Using Third Party Service Providers for Data Processing: Your Business' Legal Obligations

If your business collects personal information of any kind, you're likely using third party services to process that data. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have certain legal obligations in the event that your service provider suffers a data breach.
Categories: Business Insights
Feb 12th, 2020 | By: CapriCMW

Under PIPEDA, third party data processing refers to organizations collecting personal information and providing third party access to that data for the purpose of carrying out certain services for the organization. Some common examples include paying for cloud services to store customer and employee information, outsourcing payroll, procuring employee benefits plans through insurance providers, outsourcing customer service to call centres, etc. 

Mandatory data breach reporting came into effect across Canada on November 1, 2018. Organizations hit by privacy breaches that meet certain conditions are legally required to notify affected individuals and the Office of the Privacy Commissioner. You can learn more about these requirements in our previous blog post. If a third party data processor you use suffers a breach that meets the threshold for reporting, one may assume that the data processor would be accountable for fulfilling the reporting and notification requirements under PIPEDA.

In fact, the onus falls on the organization that controls the data: your business would be legally responsible for notifying affected individuals and the Privacy Commissioner.

To minimize your liability and ensure compliance with PIPEDA, it is critical that your contracts with these service providers properly address the cybersecurity measures they should have in place and the policies and procedures for responding to a data breach. At a minimum, your contract should stipulate that your service provider:

  • notifies your business of a breach within the timeframes required by PIPEDA
  • provides all necessary information to meet your reporting and notification obligations
  • complies with applicable privacy laws
  • limits their use of personal data to specific purposes
  • protects data under their care from third party or unauthorized access
  • investigates and takes action to minimize the impact of breaches

Source: "What Businesses Need to Know About Their Legal Obligations When Outsourcing Data Processing to Third-Party Service Providers" by David McHugh of Segev LLP

For more information on how you can protect your business against the impact of a data breach, contact a CapriCMW Risk Advisor.
