The privacy laws recognize that personal information transferred to a third party for processing (e.g. outsourcing; service provision) is not disclosed to that party, but remains, under the relevant privacy law, the responsibility of the transferring organization (the “data collector”). The laws also require the data collector to ensure that the service provider organization applies the same level of protection to that data while it is within the service provider’s custody or control as the data collector is obliged to provide under its relevant law. This legislative framework dictates that a data collector must include in its outsourcing/service provider agreements sufficient controls and requirements to ensure that its service provider satisfies that obligation. To be clear, it is the data collector that has the statutory obligation, while the service provider organization, generally, does not have a direct obligation at law but instead is required by contract to provide protections sufficient to ensure that the data collector is compliant.
A (non-exhaustive) itemization of the privacy protective provisions that should be contained in any outsourcing/service provider agreement includes:
- an acknowledgement that the service provider holds personal information on behalf of and (as applicable, e.g. under PHIPA) as agent for the data collector;
- an obligation on the service provider to protect the personal information from unauthorized disclosure or loss including meeting stipulated objective or recognized standards;
- an obligation of the service provider to refer all requests for access to personal information to the data collector;
- an obligation of the service provider not to use or disclose to third parties personal information except as authorized by the data collector;
- an obligation of the service provider to return to the data collector and delete or destroy personal information at any time as directed by the data collector or in any event at the end of the agreement term;
- an audit right for the data collector to inspect the service provider’s procedures and facilities;
- (as applicable) a restriction or procedural requirement in connection with any cross-border transfer or data storage and a requirement of the service provider to notify immediately the data collector in the event of any court, law enforcement or national security authority access to personal information;
- an obligation of the service provider to notify immediately the data collector in the event of any unauthorized use/disclosure, loss or other security breach and to provide full cooperation to the data collector in responding to such incident;
- an obligation of the service provider to comply with applicable privacy laws and to conduct itself in a manner that does not cause the data collector to breach such laws.