That exact circumstance is not explicitly addressed in the Privacy Act. In PIPEDA it is, because it talks about an organization. If they send information out for processing, the organization remains responsible for it, even if they've handed it off to somebody else for processing.
The scenario you just described is not addressed in the Privacy Act. If there were a requirement that the government institution implement safeguards to protect the information they collect, part and parcel of it is that they make sure of the security of that information wherever it goes, which would make the public body accountable, I would expect, for the information in the hands, for example, of an outsourced processor.