I recently had an opportunity to speak with a representative in the Office of the Information and Privacy Commissioner of Alberta in connection with Alberta’s new obligations surrounding notification and disclosure of outsourcing arrangements involving personal information. On May 1st, Alberta’s Personal Information Protection Amendment Act, 2009 amended the provincial Personal Information Protection Act (PIPA). Now, while I’m not an Alberta lawyer, it’s clear to me that the amendments impact all organizations that collect personal information from residents of Alberta. I have worked from time to time with my firm’s Alberta office when PIPA privacy issues have arisen in the context of outsourcings, and (based on these amendments) it looks like I will be working with my Alberta colleagues even more often in the years ahead. That’s because the amendments require that, where organizations subject to PIPA use service providers located outside Canada, they:
- notify individuals before or at the time personal information is collected or transferred to a foreign service provider:
  - that the organization uses a service provider outside of Canada to collect personal information or that the organization transfers, directly or indirectly, personal information to a service provider outside of Canada;
  - how written information about the organization’s policies and practices regarding service providers outside of Canada can be obtained; and
  - contact information for a person who can answer questions about the collection, use, disclosure or storage of personal information by the organization’s offshore service providers; and
- maintain written information about the organization’s policies and practices regarding the use of foreign service providers that identifies:
  - the countries outside Canada in which the collection, use, disclosure or storage of personal information is occurring or may occur (including back-up); and
  - the purpose for which the service provider has been authorized to collect, use or disclose personal information on behalf of the organization.
By specifically targeting foreign service providers, the PIPA amendments are curiously protectionist. Service Alberta issued an Information Sheet on this amendment which is available through the Government of Alberta’s Private Sector Privacy website. The Information Sheet notes that the amendments are “designed to foster openness and accountability in private-sector organizations with respect to the use of service providers outside Canada.” Ostensibly, the basis for focusing on foreign service providers is that such service providers may not be subject to legislation protecting personal information similar to that existing in Canada. However, PIPA already imposes requirements to ensure that personal information, regardless of where it is located, is subject to protections necessary to satisfy applicable requirements. Since a different level of protection would not apply in the context of offshore service providers, one has to wonder why the additional requirements apply solely to offshore service providers. Concerns about an organization’s use of service providers would presumably not be limited to non-Canadian service providers and concerns about storing and processing personal information outside Canada would likely extend to the organization’s own practices and not just those of its foreign service providers.
In spite of the apparent significance of the amendments, the representative I recently spoke to at the Office of the Information and Privacy Commissioner of Alberta was not aware of any feedback that had been received on the outsourcing disclosure requirements and was also unaware of any steps that affected organizations had taken to meet the requirements. Confirming this view, I looked at the websites of various organizations operating in Alberta and couldn’t find any of the required information. Since that conversation, I have been wondering whether the lack of compliance is attributable to any specific concerns of industry, or perhaps to operational delays in implementing compliant practices — or whether the amendments are simply viewed as being insufficiently significant to justify the time and expense of immediate compliance. Or maybe it’s simply that a lot of companies just haven’t been paying attention.
New Notification Requirements
Written Policies and Procedures
As previously stated, I have yet to see any evidence that organizations are working towards compliance. This might be attributable to the typical administrative delay in implementing changes to practices. Alternatively, organizations may be adopting a “wait and see” policy to determine how the Office of the Information and Privacy Commissioner of Alberta intends to enforce the new requirements and how much information about offshore outsourcings competitors will disclose. Equally likely, organizations may feel that the new requirements are not sufficiently material to be worth focusing on at this time.
I would imagine that, like myself, many organizations are questioning the need for the amendments and whether it is sound policy for the government to impose a requirement to disclose sensitive commercial information to the public. However, regardless of the reason, it is curious that organizations are not, at a minimum, taking the requisite steps to at least visibly indicate compliance – which would really only require a modification to privacy policies to advise that non-Canadian service providers are used and to provide contact information for someone that can respond to questions regarding such service providers. The more problematic document detailing the actual policies and procedures employed with respect to offshore service providers can be discussed internally so that something can (hopefully) be in place before a request is made for such information.