The passage of Bill 64 (the Act to Modernize Legislative Provisions respecting the Protection of Personal Information) will have major consequences for companies doing business in the province that engage in outsourcing. Outsourcing involves transfers, communications, or disclosures of personal information to third parties (referred to here as “disclosures”) and is extremely common in Quebec and Canada. The types of outsourcings vary considerably and include payment processing, IT services, artificial intelligence (AI) services (and there are many of these), business process outsourcing, and a myriad of different types of cloud computing. Bill 64 will add a new layer of regulation on top of the other Canadian and international privacy laws, and other overlapping regulatory regimes that already apply to outsourcing transactions.
Bill 64 will require companies to review their current templates, agreements, practices and processes. Many service provider standard forms, customer outsourcing and procurement templates and existing agreements will not comply with Bill 64. Therefore, a lot of work will need to be done by customers and service providers to get ready for Bill 64.
The failure to comply with Bill 64 could subject enterprises to very large administrative monetary penalties (AMPS), fines, and private rights of action. So the risks of not being prepared, or not getting it right, could be high.[i]
Accountability of Enterprises
As more fully explained below, Bill 64 generally permits enterprises to disclose personal information to third parties for outsourcing purposes. But, those enterprises remain accountable for that information while in the possession of the outsourcer. This is made clear in s.1 of Bill 64 which states:
The Act applies to such information, whether the enterprise keeps the information itself or through the agency of a third person, whatever the nature of its medium and whatever the form in which it is accessible, whether written, graphic, taped, filmed, computerized, or other.
Accordingly, enterprises must ensure that they are in a position to comply with all of their obligations under Bill 64. To do so, enterprises will be required to establish and implement governance policies and practices to ensure that personal information is protected in outsourcing transactions. This requirement is set out in s.3.2 of Bill 64:
Any person carrying on an enterprise must establish and implement governance policies and practices regarding personal information that ensure the protection of such information. Such policies and practices must, in particular, provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the members of its personnel throughout the life cycle of the information and provide a process for dealing with complaints regarding the protection of the information. The policies and practices must also be proportionate to the nature and scope of the enterprise’s activities and be approved by the person in charge of the protection of personal information.
While Bill 64 does not expressly say so, somewhat similarly to what OSFI-regulated financial institutions must do under the OSFI B-10 Outsourcing Guideline, all enterprises that disclose personal information for outsourcing purposes must establish and implement governance policies and practices for the protection of personal information in connection with the outsourcing relationship. This will likely have to include the process for conducting privacy impact assessments, methods and terms for contracting with outsourcers, processes for verification (including audits) of outsourcers, and flow-down of specific obligations to ensure that the enterprise can comply with its obligations under Bill 64.
Privacy impact assessments
There are two different privacy impact assessments (PIAs) under Bill 64. Bill 64 requires enterprises to conduct PIAs before they disclose personal information to an outsourcer, whether domestic or foreign, if it involves a project to acquire, develop, or overhaul an information system or electronic service delivery system involving personal information. s.3.3 states the following:
Any person carrying on an enterprise must conduct an assessment of the privacy-related factors of any project to acquire, develop, or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information.
The privacy impact assessment
… must be proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.
The list of “privacy-related factors” that must be assessed is not provided. This leaves the analysis somewhat open ended.
Privacy impact assessments before disclosing information outside of Quebec
Bill 64 creates a requirement for conducting a PIA before information can be disclosed outside of Quebec, which presumably applies to both inter-provincial and to foreign disclosures. This requirement is contained in s.17 which reads as follows:
Before communicating personal information outside Québec, a person carrying an enterprise must conduct an assessment of privacy-related factors. The person must, in particular, take into account:
(i) the sensitivity of the information;
(ii) the purposes for which it is to be used;
(iii) the protection measures, including those that are contractual, that would apply to it; and
(iv) the legal framework applicable in the State in which the information would be communicated, including the personal information protection principles applicable in that State.
The information may be communicated if the assessment establishes that it would receive adequate protection, in particular in light of generally recognized principles regarding the protection of personal information. The communication of the information must be the subject of a written agreement that takes into account, in particular, the results of the assessment and, if applicable, the terms agreed on to mitigate the risks identified in the assessment.
