A private correspondent has suggested to me that call centres that record incoming calls ‘for quality assurance purposes’ often store the recordings offshore, including in the US. The correspondent wondered if there was any concern that the information in the calls might therefore be subject to investigation or copying by US law enforcement under the PATRIOT Act.
Both the Canadian and the Ontario Privacy Commissioners have commented on allegations of special risk of having personal information in the US because of that statute. Neither have supported the concerns. A recent summary of the discussion is found in the Ontario IPC’s decision PC 12-39 concerning the Ministry of Natural Resources at pages 5 – 6.
Essentially both commissioners say that there is no more risk of PI finding its way into the ‘wrong’ hands under that Act than under the equivalent Canadian legislation, and the exchange of information across the border by law enforcement agencies is routine.
They also cite privacy experts David Fraser and Michael Geist to the same effect.
Other privacy complaints based on storing PI in the US have failed in the past, in Ontario and British Columbia and probably elsewhere.
Anyone in Canada subject to privacy laws must ensure that third-party recipients (sub-contractors) of that information comply with restrictions equivalent to those in force in the home jurisdiction.
But the fact that the information may be subject to discovery by law enforcement officials is not a reason not to store it in the US. (I do not know if all foreign storage would be as acceptable. Views?)
Does that sound right to you?
Is there any obligation to inform people that their PI will be stored in the US, or otherwise outside of Canada? If so, should it be part of the recorded message (‘this call may be recorded for quality assurance purposes. The recording will be stored in the country with the cheapest bandwidth’)?