Data Sharing Agreement (Canada)

A Data Sharing Agreement in Canada sets how the parties may share and use personal data and the safeguards each must apply, governed primarily by PIPEDA and provincial privacy legislation.

The primary federal privacy legislation governing data sharing in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5), which applies to personal information collected, used, or disclosed in the course of commercial activity by private sector organizations. Schedule 1 of PIPEDA, which codifies the Canadian Standards Association Model Code for the Protection of Personal Information, requires organizations to take reasonable steps to confirm that personal information transferred to third parties — including data sharing partners — receives equivalent protection through contractual or other means. The accountability principle under Principle 1 of Schedule 1 makes the disclosing organization responsible for personal information transferred to a third party, even while that third party holds and processes it.

Three provinces — Alberta, British Columbia, and Quebec — have enacted substantially similar private sector privacy legislation that displaces PIPEDA for intra-provincial commercial activities. Alberta's Personal Information Protection Act (S.A. 2003, c. P-6.5, PIPA) and British Columbia's Personal Information Protection Act (S.B.C. 2003, c. 63, PIPA) were declared substantially similar to PIPEDA by federal order in council. Quebec's Act respecting the protection of personal information in the private sector (CQLR c P-39.1), as significantly amended by Law 25 (Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25), imposes requirements that in some respects exceed PIPEDA — including mandatory Privacy Impact Assessments (PIAs) before transfers of personal information outside Quebec under section 70.1, stricter consent requirements, and higher administrative penalties of up to $25 million or 4% of worldwide turnover.

Federal and provincial public sector organizations are subject to separate privacy frameworks: the federal Privacy Act (R.S.C., 1985, c. P-21) for federal government institutions, Ontario's Freedom of Information and Protection of Privacy Act (R.S.O. 1990, c. F.31, FIPPA) for Ontario provincial institutions, and equivalent statutes in each province. Public sector data sharing agreements must comply with the applicable public sector privacy statute in addition to any contractual obligations.

Health information shared between organizations in Ontario is separately governed by the Personal Health Information Protection Act (S.O. 2004, c. 3, Sched. A, PHIPA), which requires health information custodians to execute Information Sharing Agreements before sharing personal health information with non-custodian recipients. Similar health privacy statutes apply in Alberta (Health Information Act, R.S.A. 2000, c. H-5) and British Columbia (E-Health (Personal Health Information Access and Protection of Privacy) Act, S.B.C. 2008, c. 38).

A Canadian Data Sharing Agreement is needed whenever one organization transfers personal information or proprietary data to another organization and requires contractual safeguards to comply with PIPEDA, provincial privacy legislation, or sector-specific privacy statutes.

Research institutions — universities, teaching hospitals, and public health agencies — that share de-identified or identified patient or participant data with partner institutions need a Data Sharing Agreement to satisfy the requirements of PIPEDA, provincial health privacy legislation, and the Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (TCPS 2), which requires Research Ethics Boards (REBs) to approve data sharing arrangements involving identifiable human subjects research data.

Financial institutions sharing customer data — credit history, transaction records, account information — with affiliated entities, credit bureaus Equifax Canada and TransUnion Canada, or financial technology partners need a Data Sharing Agreement to satisfy PIPEDA's accountability principle and the Office of the Financial Institutions Superintendent (OSFI) Guideline B-10 on third-party risk management for federally regulated financial institutions.

Organizations transferring personal information to cloud service providers — including AWS, Microsoft Azure, and Google Cloud, all of which maintain Canadian data centre regions — need a Data Sharing Agreement or data processing agreement to satisfy PIPEDA's requirement for contractual safeguards equivalent to the organization's own privacy obligations. The Office of the Privacy Commissioner of Canada (OPC) has published guidance confirming that cloud hosting of personal information constitutes a transfer to a third party requiring contractual protection.

Quebec organizations transferring personal information to a service provider outside Quebec — including to other Canadian provinces or to the United States — must complete a Privacy Impact Assessment under section 70.1 of Quebec's Act respecting the protection of personal information in the private sector before executing the Data Sharing Agreement. The PIA must assess whether the receiving jurisdiction provides adequate protection and must be documented and available for review by the Commission d'accès à l'information (CAI).

