The Information and Privacy Commissioner/Ontario has released a new guidance document on contracting with third party service providers for the processing of records and personal information. The document consolidates and augments existing IPC guidance, and invites institutions to consider a more holistic approach to due diligence.
Ontario institutions have spent the better part of the last decade migrating their IT services to systems hosted by third-party organizations. Although IT outsourcings are not the only outsourcings that raise privacy issues, the public sector’s move to the cloud has kept IT leaders, procurement professionals, risk managers and legal counsel very busy.
To date, the IPC has issued its guidance in a series of privacy investigation reports that focus on the contractual terms between the parties. The new guidance document reiterates that guidance, but stresses that holistic due diligence is required when contracting with third party service providers, and sets out the following five-part due diligence model.
Part 1 - Procurement planning
Part 2 - Tendering
Part 3 - Vendor selection
Part 4 - Agreement
Part 5 - Agreement management and termination
Possibly to stress the importance of considering privacy planning early in the procurement process, the IPC sets out the greatest number of requirements in respect of tendering - inviting institutions to set out appropriate access, privacy and security requirements in their tendering documents. These requirements, as noted by the IPC, should address legislative and compliance matters, the scope of processing, how to address access requests, the scope of collection, use, disclosure and retention, safeguarding, privacy breach and complaint management, and monitoring rights and obligations.
Given the growing interest of vendors in monetizing data, we highlight the IPC’s position on vendor secondary uses:
Service providers acting on behalf of an institution may not process personal information beyond what the institution itself is authorized to do. For example, service providers may not use personal information for secondary purposes such as marketing or product improvement without the independent consent of the individual users.
Although this reads as a clear prohibition, the IPC qualifies it in a footnote: “Use of personal information to develop or improve services may be inconsistent with authorized purposes.”
The IPC’s overall approach to outsourcing remains pragmatic. It says, “there is no one-size-fits all solution” and invites institutions to determine what is “relevant and appropriate” in each case. Although data localization has gained favour among some policy makers, the guidance does nothing to upset the IPC’s longstanding position on cross-border processing - that it is permitted, with no particular or special form of due diligence.
We would be pleased to discuss these matters with you and provide assistance with your next outsourcing project.