The Privacy Implications of Outsourcing

By Evan Sumner

Last month’s revelation that CIBC will be outsourcing a large number of accounting jobs to India scandalized many Canadians. The news not only negatively affected CIBC’s reputation, but caused a drop in its share price and led to a number of its long-term customers breaking ties with the bank.[1]

Besides the obvious effect of reducing employment opportunities for Canadians, outsourcing has the added potential to thwart Canadian privacy laws designed to protect customer information. Put another way, outsourcing results in the personal data of Canadian customers being subject to the privacy laws of other jurisdictions – privacy laws that are potentially less robust than those in Canada.

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations like CIBC to consider the privacy implications of outsourcing to other jurisdictions. PIPEDA doesn’t prevent companies from outsourcing data processing but it does hold that Canadian companies must take any and all reasonable steps to ensure their customer data isn’t misused or mishandled by third-party organizations. This includes determining whether those organizations have the requisite policies and processes in place to ensure customer data is properly safeguarded.[2]

In the event a Canadian organization outsources some or all of its data processing, PIPEDA requires it ensure its customers are made aware of that fact, in no uncertain terms, preferably before they agree to disclose their information.[3]

Once an individual has made an informed decision to do business with an organization they no longer have any right to refuse the transfer of their information to other third-party organizations. In fact, if their information is processed by a third-party service provider that’s located somewhere like India, it is subject to India’s laws instead of Canada’s. In other words, if for some reason an Indian court issued a subpoena for your information, that third-party service provider would be required to give it to them.[4]

It isn’t hard to see how this arrangement could go wrong, especially if the third-party service provider happens to reside in a country where privacy isn’t as highly valued as it is in Canada.

While Canadian organizations have a responsibility to ensure their customer data is properly safeguarded at a level comparable to the protection provided in Canada, they still need to be held accountable when and if they fail to do so.[5] As such, there are certain steps Canadians can take to help protect their information. The Office of the Privacy Commissioner of Canada has several recommendations on how to employ PIPEDA to help you protect yourself.[6]

Organizations subject to Canadian law are required to be transparent with regards to their data outsourcing practices.[7] As a result, it’s important you notify the Office of the Privacy Commissioner, or their provincial equivalent, whenever you suspect an organization isn’t being transparent. It is also important to ensure you’re properly informed with regards to how an organization is handling your data. If you’re unsure what an organization is doing with your data, just ask them. Under PIPEDA, and similar provincial privacy legislation, an organization is required to disclose their data processing practices to their customers. If following such a request an organization can’t or won’t disclose their data processing practices, they may very well be in violation of PIPEDA or its provincial equivalent and should be reported – who you report to exactly depends on whether the organization is primarily governed by provincial or federal law.

In an age of daily privacy breaches, it’s always better to know more about how a company is handling your personal data and to do what you can to protect yourself from its potential misuse. That said, it’s important to keep in mind that international data transfers are essentially a fact of life these days and companies are typically under a lot of pressure to maintain privacy standards regardless of jurisdiction. In other words, please consider this article more as encouragement to stay informed rather than as a rallying cry to engage in a campaign of endless digital paranoia.

References   [ + ]

2, 3, 4.
6, 7.