All Canadian businesses, by now, should be aware of their mandatory data breach reporting obligations under PIPEDA. These obligations require Canadian companies to:
a. Report to the Office of the Privacy Commissioner (“OPC”) breaches of security safeguards involving personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach of the security safeguard creates a real risk of significant harm to an individual or individuals;
b. Notify the affected individuals about those breaches and keep records of all breaches.
What many might not be aware of is that these data breach obligations apply to your business even if it is your third-party data processor (if you are outsourcing or offshoring) who suffered the actual data breach.
Additionally, if your business transfers personal data to a third-party for processing, your company is legally obligated to ensure appropriate contractual terms are place with that third-party to protect the personal data while in possession of the third-party.
Privacy protections applicable to outsourcing transactions in Canada are complicated. Some debate that these laws are heavily in favor of protecting privacy to the disadvantage of free flows of information and the business realities. Many reasons that there can never be a compromise on maintaining privacy in personal information. Yet others argue that Canada should be following international privacy precedent.
Canadian government’s view on this matter also diverges. Many provinces have followed different models to deal with privacy problems. Some have approached models in which regulation is achieved exclusively through legislation. Others follow a mix of legislation, contracts, and mechanisms dealing with monitoring, due diligence, and risk assessment. On the federal government level, the Treasury Board of Canada’s views, the federal government’s principal procurement agency, appear more liberal than privacy laws regulating the public sector in individual provinces.