The same applies where the person carrying on an enterprise entrusts a person or body outside Québec with the task of collecting, using, communicating or keeping such information on its behalf.
The upshot of these provisions is the following:
- Before information can be disclosed to an outsourcer outside of Quebec, the enterprise must conduct a PIA in accordance with s.17 of the law.
- The PIA must include at least an assessment of these privacy-related factors:
(i) the sensitivity of the information;
(ii) the purposes for which it is to be used;
(iii) the protection measures, including those that are contractual, that would apply to it; and
(iv) the legal framework applicable in the State in which the information would be disclosed including the personal information protection principles applicable in that State.
- Because of the contextual nature of the PIA, it may need to be done on a case by case basis.
- The disclosure of personal information is not permitted unless the assessment establishes that the information would receive “adequate protection, in particular in light of generally recognized principles regarding the protection of personal information”.
- The “adequate protection” threshold assessment is fraught with difficulties:
- Enterprises have to make their own assessments as to whether information would receive “adequate protection”.
- It is unclear what “generally recognized principles regarding the protection of personal information” means. Is this the laws of Canada, the EU, or some other country? Would meeting the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data be sufficient? Would meeting the privacy standards in trade agreements such as CUSMA, the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), the APEC Privacy Framework, or the Council of Europe’s Modernized Convention on Personal Data Protection, or some combination of the foregoing, meet the standard?
- The law does not have any of the GDPR framework such as contractual clauses, binding corporate rules, a way for the Province to make findings of adequacy, or a way to sanction a Privacy Shield like safe harbour.
- The law permits and requires that risks that can be mitigated be mitigated contractually. It is unclear which types of risks can be mitigated by contractual or other measures, such as the use of encryption and the methods used to store private keys.
- In view of the ambiguity of the standard, transfers to some countries, including the United States, are inevitably likely to be subject to Schrems I and Schrems II like challenges.
It has sometimes been suggested that under Bill 64 the enterprise outsourcing a function to a third party must, in respect of security, only take measures that are required to ensure “adequate protection”. s.10 creates additional obligations. It reads as follows:
A person carrying on an enterprise must take the security measures necessary to ensure the protection of the personal information collected, used, communicated, kept or destroyed and that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.
Given the accountability principle it is likely that the enterprise must require the outsourcer to take security measures with respect to the protection of personal information that are reasonable to meet the requirements of s.10.
In view of s.18.3, the outsourcing agreement will also need to include methods to enable the enterprise to verify that the outsourcer is complying with the required security measures.
Bill 64 is silent as to whether service providers have independent obligations to comply with s.10 (and other provisions in the law), as in CPPA.
Agreement terms to permit disclosures to outsourcers
Bill 64 has an exception to the obligation to obtain consents of individuals under s.13 for disclosing personal information to third parties for outsourcing purposes. The exception is set out in s.18.3 which reads as follows:
A person carrying on an enterprise may, without the consent of the person concerned, communicate personal information to any person or body if the information is necessary for carrying out a mandate or performing a contract of enterprise or for services entrusted to that person or body by the person carrying on an enterprise.
In such a case, the person carrying on an enterprise must
(i) entrust the mandate or contract in writing; and
(ii) specify in the mandate or contract the measures the mandatary or the person performing the contract must take to protect the confidentiality of the personal information communicated, to ensure that the information is used only for carrying out the mandate or performing the contract and to ensure that the mandatary or person does not keep the information after the expiry of the mandate or contract. A person or body carrying out a mandate or performing a contract of enterprise or for services referred to in the first paragraph must notify the person in charge of the protection of personal information without delay of any violation or attempted violation by any person of any obligation concerning the confidentiality of the information communicated, and must also allow the person in charge of personal information to conduct any verification relating to confidentiality requirements.
s.18.3 expressly requires the enterprise to have at least the following in its contract with the outsourcer:
- The security measures the outsourcer must take. These must be sufficient to meet the obligations under Bill 64.
- That the disclosed information is used only for the purposes of carrying out the contract. This limitation will create issues with many standard form outsourcing contracts, which frequently contain terms that permit the outsourcer to use information for other purposes such as to improve the outsourcer’s services. It will also create challenges for many AI service agreements, which often contain terms permitting customer data to be used for machine learning and related purposes.
