Using Third Party Service Providers for Data Processing: Your Business' Legal Obligations

If your business collects personal information of any kind, you're likely using third party services to process that data. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have certain legal obligations in the event that your service provider suffers a data breach.
Categories: Business Insights
Feb 12th, 2020 | By: CapriCMW

If your business collects personal information of any kind, you're likely using third party services to process that data. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have certain legal obligations in the event that your service provider suffers a data breach.

Under PIPEDA, third party data processing refers to organizations collecting personal information and providing third party access to that data for the purpose of carrying out certain services for the organization. Some common examples include paying for cloud services to store customer and employee information, outsourcing payroll, procuring employee benefits plans through insurance providers, outsourcing customer service to call centres, etc. 

Mandatory data breach reporting came into effect across Canada on November 1, 2018. Organizations hit by privacy breaches (that meets certain conditions) are legally required to affected individuals and the Office of the Privacy Commissioner. You can learn more about these requirements in our previous blog post. If a third party data processor you use suffers a breach that meets the threshold for reporting, one may assume that the data processor would be accountable for fulfilling reporting and notification requirements under PIPEDA.

In fact, the onus falls on the organization that controls the data - your business would be legally responsible to notify affected individuals and the Privacy Commissioner.  

To minimize your liability and ensure compliance with PIPEDA, it is critical that your contracts with these service providers properly address the cybersecurity measures they should have in place and the policies and procedures for responding to a data breach. At a minimum, your contract should stipulate that your service provider:

  • notifies your business of a breach within the timeframes required by PIPEDA
  • provide all necessary information to meet your reporting and notification obligations
  • complies with appliable privacy laws
  • limits their use of personal data for specific purposes
  • protects data under their care from third party or authorized access
  • investigates and takes action to minimize the impact of breaches

Source: "What Businesses Need to Know About Their Legal Obligations When Outsourcing Data Processing to Third-Party Service Providers" by David McHugh of Segev LLP

For more information on how you can protect your business against the impact of a data breach, contact a CapriCMW Risk Advisor.

 

Recent Blog Posts

Business Insurance / COVID-19
BC's Economic Recovery Plan

On September 17, 2020, the provincial government released Stronger BC for Everyone: BC’s Economic…

Sep 22nd, 2020 | By: CapriCMW
Business Insurance / Occupational Health & Safety, WorkSafeBC, workers compensation
Changes to BC's Workers Compensation Act Now in Effect

On August 14, 2020, the Workers Compensation Amendment Act, 2020  (Bill 23) was passed into law,…

Sep 16th, 2020 | By: CapriCMW
Personal Insurance / Real Estate, landlord, COVID-19
New Rent Increase Effective Dates in BC

In March, a Ministerial Order delayed rent increases in BC until after the end of the Provincial…

Sep 10th, 2020 | By: CapriCMW
photo-10.jpg

Confidence and Freedom

At CapriCMW, we provide personalized insurance and custom risk solutions to give you the confidence and freedom to focus on what matters to you. Talk to an Advisor or get a quote today.

Get a Quote    Or call 1-800-670-1877

Can’t find what you are looking for? Ask us!