Privacy Commissioner of Canada Finds Bank Properly Protects Customer Information Transferred to Third Parties for Processing

In 2017, a former TD employee filed a complaint with the Office of the Privacy Commissioner of Canada regarding the outsourcing of TD’s fraud claim investigations to service providers operating in India.  The Commissioner recently released its Report of Findings in respect of the complaint.

In finding that the complaints related to TD’s outsourcing of fraud claims were not well-founded, the Commissioner considered whether TD: (1) was required to obtain consent for, or allow customers to opt-out of, the transfer of personal information for the processing in question; (2) was sufficiently open or transparent with respect to its transfer of personal information to a third party service provider in a foreign jurisdiction for processing; and (3) ensured a comparable level of protection while personal information was being processed by the service provider.  The Commissioner concluded:

1. Consent: An organization does not need to obtain additional consent for the transfer of information to a third party when the transfer is for the same purpose identified to customers when the organization originally obtained contained consent for the collection and use of customers’ information.  TD’s agreements required customers to consent to the use of their information for, among other things, protection against fraud.
2. Openness:  TD’s Privacy Code and Privacy Agreements provided customers with notice that their information may be disclosed to organizations that provide services to TD, including organizations outside of Canada.
3. Accountability: TD demonstrated that it ensured that there was comparable level of protection for its customers’ information accessed by the third party service providers through its contracts with those service providers and that the service providers only had remote access through an online portal to customer information stored in servers in Canada.

The Commissioner praised TD and noted the following good practices that should be followed by other organizations that transfer personal information to third parties for processing:

• Undertaking risk assessments to identify and mitigate potential privacy risks associated with engaging the service provider prior to signing a contract, and then incorporating those findings into the contract.
• Requiring the service provider to control its work environment to prevent copying or sharing information about customers or employees.
• Strictly limiting the service provider’s access to, and use of personal information through a contract and robust safeguards.
• Proactively monitoring the service provider’s safeguards and practices to ensure contractual compliance, including via regular audits by an independent auditor.

Summary By: Matthew Frontini