The approach that I recommend is to enter agreements with third parties that (like other comprehensive business contracts) specifically list the rights and responsibilities of the parties. In my view, simply stating in the agreement that the other organization agrees to comply with PIPEDA is insufficient. Greater detail in the agreement, however, will help to mitigate problems arising in the future and, in my view, is required to meet the letter and spirit of the law. The types of terms will, to some extent, often match the obligations described in Schedule 1 to PIPEDA, but should (for business reasons as well as legal) go much further. For example, many of these types of agreements contain privacy auditing rights and spell out the process for dealing with consents and withdrawals of consent. A company’s personal information holdings is one of its most valuable assets so undertaking this type of due diligence is worth it!