Employers sharing employee personal information — payroll data, benefit enrolment information, performance records — with payroll processors such as ADP Canada or Ceridian, group benefits insurers, or background check providers under sections 7(3)(b) or 7(1)(a) of PIPEDA need a Data Sharing Agreement specifying the limited purposes for which the recipient may process the data and requiring the recipient to comply with PIPEDA's security safeguard obligations.

Government agencies sharing data under provincial open data initiatives or inter-governmental data exchange programs need Data Sharing Agreements that comply with the applicable provincial FIPPA or FOIPPA and specify data governance obligations, use restrictions, and the audit rights of the disclosing institution.

A complete Canadian Data Sharing Agreement contains specific provisions required by PIPEDA, provincial privacy legislation, and the OPC's published guidance on third-party data transfers.

The data description clause precisely identifies the categories of data being shared — personal information (as defined in PIPEDA, s. 2(1): information about an identifiable individual), de-identified data, proprietary business data, or a combination. For personal information, the clause should identify the data elements (name, address, email, SIN, health information, financial account numbers) and the format of the data (structured database records, unstructured documents, audio or video files). Specificity is essential — vague descriptions such as "customer data" are insufficient for PIPEDA compliance and may cause disputes about the scope of the agreement.

The permitted purpose clause defines the specific, limited purposes for which the receiving organization may use the shared data. Under PIPEDA's purpose limitation principle (Principle 4), personal information may only be used for the purposes for which it was collected, or as specified in the agreement. Secondary uses — such as using shared research data for marketing purposes — are prohibited without the prior written consent of the disclosing organization.

The security safeguards clause specifies the technical and organizational measures the recipient must implement to protect the shared data. PIPEDA Principle 7 requires safeguards appropriate to the sensitivity of the information; the OPC's guidance suggests that highly sensitive data (health records, financial information, SIN numbers) requires encryption at rest and in transit, access controls, audit logging, and regular security assessments. The clause should reference recognized security frameworks such as ISO/IEC 27001 or NIST SP 800-53.

The breach notification clause requires the recipient to notify the disclosing organization of any breach of security safeguards involving the shared data within a short contractual window — typically 24 to 72 hours from discovery — to enable the disclosing organization to meet its statutory notification obligations to the OPC and affected individuals under PIPEDA's mandatory breach notification regulations (SOR/2018-64). For Quebec data, the same clause must address notification to the CAI within 72 hours of discovery of a high-risk incident under section 3.5 of Quebec's Act.

The data retention and destruction clause specifies the maximum period for which the recipient may retain the shared data and requires return or certified destruction of all copies — including backup copies and data derived from the shared data — when the purpose is complete or the agreement terminates. The clause should address electronic and physical destruction methods and require written certification of destruction.

The Quebec privacy impact assessment clause — required for organizations subject to Quebec's Act — requires the recipient to cooperate with the disclosing organization in completing a Privacy Impact Assessment before the transfer takes place, including providing information about the recipient's privacy practices, data breach history, and applicable laws in the recipient's jurisdiction.

The audit rights clause grants the disclosing organization the right to audit the recipient's data protection practices — including inspection of security controls, access logs, and compliance records — either directly or through an independent third-party auditor, to verify compliance with the agreement and applicable privacy legislation. The OPC has emphasized in its published guidance that audit rights are a necessary component of an effective third-party data governance program.

The governing law clause specifies which Canadian province's law governs the agreement and which court or tribunal has jurisdiction over disputes. For agreements involving Quebec personal information, Quebec law and the jurisdiction of Quebec courts or the CAI should be specified for the Quebec data elements.

Under the Canada Business Corporations Act (R.S.C. 1985, c. C-44), Corporations Canada maintains the federal registry. Section 12 of the CBCA governs corporate name requirements. The Competition Bureau enforces the Competition Act (R.S.C. 1985, c. C-34). Provincial securities commissions — including the Ontario Securities Commission (OSC) and British Columbia Securities Commission (BCSC) — regulate capital markets. The Federal Court of Canada has jurisdiction under the Federal Courts Act. The forms-legal.com Data Sharing Agreement (Canada) template covers the mandatory elements under Canada Business Corporations Act (R.S.C. 1985, c. C-44).