Data protection agreements

Region: Ontario Answer # 344

What are data protection agreements?

Data protection agreements are used to protect personal information (PI) about customers when organizations are sharing information.

When are data protection agreements used?

Data protection agreements are usually entered into when one organization outsources or sub-contracts part of its work to a third-party organization. In doing so, the organization must often give the sub-contractor PI about its customers so that the sub-contractor can complete the work. The protection of the PI always remains the responsibility of the organization that collected the information. The PI can include information about individual customers, employees, or other individuals. The organization is responsible for ensuring that the PI is protected and handled in compliance with federal and provincial privacy laws.

In fact, the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal legislation governing such information transfers, states:

“An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”

It is important, therefore, for an organization to take proper measures to protect PI before it transfers the PI to a third-party service provider or sub-contractor. The organization can do such things as:

  • review the third party's written privacy policies,
  • ask about the third party's past practices with regard to PI and other sensitive information,
  • request information about prior privacy complaints and data breaches, and
  • enter into a data protection agreement, or include privacy provisions as part of the service agreement.


What issues should be covered in a data protection agreement?

Data protection agreements should be customized to reflect the parties involved, the exact data to be shared, the services to be provided, and the steps being taken to keep the data protected.

Most data protection agreements will include the following information:

  • ownership of the PI
  • the type and nature of the PI that is being transferred
  • the purpose for which the PI can be collected, used and disclosed
  • confidentiality requirements
  • restrictions on access to the PI
  • safeguards required to protect PI (including physical restrictions, technological protection and organizational systems)
  • updating, correcting and deleting the PI
  • right to inspect how the PI is being protected
  • restrictions on further transfer or access to the PI
  • agreement to comply with privacy laws
  • requirements to disclose government access requests or other disclosure orders (where permitted by law)
  • requirement to notify the organization and/or customer in the case of a breach
  • procedure to destroy and/or return the PI at the termination of the contract
  • consequences of breaching the data protection agreement obligations
  • consequences of breaching privacy laws

Data protection agreements are a very important safeguard and are usually complicated. For legal assistance in creating or reviewing such an agreement, contact an IT and E-commerce lawyer.
