd party privacy contracts which will hold the third party accountable to the organization in they event that they are found to be in contravention of PIPEDA.

Clearly, 3rd party privacy contracts are necessary for organizations transferring personal information to third parties. In addition to assisting the organization in recovering damages from third parties in the event that the third parties misuse the transferred personal information in violation of PIPEDA, 3rd party contracts can also enable an organization to obligate third parties to abide by the organization's privacy policy in order to discourage the third parties from acting in a manner that would result in a privacy complaint against the organization.

D. CONCLUSION

Given the high onus set by PIPEDA, as illustrated by the case findings of the Privacy Commissioner of Canada, organizations which transfer personal information to third parties would be wise to adopt 3rd party privacy contracts which, at minimum, would stipulate that:

  • the third party will use the personal information only for the purposes for which it was provided;
  • the third party will rectify, delete or update the personal information upon instructions from the organization transferring the personal information;
  • the third party is liable for the use made of the personal information;
  • and the third party will indemnify the organization transferring the personal information for any breach of the contract.

In addition to having 3rd party privacy contracts in place, it is also highly recommended that organizations transferring personal information to third parties keep detailed records of the information that is transferred, the purpose for transferring the information, and to which third parties the transfers are made. Such careful documentation will assist organizations in minimizing their liability for the actions of third parties.

 

DISCLAIMER: This Charity Law Bulletin is a summary of current legal issues provided as an information service by Carters Professional Corporation. It is current only as of the date of the Bulletin and does not reflect subsequent changes in the law. The Charity Law Bulletin is distributed with the understanding that it does not constitute legal advice or establish the solicitor/client relationship by way of any information contained herein. The contents are intended for general information purposes only and under no circumstances can be relied upon for legal decision-making. Readers are advised to consult with a qualified lawyer and obtain a written opinion concerning the specifics of their particular situation.
© 2008 Carters Professional Corporation