Alberta’s New Personal Information Outsourcing Requirements: Is Anybody Paying Attention?
The Amendments
I recently had an opportunity to speak with a representative in the Office of the Information and Privacy Commissioner of Alberta in connection with Alberta’s new obligations surrounding notification and disclosure of outsourcing arrangements involving personal information. On May 1st, Alberta’s Personal Information Protection Amendment Act, 2009 amended the provincial Personal Information Protection Act (PIPA). Now, while I’m not an Alberta lawyer, it’s clear to me that the amendments impact all organizations that collect personal information from residents of Alberta. I have worked from time to time with my firm’s Alberta office when PIPA privacy issues have arisen in the context of outsourcings, and (based on these amendments) it looks like I will be working with my Alberta colleagues even more often in the years ahead. That’s because the amendments require that, where organizations subject to PIPA use service providers located outside Canada, they:
- notify individuals before or at the time personal information is collected or transferred to a foreign service provider:
  - that the organization uses a service provider outside of Canada to collect personal information or that the organization transfers, directly or indirectly, personal information to a service provider outside of Canada;
  - how written information about the organization’s policies and practices regarding service providers outside of Canada can be obtained; and
  - contact information for a person who can answer questions about the collection, use, disclosure or storage of personal information by the organization’s offshore service providers; and
- maintain written information about the organization’s policies and practices regarding the use of foreign service providers that identifies:
  - the countries outside Canada in which the collection, use, disclosure or storage of personal information is occurring or may occur (including back-up); and
  - the purpose for which the service provider has been authorized to collect, use or disclose personal information on behalf of the organization.
By specifically targeting foreign service providers, the PIPA amendments are curiously protectionist. Service Alberta issued an Information Sheet on this amendment which is available through the Government of Alberta’s Private Sector Privacy website. The Information Sheet notes that the amendments are “designed to foster openness and accountability in private-sector organizations with respect to the use of service providers outside Canada.” Ostensibly, the basis for focusing on foreign service providers is that such service providers may not be subject to legislation protecting personal information similar to that existing in Canada. However, PIPA already imposes requirements to ensure that personal information, regardless of where it is located, is subject to protections necessary to satisfy applicable requirements. Since a different level of protection would not apply in the context of offshore service providers, one has to wonder why the additional requirements apply solely to offshore service providers. Concerns about an organization’s use of service providers would presumably not be limited to non-Canadian service providers and concerns about storing and processing personal information outside Canada would likely extend to the organization’s own practices and not just those of its foreign service providers.
In spite of the apparent significance of the amendments, the representative I recently spoke to at the Office of the Information and Privacy Commissioner of Alberta was not aware of any feedback that had been received on the outsourcing disclosure requirements and was also unaware of any steps that affected organizations had taken to meet the requirements. Confirming this view, I looked at the websites of various organizations operating in Alberta and couldn’t find any of the required information. Since that conversation, I have been wondering whether the lack of compliance is attributable to any specific concerns of industry, or perhaps to operational delays in implementing compliant practices — or whether the amendments are simply viewed as being insufficiently significant to justify the time and expense of immediate compliance. Or maybe it’s simply that a lot of companies just haven’t been paying attention.
New Notification Requirements
The new notification requirements found in Sections 13.1(1) and (2) immediately follow the existing notification requirement in Section 13.1, which requires organizations to notify individuals of the purposes for which personal information is collected before or at the time such information is collected and to specify an individual or position who can respond to questions about such collection. Sections 13.1(1) and (2) impose a similar notification requirement where a foreign service provider collects personal information on behalf of the organization (for example, where customer support which requires the collection of personal information is provided by an offshore service provider) or where personal information may be transferred to a foreign service provider. Although the word “notification” implies an express duty to actively communicate the requisite information to an individual, most organizations effectively meet their notification requirements under Section 13.1 through their privacy policies (by setting out the purposes for which personal information is collected). Organizations should therefore be able to comply with the outsourcing notification requirement in the same way, by simply modifying an existing privacy policy to disclose that service providers outside of Canada are used, how to obtain additional information regarding the organization’s policies and practices for offshore service providers, and the contact details of an individual who can respond to questions regarding such policies and practices. Likewise, if organizations disclose their personal information practices in documents presented to customers (such as enrolment and contest forms), that disclosure can be modified to reflect the requirements of the new amendments.
Although the new notification requirements are not onerous, compliance still presents issues. Organizations that operate in jurisdictions other than Alberta need to consider the potential impact (including any competitive disadvantage) that complying with the Alberta legislative requirements may have in those other jurisdictions. In addition, there are no grandfathering provisions excusing any outsourcing that preceded the amendment from the application of the notice requirements. Thus, a number of organizations that are subject to PIPA face the dilemma of how to communicate the required notification to existing customers – is a change to a privacy policy sufficient, or should an organization take additional measures to bring the change to its customers’ attention? Lastly, in my experience organizations tend to be cautious about making information about their use of offshore service providers public.
Written Policies and Procedures
Section 6(1) of PIPA requires organizations to maintain personal information policies and practices. The new Section 6(2) imposes a requirement for an organization to maintain information about the organization’s policies and practices regarding the use of offshore service providers. Pursuant to Section 6(3), organizations are required to make all policies and practices maintained under Sections 6(1) and (2) available upon request. The Information Sheet notes that organizations can either incorporate the information required for service providers outside Canada into their general privacy policy or can maintain a separate policy document for offshore service providers.
Practically, organizations should not use their generally available privacy policy to communicate their outsourcing practices except in the most general sense. Since the use of offshore service providers is subject to constant change and because outsourcing is often a key strategic initiative, it would be prudent to maintain a separate outsourcing policy which would only be provided to individuals upon request. This policy could be regularly updated and modified as necessary to reflect the organization’s practices and could be customized before being released to any individual so that it provides only the information actually requested.
Taking Action
As previously stated, I have yet to see any evidence that organizations are working towards compliance. This might be attributable to the typical administrative delay in implementing changes to practices. Alternatively, organizations may be adopting a “wait and see” policy to determine how the Office of the Information and Privacy Commissioner of Alberta intends to enforce the new requirements and how much information about offshore outsourcings competitors will disclose. Equally likely, organizations may feel that the new requirements are not sufficiently material to be worth focusing on at this time.
I would imagine that, like myself, many organizations are questioning the need for the amendments and whether it is sound policy for the government to impose a requirement to disclose sensitive commercial information to the public. However, regardless of the reason, it is curious that organizations are not, at a minimum, taking the requisite steps to at least visibly indicate compliance – which would really only require a modification to privacy policies to advise that non-Canadian service providers are used and to provide contact information for someone who can respond to questions regarding such service providers. The more problematic document detailing the actual policies and procedures employed with respect to offshore service providers can be discussed internally so that something can (hopefully) be in place before a request is made for such information.