Using Third Party Service Providers for Data Processing: Your Business' Legal Obligations

If your business collects personal information of any kind, you're likely using third party services to process that data. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have certain legal obligations in the event that your service provider suffers a data breach.
Categories: Business Insights
Feb 12th, 2020 | By: CapriCMW

Under PIPEDA, third party data processing refers to organizations collecting personal information and providing third party access to that data for the purpose of carrying out certain services for the organization. Some common examples include paying for cloud services to store customer and employee information, outsourcing payroll, procuring employee benefits plans through insurance providers, outsourcing customer service to call centres, etc. 

Mandatory data breach reporting came into effect across Canada on November 1, 2018. Organizations hit by privacy breaches that meet certain conditions are legally required to notify affected individuals and the Office of the Privacy Commissioner. You can learn more about these requirements in our previous blog post. If a third party data processor you use suffers a breach that meets the threshold for reporting, one may assume that the data processor would be accountable for fulfilling the reporting and notification requirements under PIPEDA.

In fact, the onus falls on the organization that controls the data: your business would be legally responsible for notifying affected individuals and the Privacy Commissioner.

To minimize your liability and ensure compliance with PIPEDA, it is critical that your contracts with these service providers properly address the cybersecurity measures they should have in place and the policies and procedures for responding to a data breach. At a minimum, your contract should stipulate that your service provider:

  • notifies your business of a breach within the timeframes required by PIPEDA
  • provides all necessary information to meet your reporting and notification obligations
  • complies with applicable privacy laws
  • limits their use of personal data to specific purposes
  • protects data under their care from third party or unauthorized access
  • investigates and takes action to minimize the impact of breaches

Source: "What Businesses Need to Know About Their Legal Obligations When Outsourcing Data Processing to Third-Party Service Providers" by David McHugh of Segev LLP

For more information on how you can protect your business against the impact of a data breach, contact a CapriCMW Risk Advisor.