- That the information is not retained when no longer required for the mandate. Under s.23, Bill 64 gives enterprises the option of either destroying or anonymizing information or using it “for serious and legitimate purposes” when the purposes for which it was collected or used have been achieved. Bill 64 does not expressly permit enterprises to permit outsourcers to retain and use anonymized information or to use it for serious and legitimate purposes after the contract ends.
- That the outsourcer will notify the enterprise if there has been a breach or an attempted breach of the confidentiality/security obligations. The “attempted breach” notification requirement will also be a problem as service providers typically do not want to report on “attempted breaches” and will be reluctant to include “attempted breaches” in definitions of reportable “security incidents”.
- The enterprise must have verification (or audit) rights to ensure that the required security measures have been implemented by the outsourcer.
Where the disclosure of personal information is outside of Quebec, the contract with the outsourcer must also contain the other terms that are required under s.18.3 to ensure that the information receives “adequate protection…in light of generally recognized principles regarding the protection of personal information”.
The contract with the outsourcer must also contain terms that will enable the enterprise to meet its other Bill 64 obligations. Some of these are summarized below.
Disclosures that information may be processed outside of Quebec
s.8 of Bill 64 requires enterprises to inform individuals when the information is collected (or subsequently upon request) that the information could be disclosed outside Québec. Individuals must also be informed of the names of the third persons or categories of third persons to whom personal information will be disclosed.
Bill 64 contains provisions related to security breach notification that need to be addressed by enterprises and their outsourcers.
As noted above, under s.18.3 an outsourcer is required to notify the enterprise for whom services are provided without “delay of any violation or attempted violation by any person of any obligation concerning the confidentiality of the information communicated”. This language may catch certain confidentiality incidents, but such a term by itself would not provide enterprises with what they need to comply with Bill 64.
Under Bill 64, enterprises are required to give notice to the CAI and to certain individuals and third parties under s.3.5 of Bill 64, which reads, in part, as follows:
Any person carrying on an enterprise who has cause to believe that a confidentiality incident involving personal information the person holds has occurred must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature.
If the incident presents a risk of serious injury, the person carrying on an enterprise must promptly notify the Commission d’accès à l’information established by section 103 of the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1). He must also notify any person whose personal information is concerned by the incident, failing which the Commission may order him to do so. He may also notify any person or body that could reduce the risk, by communicating to the person or body only the personal information necessary for that purpose without the consent of the person concerned. In the latter case, the person in charge of the protection of personal information must record the communication of the information.
Despite the second paragraph, a person whose personal information is concerned by the incident need not be notified so long as doing so could hamper an investigation conducted by a person or body responsible by law for the prevention, detection or repression of crime or statutory offences.…
Bill 64 defines the term “confidentiality incident” to mean: “access not authorized by law to personal information; use not authorized by law of personal information; communication not authorized by law of personal information; or loss of personal information or any other breach in the protection of such information”.
Bill 64 also provides guidance on when “the incident presents a risk of serious injury” as follows:
In assessing the risk of injury to a person whose personal information is concerned by a confidentiality incident, a person carrying on an enterprise must consider, in particular, the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes. The person must also consult the person in charge of the protection of personal information within the enterprise.
Bill 64 also requires enterprises “to keep a register of confidentiality incidents.”
To enable enterprises to comply with the Bill 64 security incident obligations, and having regard to the accountability principle in Bill 64, it is likely they must include in their outsourcing agreements terms that accomplish at least the following:
- A requirement that the outsourcer notify the enterprise without “delay of any violation or attempted violation by any person of any obligation concerning the confidentiality of the information communicated”.
- An obligation that the outsourcer notify the enterprise of a confidentiality incident of a sufficient degree of seriousness, and with sufficient information, to enable the enterprise to determine whether the incident presents a risk of serious injury that triggers the notification requirements. The outsourcing agreement will need to address Bill 64’s nuances regarding when notifications by the enterprise must be given.
- An obligation on the outsourcer, where it “has cause to believe that a confidentiality incident involving personal information the person holds has occurred”, to “take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature”.
