Using Third Party Service Providers for Data Processing: Your Business' Legal Obligations

If your business collects personal information of any kind, you're likely using third party services to process that data. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have certain legal obligations in the event that your service provider suffers a data breach.
Categories: Business Insights
Feb 12th, 2020 | By: CapriCMW

If your business collects personal information of any kind, you're likely using third party services to process that data. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have certain legal obligations in the event that your service provider suffers a data breach.

Under PIPEDA, third party data processing refers to organizations collecting personal information and providing third party access to that data for the purpose of carrying out certain services for the organization. Some common examples include paying for cloud services to store customer and employee information, outsourcing payroll, procuring employee benefits plans through insurance providers, outsourcing customer service to call centres, etc. 

Mandatory data breach reporting came into effect across Canada on November 1, 2018. Organizations hit by privacy breaches (that meets certain conditions) are legally required to affected individuals and the Office of the Privacy Commissioner. You can learn more about these requirements in our previous blog post. If a third party data processor you use suffers a breach that meets the threshold for reporting, one may assume that the data processor would be accountable for fulfilling reporting and notification requirements under PIPEDA.

In fact, the onus falls on the organization that controls the data - your business would be legally responsible to notify affected individuals and the Privacy Commissioner.  

To minimize your liability and ensure compliance with PIPEDA, it is critical that your contracts with these service providers properly address the cybersecurity measures they should have in place and the policies and procedures for responding to a data breach. At a minimum, your contract should stipulate that your service provider:

  • notifies your business of a breach within the timeframes required by PIPEDA
  • provide all necessary information to meet your reporting and notification obligations
  • complies with appliable privacy laws
  • limits their use of personal data for specific purposes
  • protects data under their care from third party or authorized access
  • investigates and takes action to minimize the impact of breaches

Source: "What Businesses Need to Know About Their Legal Obligations When Outsourcing Data Processing to Third-Party Service Providers" by David McHugh of Segev LLP

For more information on how you can protect your business against the impact of a data breach, contact a CapriCMW Risk Advisor.

 

Recent Blog Posts

Business Insights / Real Estate, property development
How the Land Owner Transparency Act Will Affect Developers in BC

The Land Owner Transparency Act (LOTA), expected to come into force later this year, will introduce…

Feb 19th, 2020 | By: CapriCMW
Personal Insurance / extreme weather, home maintenance
10 Ways to Protect Your Home Against Cold Weather

Extreme weather is becoming more common with temperatures hitting historic lows this winter in many…

Feb 5th, 2020 | By: CapriCMW
Employee Benefits / Human Resources, workplace wellness
HR Trends Transforming Workplaces in 2020

In recent years, the role of human resources has evolved and broadened as technological developments…

Jan 29th, 2020 | By: CapriCMW
photo-10.jpg

Confidence and Freedom

At CapriCMW, we provide personalized insurance and custom risk solutions to give you the confidence and freedom to focus on what matters to you. Talk to an Advisor or get a quote today.

Get a Quote    Or call 1-800-670-1877

Can’t find what you are looking for? Ask us!