With all the news over the past couple of weeks — whether it be "Shrems II" or the release of the contact tracing app by the federal government — a smaller, less known story managed to slip through the cracks. That is, 10 days ago, the Office of the Privacy Commissioner of Canada released a report of findings in an important case about cross-border transfers of personal information.
The case arose from a complaint about a bank outsourcing to an organization in India. While the commissioner expressed his concerns that the current legislative framework does not adequately protect Canadians when it comes to transfers outside of Canada, he nevertheless found that the bank had done things properly in this instance.
I think it’s an important case because I’ve long said that we need examples of what is acceptable and expected when it comes to safeguarding information once it leaves Canada. This case provides a good shopping list of examples that satisfied the commissioner. For example, the bank adopted a number of measures aimed at reducing the risk to its customers’ personal information. These included:
Undertaking risk assessments to identify and mitigate potential privacy risks associated with engaging the service provider, prior to signing a contract, and then incorporating those findings into the contract.
Requiring the service provider to control its work environment to prevent copying or sharing information about the bank’s customers or employees.
Strictly limiting the service provider’s access to, and use of, personal information through a contract and robust safeguards.
Proactively monitoring the service provider’s safeguards and practices to ensure contractual compliance, including via regular audits by an independent auditor. Any issues were to be monitored by the auditor to ensure they were addressed.
The report of findings is here. I encourage all privacy pros to read it (it’s not very long) because it lays out in some detail what is expected and acceptable when you do transfer personal information outside the country.
And in somewhat unrelated but other interesting news, did you see that Ontario has launched a consultation into the possibility of private sector privacy legislation for that province? It’s about time!