- An obligation on the outsourcer “to keep a register of confidentiality incidents” and to provide appropriate access to same to enable the enterprise to comply with Bill 64 which, at a minimum, must provide that “A copy of the register must be sent to the Commission at its request”. This is similar to the existing PIPEDA requirement which, even today, some widely used outsourcing providers push back on providing.
Restrictions on use of disclosed information
s.12 of Bill 64 restricts uses of information provided to an enterprise to those for which consent has been obtained. Bill 64 has certain exceptions to use information for other purposes without consent such as “if it is used for purposes consistent with the purposes for which it was collected”, “if it is clearly used for the benefit of the person concerned”; “if its use is necessary for the purpose of preventing and detecting fraud or of assessing and improving protection and security measures”; “if its use is necessary for the purpose of providing or delivering a product or providing a service requested by the person concerned; or “if its use is necessary for study or research purposes or for the production of statistics and if the information is de-identified”.
Bill 64’s provisions related to consent may also impact contracts with outsourcers. Many standard form agreements with outsourcers, including some cloud and AI service providers, for example, contain terms that permit the outsourcer to use customer data for a variety of their own purposes. Sometimes the purposes are limited, but sometimes not. Given Bill 64’s limited exceptions to consent, enterprises must carefully consider what uses outsourcers can make of personal information provided for processing, unless they are willing to obtain consents from their customers for such uses or accept the risks of penalties, fines, and class actions should consents not be obtained.
Providing access to information
Bill 64 contains obligations on enterprises to provide access to information in particular formats. It also provides individuals a right to correct information if it is inaccurate, incomplete or equivocal. ss.27 and 28 state, in part:
s.27 Every person carrying on an enterprise who holds personal information on another person must, at the request of the person concerned, confirm the existence of the personal information, communicate it to the person and allow him to obtain a copy of it.
At the applicant’s request, computerized personal information must be communicated in the form of a written and intelligible transcript.
Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant, and not created or inferred using personal information concerning him, must, at his request, be communicated to him in a structured, commonly used technological format. The information must also be communicated, at the applicant’s request, to any person or body authorized by law to collect such information.…
s.28 In addition to the rights provided under the first paragraph of article 40 of the Civil Code, any person may, if personal information concerning him is inaccurate, incomplete or equivocal, or if collecting, communicating or keeping it are not authorized by law, require that the information be rectified.
In many outsourcing transactions, such as a pure hosting cloud PaaS or IaaS service, the enterprise may not require the assistance of the outsourcer to fulfill these obligations. However, for other types of outsourcing (such as SaaS) the enterprise will need to ensure that the solution is capable of meeting individuals’ access requests. Where a business process is outsourced, and depending on the degree of the outsourcing, the outsourcing agreement will need to set out in detail the outsourcer’s obligations to comply with the access requirements of Bill 64.
Automated decisions and outsourcing
Many enterprises are increasingly relying on AI tools to make decisions about individuals. Often enterprises outsource business processing to third parties who themselves rely on AI systems to make the decisions.
Bill 64 introduced new privacy protections for individuals with respect to certain decisions made about them using their personal information, which enterprises that outsource business processes will need to address. s.12.1 of Bill 64 states the following:
s.12.1 Any person carrying on an enterprise who uses personal information to render a decision based exclusively on an automated processing of such information must inform the person concerned accordingly not later than at the time it informs the person of the decision.
He must also inform the person concerned, at the latter’s request,
(i) of the personal information used to render the decision;
(ii) of the reasons and the principal factors and parameters that led to the decision; and
(iii) of the right of the person concerned to have the personal information used to render the decision corrected.
The person concerned must be given the opportunity to submit observations to a member of the personnel of the enterprise who is in a position to review the decision.
The implications for outsourcing contracts for business processing outsourcings that use personal information to render a decision based on an automated processing of information are the following:
- The contract must either permit or prohibit decisions about individuals being made solely by automated means. It may be possible to avoid Bill 64 applying if all decisions are made only with “persons in the loop”. But if decisions will be made only by automated means, then further terms will be required in the outsourcing agreement to ensure that the enterprise can comply with Bill 64.
- The individual must be informed that the decision has been made by automated means. The outsourcing agreement must specify who will inform the individuals.
