Note: This guidance document was updated in July 2010 to include Chapter 6, entitled "Technological Measures to enhance Privacy and Security." Chapter 6 identifies key technological measures that should be considered for inclusion in contract clauses to enhance privacy and security. The recommended measures are intended for use in contracts that involve personal information and other sensitive information that is handled electronically.
In addition, all hyperlinks and references to legislation and policy instruments have been updated.
This guidance document is intended to provide advice to federal government institutions whenever they consider contracting out activities in which personal information about Canadians is handled or accessed by private sector agencies under contract.
The document was developed in response to privacy risks associated with the potential exposure of Canadians' personal information to U.S. authorities under the USA PATRIOT Act.
It is not uncommon for a federal government institution to contract out the management of a program or service involving personal information about Canadians to a company based in Canada, the U.S., or another country. When information is stored or accessible outside of Canada, however, it can be subject not only to Canadian laws but also to the laws of the other country.
One such law is the USA PATRIOT Act. The Act permits U.S. law enforcement officials to seek a court order allowing them to access the personal records of any individual for the purpose of an anti-terrorism investigation without informing individuals or agencies that such disclosure has occurred. In theory, as a result of government contracting activities, U.S. officials could access information about Canadians through U.S. firms or their affiliates, even if the data is located in Canada.
Although the risk of U.S. authorities using the USA PATRIOT Act in this way is minimal, it nevertheless exists. This has highlighted the need for special considerations with respect to government contracts involving personal information in order to mitigate such privacy risks.
The significance of the USA PATRIOT Act has been summarized by the Privacy Commissioner of Canada, Jennifer Stoddart:
"The concerns raised about the impact of the USA PATRIOT Act on the privacy of personal information about Canadians are really part of a much broader issue—the extent to which Canada and other countries share personal information about their citizens with each other, and the extent to which information that has been transferred abroad for commercial purposes may be accessible to foreign governments. The enactment of the USA PATRIOT Act may simply have served as the catalyst that brought these issues to the fore."
The Government of Canada takes the issue of privacy very seriously. It supports the assessment of the Privacy Commissioner of Canada that the USA PATRIOT Act highlights the broader issue of personal information about Canadians becoming accessible to any foreign government.