Five Commitments Your Service Provider Must Make
The use of third parties for data processing is prevalent and expected in today’s data-driven global economy. There are many benefits associated with outsourcing, including operational efficiencies and cost savings. IT managed services, for instance, are commonplace, as relying on the third party’s expertise to support your technology needs allows your business to focus on its own core competencies. However, there is also an increased risk exposure that cannot be ignored if you are entrusting a service provider with your customer or employee personal information. This is primarily because the outsourcing organization has little or no control over the third party’s operational procedures or safeguards.
This article will cover five key features to look for when outsourcing in order to effectively manage privacy risks.
1. Ensure your service provider has a strong privacy management framework in place.
Ask questions that give you a sense of how sophisticated the third party is when it comes to data protection and whether they have adequately thought through privacy and data security. Make sure to get responses in writing. If a security incident occurs, privacy regulators and those affected by the breach will want evidence that you did your due diligence. Questions should include:
- Do you have an appointed Privacy Officer?
- Do you have a privacy and security training and awareness program in place?
- Have you experienced privacy breaches? How were these resolved?
- Have you undertaken an information security audit or privacy assessment? When was this done?
- Do you use any subcontractors who will have access to the personal information being shared? If so, how do you make sure they have strong privacy practices in place?
Depending on the outsourcing relationship, there are many other questions that you should be asking. For a complete list, review the template service provider privacy and data security questionnaire on PRIVATECH’s Service Provider Privacy Risk Management Toolkit (“SPPRM Toolkit”).
2. Ensure best-practice data security controls are in place.
Third parties should be able to commit to having strong safeguards in place that reduce privacy risks. Remember, your service provider’s risks are your risks too! Risks must be brought to a level that is acceptable for the risk tolerance of your organization. There will always be some residual risk (i.e. risk that remains after implementing security controls), but these must be tracked and managed. Here are some examples of security controls that your service provider should have in place:
- Limited access to personal information on a ‘need-to-know’ basis;
- Strong authentication practices for physical and logical access to data;
- Well-thought-out implementation of intrusion detection and prevention;
- Employee background checks, codes of conduct and confidentiality agreements that provide a level of trust in the service provider’s personnel; and
- A documented information security/cybersecurity program, disaster recovery plan and incident response plan.
A service provider who takes pride in their security controls will be eager to share with you a summary of those controls, as they correctly perceive them to be a business advantage. Note also that if you have limited negotiation power due to a “take it or leave it” arrangement (i.e. a large established provider or a shared service firm with standard terms of service), look for certifications and attestations that demonstrate a strong commitment to data security, such as a SOC 2 report or ISO 27001 certification.
3. Establish ‘limited data’ rules that your service provider can live by.
When I conduct external privacy assessments for my clients, I often see organizations make two common mistakes:
- They provide more personal information, or make more personal information accessible, than is needed for the service provider to perform their functions. This can happen through automated processes that are not regularly reviewed, or through some form of data dump that includes unnecessary information (for example, a worksheet tucked away in an Excel workbook) that the service provider has no business knowing.
- Often the data’s end of life is not properly addressed. It is critical to ensure that data is securely destroyed when it is no longer needed or the services have been completed. Retention timelines must be agreed upon and diligently respected.
If you simply don’t know what your service provider’s information handling practices are, that’s a problem: you haven’t done the due diligence needed to avoid privacy breaches when outsourcing.
4. Ensure your service provider has a strong breach response protocol in place.
Your service provider’s breach response plan must include YOU! You, as the client, must be notified of actual or potential privacy breaches that affect the data you have entrusted to the third party. You may have statutory requirements to report the breach to a regulator and notify affected individuals as soon as possible. For example, Canada’s federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), Alberta’s private-sector Personal Information Protection Act, and many provincial health privacy laws require such reporting. You also need to ensure that the breach is being contained, investigated and managed appropriately. Take a look at your service provider’s privacy breach response plan. A detailed template for such a document can be found in PRIVATECH’s Privacy Documentation Suite.
You need to prepare for the potential regulatory costs and develop appropriate communication strategies; you can’t do this if you aren’t promptly notified of your service provider’s security incident.
5. Ensure your service contract has privacy and security clauses that protect the data you have entrusted to the third party.
Clauses should include:
- Limited use of personal information for the purposes outlined;
- Appropriate safeguards to protect personal information – PIPEDA Report of Findings #2019-003 reviews Loblaws’ contract with its gift card program administrator, making it clear that the Federal Commissioner wants to see specific clauses outlining expected safeguards, not just a general statement that the data must be kept secure;
- Any additional uses or disclosures must be approved by you;
- You must be notified in the event of a privacy/security breach;
- Personal information must be securely destroyed upon service completion;
- An audit right (it is important to have this even though exercising an audit right creates an administrative burden for both parties, so it is usually only done when something goes wrong; you could also include a clause requiring the service provider to supply evidence of an annual third-party security review); and
- The right to terminate the service arrangement in the event of a breach or non-compliance with the privacy/security provisions.
A strong contract on its own isn’t enough to satisfy your obligations to ensure data protection, but the contract is still important as it helps you regain some of the control that is lost by the very act of outsourcing. Check out PRIVATECH’s SPPRM Toolkit for detailed privacy and security model contractual clauses (including the kinds of safeguards to outline) that have been included in a sample Confidentiality and Privacy Agreement. This sample has been drafted as a stand-alone legal contract that can be used for an existing service relationship. However, if there is an opportunity to include the clauses in a new service contract, even better!
If you take these five considerations seriously when outsourcing, you’ll be far ahead of the game, and you will gain confidence that your service relationships involving data transfers don’t introduce unnecessary risk. To keep track of your due diligence efforts and analyze inherent and residual risk for each service provider, consider using the template consolidated third-party data risk assessment matrix found in PRIVATECH’s SPPRM Toolkit.
Contact PRIVATECH for more information or for assistance with reviewing your service providers’ privacy practices.