Guidance Document: Taking Privacy into Account Before Making Contracting Decisions
An invasion-of-privacy test provides guidance in determining whether a contract that would involve personal information would result in harm or injury to an individual. There are three main factors that should be taken into account in any invasion-of-privacy test: sensitivity of the information, expectations of the individuals, and probability and gravity of injury.
1) Sensitivity of the information
Determine what type of personal information will be involved in the contract.
- How detailed is the personal information (tombstone data such as name and address or highly detailed personal information, including longitudinal information)?
- What is the severity of the breach (determined by such factors as the number of individuals whose information is in the database and the amount of individual information collected)?
- Is the information of a highly sensitive personal nature (e.g. health and financial information) or does it appear to be fairly innocuous information (e.g. tombstone information)?
- What is the purpose of the work (i.e. statistical in nature, program administration, regulatory enforcement, or possible criminal enforcement)?
- What is the context surrounding this information? (The name and address of an individual can be innocuous or extremely sensitive depending on the context; for example, names and addresses of individuals participating in a youth employment program are less sensitive than a similar list containing names and addresses of Hepatitis C and HIV compensation victims.)
- What is the amount of control that the service provider will have over the information?
From a privacy standpoint, particular attention should be given to the decision related to contracting highly sensitive information. If information is highly detailed, sensitive, and extremely personal, institutions should consider alternatives that increase the institutions' direct control over the information where possible. Alternatively, institutions should consider implementing a very high standard of security and confidentiality that may be well beyond the minimum requirements when contracting the handling of such information. This will assist in providing Canadians with a comfort level when it comes to their personal information.
Note: The invasion-of-privacy test suggested above has been adapted from the public interest invasion-of-privacy test outlined in Chapter 2-4 of the Treasury Board Manual on Privacy and Data Protection.
2) Expectations of the individual
Determine or establish the expectations of the individuals with respect to their personal information. The conditions that govern the collection of the personal information usually are the best source for determining the expectations of the individuals.
- Where personal information has already been collected by the government institution, verify what conditions were established at the time the information was first collected from the individual:
  - Was there a commitment or promise not to disclose to any other party or institution?
  - Was there a caveat stating that the information could be disclosed in a manner consistent with the original purpose for its collection?
  - Was the information compiled or obtained under guarantees that preclude some or all types of disclosure?
  - Was the information unsolicited or given freely or voluntarily with little expectation of it being maintained in total confidence?
If personal information is to be collected by the government institution from the contractor, or the government institution has exercised control over the contractors' records, establish the conditions for the collection and the expected use and disclosure of the personal information in accordance with the fair information practices embodied in the Privacy Act. For example:
- Will the institution provide clear direction to the contractor regarding its obligation with respect to the collection of personal information on behalf of the Government of Canada?
- Will the institution ensure that the contractor informs individuals of the purpose of the collection and obtains consent (where relevant) for the collection, use, and disclosure? This also includes ensuring that individuals are informed of any statutory authority for the collection, of their right to refuse to provide any or all of the requested information and any possible consequences of such refusal, and of their right of access and correction.
- Will the institution ensure that the contractor informs individuals of other possible uses and disclosures related to the information?
- Would an individual feel comfortable knowing that his or her personal information could be accessed by a third party under contract?
- Would the individual expect a third party to be involved in the handling of such personal information?
- What level of confidentiality and security would the individual expect?
3) Probability and gravity of injury
Determine the probability of injury if the personal information was wrongfully disclosed or if a breach of security or confidentiality occurred. Injury should be interpreted as any harm or embarrassment that will have direct negative effects, for example, on an individual's career, reputation, financial position, safety, health, or well-being. The following factors will assist in determining the extent of probable injury:
- Would the contract involve the personal information of few or numerous individuals (e.g. will the contract deal with one or two individuals or will it involve the personal information of hundreds or thousands of individuals)?
- If the information is considered sensitive, can it be surmised that any disclosure carries a probability of causing measurable injury (e.g. identity theft, fraud, emotional distress, or negative effects on an individual's career, reputation, financial position, safety, health, or well-being)?
- Is there a risk in terms of the possible application of foreign laws (i.e. potential for disclosure to foreign government for uses unrelated to the contract)?
- How grave or serious could the potential injury be?
The following table will assist in determining risks related to possible application of foreign laws as a result of a contract involving the handling of personal information.
Databases maintained and processed on a Government of Canada site only, or databases located or maintained off-site and processing conducted by a Canadian company that operates in Canada only. Records storage/archival and disposal handled on a Government of Canada site only or by a Canadian company operating in Canada only.
Databases located or maintained off-site and processed by a company in Canada, with potential access by a foreign subcontractor or potential access by foreign parent company or affiliate (with risk mitigation strategies in place). Records storage/archival and disposal handled off-site by a company in Canada, with potential access by a foreign subcontractor or potential access by foreign parent company or affiliate (with risk mitigation strategies in place).
Database maintained and processing conducted by a foreign-based company in a foreign jurisdiction (with risk mitigation strategies in place).
Database maintained and processing conducted by a foreign-based company in a foreign jurisdiction (with no risk mitigation strategies in place). Records storage/archival and disposal handled by foreign-based company in foreign jurisdiction.
Note: Institutions may wish to consider other factors unique to their situations. For this reason, institutions are encouraged to develop guidelines on the application of the invasion-of-privacy test within their institution.
The use of effective mitigation strategies by federal institutions will result in reducing the level of risk. These strategies could include the use of non-technological solutions, such as including the privacy clauses suggested in this document, or the implementation of technological solutions, such as encryption.