Purchasing professionals would do well to consider information security requirements in third-party vendor services agreements
In an era marked by rapid, technologically enabled social change, and in response to mounting evidence that businesses under-protect the personal information they collect, Canadian legislatures and courts have promulgated legal requirements aimed at strengthening privacy rights (industry bodies may layer further contractual standards on top, as the payment card industry does with PCI DSS). Purchasing professionals must therefore consider including robust information security requirements in third-party vendor services agreements as the means of “flowing down” those obligations into the supply chain: a statutory duty that stops at the company’s own boundary is of little use once the data sits on a vendor’s systems.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is general Canadian federal legislation which establishes rules that recognize both the right of privacy of individuals with respect to their personal information, as well as the needs of organizations engaged in commercial activities to collect, use and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
Alberta, British Columbia and Quebec have enacted comprehensive private-sector privacy legislation that has been declared substantially similar to PIPEDA (Manitoba has also passed private-sector data protection legislation, which is expected to be declared substantially similar once it is proclaimed in force). Leaving aside lingering constitutional concerns, the better view is that PIPEDA regulates private-sector organizations doing business in Manitoba, New Brunswick, Newfoundland and Labrador, the Northwest Territories, Nova Scotia, Nunavut, Ontario, Prince Edward Island, Saskatchewan and the Yukon; however, because of constitutional limits on the federal government’s ability to regulate workplaces, it does not govern those organizations’ handling of their own employees’ personal information. Personal health information is outside the scope of this article; several provincial statutes separately regulate its collection, use and disclosure by private-sector actors. An organization involved in cross-border transactions may find those transactions regulated by a combination of PIPEDA, provincial legislation and the privacy regime of another country.
PIPEDA also applies to the collection, use and disclosure of personal information about an employee of an organization that operates “a federal work, undertaking or business”, such as a bank or a telecommunications company. As noted above, a company’s handling of personal information about its employees who are resident in Alberta, British Columbia and/or Quebec is regulated under the applicable provincial privacy legislation (again leaving aside personal health information related issues). Nevertheless, many employers located outside of those three provinces are basing their workplace privacy practices and procedures on PIPEDA requirements on the basis that it evidences industry best practices.
PIPEDA sets out 10 principles of fair information practices, which form the basic ground rules for the collection, use and disclosure of personal information and for providing individuals with access to their personal information. These principles are intended to give individuals an appropriate measure of control over how their personal information is handled. In addition to the 10 principles, PIPEDA contains an overarching obligation that “any collection, use or disclosure of personal information must only be for purposes that a reasonable person would consider are appropriate in the circumstances”.
Canadian courts have also adopted an activist stance regarding the protection of privacy rights. In a significant development, the new tort of intrusion upon seclusion was recognized in Ontario in 2012 as an independent cause of action in Jones v. Tsige, on facts for which PIPEDA was the relevant “background” statute. In Jones, a “rogue” bank employee repeatedly and improperly accessed the banking records of a fellow employee (there was no wrongdoing on the part of the PIPEDA-regulated bank itself).
The following three elements must be satisfied in order to establish the tort of intrusion upon seclusion: (i) the defendant’s conduct must be intentional; (ii) the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and (iii) a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.
Damages for intrusion upon seclusion have generally fallen in the range of $10,000 to $20,000, depending on the egregiousness of the facts in each case (in Jones the Court of Appeal fixed the upper end of the range for cases without proven pecuniary loss at $20,000 and awarded $10,000). When this per-plaintiff range is multiplied by the number of individuals typically included in a class action, the overall monetary exposure may be very significant. The same trend towards increased damages is discernible in cases where liability under PIPEDA has been in issue.
British Columbia, Saskatchewan, Manitoba and Newfoundland and Labrador each have a Privacy Act that creates a statutory cause of action for breach of privacy (the Quebec Civil Code contains a comparable provision).
The ambit of the new Ontario tort was carefully circumscribed to fit the facts in Jones; however, Justice Sharpe, writing for a unanimous three-judge panel, also acknowledged the American four-tort privacy catalogue, which includes a tort providing a remedy where the defendant is responsible for the public disclosure of embarrassing private facts about the plaintiff. That second shoe dropped in Canada in the summer of 2015, when the Federal Court accepted the tort of public disclosure of private facts as a basis for certifying a class action against the Government of Canada brought by individuals who had received a letter from Health Canada whose envelope identified, on the outside, their participation in the Marihuana Medical Access Program.
Businesses keeping abreast of these legal and regulatory developments are insisting on an information security standards schedule as an attachment to the master services agreement (MSA) wherever the vendor may access, process, transmit or store company personal information, or has connectivity to the company’s networks. The schedule tends to be modular: a set of mandatory “core” standards (often aligned with a recognized international framework such as ITIL, COBIT or the ISO/IEC 27000 series) plus additional security requirements that apply only where the vendor (i) operates one or more facilities that store company personal information and/or has connectivity to one or more company networks, or (ii) provides software development services. Because the schedule is the mechanism by which statutory obligations are flowed down, it should also require the vendor to impose the same standards on any subcontractors it uses to perform the services, so that the chain of obligation does not break one tier below the company.
Ravi Shukla is a business lawyer who specializes in Internet and information technology law.