- Processes must be put in place to ensure the enterprise is able to answer information requests of individuals. Bill 64 mandates that, if requested, individuals be given minimum explanation that includes the personal information used in making the decision and the “reasons and the principal factors and parameters that led to the decision”. Thus, the outsourcing agreement must at least provide that the outsourcer and its AI tools have a minimum threshold of “explainability” and must also provide for disclosure thereof to the enterprise to be able to answer individuals’ requests for information. Customers already often need to contract for a minimum level of explainability to meet other legal or regulatory obligations. Bill 64 will add to the complexity of negotiating AI service agreements.
- There must be a process to enable a “human in the loop” to review the decision.
Fines and penalties
Outsourcing agreements typically contain limitations and exclusions of liability for breaches of contract. The agreements frequently also contain exclusions from liability or “stretch caps” to address specific types of breaches, such as breaches of privacy, security, and confidentiality obligations, or fines imposed for breach of certain provisions or of applicable law. They typically also contain indemnities.
Bill 64 creates substantial risks of fines and penalties for breaches. For example:
- AMPs of $10,000,000 or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year can be assessed against a business for breaches of Bill 64 including: disclosing or keeping personal information in contravention of the law, not reporting confidentiality incidents as required by the law, not taking the security measures required by s.10, or not informing an individual of a decision based exclusively on an automated process or not giving the person an opportunity to submit observations, in contravention of section 12.1.
- Fines of between $15,000 and $25,000,000, or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year. The penal offenses for which large fines are exigible include anyone who “collects, uses, communicates, keeps or destroys personal information in contravention of the law”, or fails to report a confidentiality incident to the Commission or to the persons concerned when required, or does not take the security measures required by s.10. Despite the extremely broad category of potential offenses and the already large fines, in “the case of a subsequent offence, the fines… are doubled”.
- Private rights of action can be brought for infringement of rights conferred by Bill 64. Where there is an injury and the infringement is intentional or results from a gross fault, under s.93.1 of Bill 64, the court must award punitive damages of not less than $1,000.
The amount of potential liability – only for breaching Bill 64 – can be substantial. Accordingly, outsourcing agreements should address the allocation of risk between the parties for violations of Bill 64 (and other privacy laws), including the applicable liability caps, damages exclusions, stretch caps and indemnities.
Dealing with differences between Bill 64 and other applicable laws
Many Quebec and Canadian based enterprises have developed processes and contractual templates to enable them to comply with the (prior) Quebec Private Sector Act, PIPEDA, other provincial privacy laws and relevant international laws including the GDPR when contracting for outsourcing services. However, there are some important differences between Bill 64 and other applicable laws. These will necessitate a review of applicable processes, templates and agreements to ensure that Bill 64 can be met. Examples of differences between Bill 64 and other laws that impact existing processes, templates, and agreements include the following.
- Bill 64’s PIA is a new requirement that must be used for all disclosures of personal information outside of Quebec. No such express requirement exists under PIPEDA, although since organizations are required under PIPEDA to ensure that the personal information will receive “comparable” protection when transferred, some process must be used by organizations to make this assessment. Further, unlike PIPEDA where the focus of the analysis is on whether the personal information would have comparable protection, Bill 64 requires that the information must receive “adequate protection” in light of generally recognized principles regarding the protection of personal information. Bill 64 also expressly requires that outsourcing agreements mitigate risks recognized by the PIAs, something that is only implicit in PIPEDA. Unlike the GDPR, enterprises are not given any pre-approved adequacy framework or tools to facilitate the “adequate” protection analysis under Bill 64. See also, Michael Scherman et al, Quebec’s Bill 64 Introduces New Contractual Requirements for Transfers of Data, Karime Joizil et al, Quebec’s Bill 64 Introduces New Operational Requirements for Cross-Border Transfers of Personal Information, Barry Sookman, CPPA: transfers of personal information to service providers.
- Bill 64 treats disclosures of personal information to processors as a “communication” for which consent is required. It sets out specific conditions to be met for the exception to apply, including contractual terms between the controller and processor. PIPEDA, by comparison, treats transfers for processing as uses which do not require any new consents. Thus, if all of the conditions for the Bill 64 exception to consent are not met, the customer must have Bill 64 compliant consents before the personal information can be disclosed. No such risk exists under PIPEDA.
