The Access to Information Act and the Privacy Act apply only to those federal institutions listed in schedules of each Act and grant individuals a right of access to records or personal information under the control of government institutions, subject to specific exceptions and exclusions. The Privacy Act also imposes statutory obligations on government institutions to manage personal information in accordance with sections 4 to 8 of the Act, which establish a code of fair information practices regarding the collection, accuracy, use, disclosure, retention, and disposal of personal information.
The acts do not apply to private sector contractors. This means that government institutions must ensure that the contract does not weaken the right of public access to information or significantly affect their ability to protect personal information of individuals when contracting out the management of a government program or service. The most effective means to require that an outside service provider respects the statutory requirements of the Access to Information Act and the Privacy Act is to insert, where appropriate, relevant access to information and privacy clauses in the contractual agreement.
The clauses required will vary depending on the relationship and nature of the services to be provided. In some cases, clauses may be needed to deal with the disclosure of personal information to the service provider to enable contract performance. In other cases, clauses may be needed to meet the collection requirements of the Privacy Act where contract deliverables will result in the collection of personal information by the contractor on behalf of the government institution. In other cases, where the contracting party is acting on the government institution's behalf by performing government services or functions, clauses may be needed to stipulate who has control of the records or personal information transferred to, or collected, created or maintained by, the contractor in the performance of the contract and ensure that the requirements under both acts applicable to records or personal information deemed to be under the control of the government institution are fully met.
Appropriate contract clauses would ensure that the government institution's responsibility for the protection of personal information continues to be fulfilled by the contractor and, where applicable, individuals continue to have a right of access to their personal information and to records relevant to the government institution's accountability for the program or services performed under the contract.
The following explanatory notes complement the Privacy Protection Checklist to guide government institutions in developing access to information and privacy clauses that are consistent with their obligations under the legislation. The clauses are meant for situations where an outside service provider (hereinafter referred to as the contractor) is required to handle records or personal information on behalf of a government institution or contracting authority while performing government services or functions. The questions found in the checklist serve to highlight the specific access to information and privacy requirements that should be considered when drafting government contracts.
As every contract is unique, not all questions in the Privacy Protection Checklist will apply to all contract situations. For example, a contract involving only the storage or archiving of personal information or the operation or maintenance of a computerized system containing personal information may not require privacy protection clauses that address the collection, accuracy, use, disclosure or correction of personal information. Each Checklist question should be answered taking into consideration the sensitivity of the personal information involved and the nature and scope of the services to be provided by the contractor on behalf of the government institution. Institutions are encouraged to consult their legal advisors and Access to Information and Privacy (ATIP) officials to determine any specific needs for access and privacy clauses that may apply to their particular contracting circumstances.
The Checklist questions and the explanatory notes provided in this document are not necessarily all-inclusive; there may be other legislative privacy requirements at the provincial or federal level to consider, including departmental or program-specific legislation and the possible application of the Personal Information Protection and Electronic Documents Act. Government institutions faced with this kind of scenario should, in consultation with their institution's legal advisors and ATIP officials, conduct a thorough legislative and policy analysis of the requirements of all applicable laws and develop contractual clauses that ensure first and foremost that the government institution meets its legal obligations. If more than one law applies, institutions may also wish to adopt the most stringent privacy principles or standards.