- Bill 64 imposes different security standards for outsourcing transactions than what is required under PIPEDA. Bill 64’s security standard is one that must be reasonable given the sensitivity of the information in light of the purposes for which it is to be used. Under PIPEDA, personal information must be protected by security safeguards “appropriate” to the sensitivity of the information.
- Bill 64’s confidentiality incident reporting obligations are different from those in PIPEDA. See, Charles Morgan et al, Quebec’s Bill 64 Introduces Unique Cyber Incident Reporting Obligations.
- Bill 64 has a new provision dealing with automated decision making. There is no comparable provision in PIPEDA, and what has been enacted is different from what was proposed in the CPPA. See, Barry Sookman, Using privacy laws to regulate automated decision making.
- Bill 64 contains extremely high penalties and fines for breaches of the law. PIPEDA has no such comparable regime. The CPPA would have had very significant penalties and fines. There could have been liability under the CPPA for penalties as high as the greater of $10 million or 3% of an organization’s gross global annual revenue. There could also have been liability under the CPPA for fines of up to the greater of $25 million or 5% of an organization’s gross global annual revenues for certain contraventions of the CPPA. Neither Bill 64 nor the CPPA addressed the potential for aggregate fines and penalties in respect of the same privacy breach, leaving the risks of doing business in Quebec far higher than even under the GDPR’s very onerous regime.
Dealing with new regulatory layers for outsourcing transactions
Enterprises that engage in outsourcing will realize that Bill 64 adds one more privacy-related regulatory layer that must be satisfied. Depending on the nature of the business, there are numerous other laws, guidelines and advisories that enterprises also have to work into their management practices. As these measures have different requirements, in the aggregate they create multiple overlapping obligations that have to be assessed by enterprises that transfer personal information for outsourcing purposes. Increasingly, the guidance focuses on taking proactive steps to assess and mitigate risks, including security risks associated with outsourcing. These include:
- Federally regulated financial institutions must comply with the OSFI B-10 Outsourcing Guideline. OSFI expects that the security and confidentiality policies of the outsourcer will be “commensurate with those of the FRE and should meet a reasonable standard in the circumstances”. OSFI also expects “appropriate security and data confidentiality protections to be in place”. OSFI recently tightened its technology and cybersecurity incident reporting requirements. OSFI also recently released a Draft Guideline on Technology and Cyber Risk Management. It includes third party provider technology and cyber risk guidelines with an intent to ensure “effective controls and processes are implemented to identify, assess, manage, monitor, report and mitigate technology and cyber risks throughout the TPP’s life cycle, from due diligence to termination/exit.”
- Investment dealers are subject to IIROC guidance on outsourcing transactions. This includes IIROC Notice 14-0012 and Part 11 of the Companion Policy to NI 31-103. The guidance includes many of the “best” practices under Bill 64. For example, registered firms are responsible and accountable for all functions they outsource to a service provider. Firms must have a written, legally binding contract that includes the expectations of the parties to the outsourcing arrangement. Firms should follow prudent business practices and conduct a due diligence analysis of prospective third-party service providers. Due diligence should include an assessment of the service provider’s relevant internal controls. Firms should also “ensure that third-party service providers have adequate safeguards for keeping information confidential”. The IIROC guidance is based, in part, on the International Organization of Securities Commissions (IOSCO) outsourcing principles. These outsourcing principles were just recently updated by IOSCO.
- Many Canadian financial institutions also have business operations in the United States and have obligations under the guidance and rules of the Office of the Comptroller of the Currency (OCC), Treasury; the Board of Governors of the Federal Reserve System (Board); and the Federal Deposit Insurance Corporation (FDIC). The rules related to Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers were also recently updated.
* I would like to thank Loïc Turner for his help with this blog post. Loïc is a McCarthy Tétrault Co-op program student from Sherbrooke University.
[i] Some of the topics discussed in this post have been canvassed in other blogs such as those published by Michael Scherman et al, Quebec’s Bill 64 Introduces New Contractual Requirements for Transfers of Data, and Karime Joizil et al, Quebec’s Bill 64 Introduces New Operational Requirements for Cross-Border Transfers of Personal Information.