Treasury Board of Canada Secretariat

Guidance Document: Taking Privacy into Account Before Making Contracting Decisions


B.  Explanatory notes concerning the Checklist questions

Both the checklist and the explanatory notes are meant to provide guidance only and government institutions should not rely solely on them in the preparation of a contract or any other document. Again, institutions are encouraged to consult their departmental legal and ATIP experts for advice in this regard.

Control and accountability

Principle

The Access to Information Act and the Privacy Act apply to records and personal information "under the control" of government institutions. Thus, the issue of control is of primary importance to ensure that the information and privacy rights of individuals under these acts are upheld when records are transferred to, or generated by, a contractor in the course of fulfilling its obligations on behalf of a government institution.

It is government policy that institutions must respect their obligations under the Access to Information Act or the Privacy Act when contracting out.

Generally, unless there is valid justification, government institutions should include provisions in contractual agreements to ensure that records that are either transferred to, created, collected, or maintained by the contractor in the fulfilment of a contract relevant to the delivery of government services remain under the control of the contracting government institution and are subject to both the Access to Information Act and the Privacy Act.

In addition to access to information provisions, the contractual agreement should include privacy protection clauses to ensure that any personal information contained in the records, as defined in section 3 of the Privacy Act, is managed by the contractor in conformity with the code of fair information practices embodied in the Privacy Act and its regulations, as well as the Treasury Board Secretariat Policy on Privacy Protection.

The contractor should assume full responsibility for the performance of its obligations and functions under the contract.

1.  Should the contractual agreement specify the types of records or personal information (list them) affected by the contract that will remain:
  1. under the control of the government and subject to the Privacy Act and the Access to Information Act; or
  2. the sole property of the contractor?

Contracting out government programs or service-delivery functions does not relieve the government of its access and privacy obligations for records or personal information held by private sector companies on its behalf. Institutions proposing to contract out government programs or services should prepare a case analysis involving several public interest tests, including how information and privacy rights of Canadian citizens under the Access to Information Act and the Privacy Act will be maintained.[4]

When evaluating the access to information and privacy implications of contracting out, government institutions must determine whether the records (including personal information) that will be transferred [5] to, or collected, created, or maintained, by the contractor in the performance of the government program or service, are under the control of the government institution. If the government institution establishes control, the records will be covered by the Access to Information Act and the Privacy Act. To this end, the institution would be required to specify a number of conditions in the contract that are consistent with its duties and obligations under the acts and that make the contractor's responsibilities very clear with respect to those records and personal information.

From a legal perspective, the records are to be covered by the Access to Information Act and the Privacy Act when they are considered to be under the control of the federal institution. As long as records are under the control of a government institution, the legal requirements of the acts apply.

A government institution cannot avoid its statutory obligations [6] under the Access to Information Act and the Privacy Act by claiming that it does not have possession of specific records. There may, however, be legitimate circumstances where an institution wants to obtain a service from an independent contractor without ever taking control of the personal information created thereunder, while also protecting the information. For example, a government institution using a private polling firm to conduct a survey to assess client or employee satisfaction and determine how to improve service may not necessarily want to retain control of the personal information collected by the contractor. In fact, the deliverables may require that the contractor provide all information collected during the survey in a non-identifiable format. In such cases, the contractor should be required to destroy the key permitting it to link statistical data to individual respondents once the survey is completed and all survey data has been compiled and validated. The contractor should also be required to protect the information until it has been destroyed or rendered completely anonymous.

In other instances, it may also be desirable that a contract clearly identify and list any business records of the contractor (e.g. administrative, financial, accounting or human resources records) that are necessary for the contractor's performance under the contract but are not considered the property of or under the control of the government institution. The contract should specify that the documents would be considered to be under the control of the government institution if the government has possession of contractor documents or the power to produce them.

The contract should also specify that the records deemed to be under the control of the government institution but in the possession of the contractor must be segregated from the contractor's other business records or data holdings for security reasons and to facilitate the administration of the Access to Information Act and the Privacy Act (e.g. individuals' access and correction rights).

2.  Should the contractual agreement specify that the contractor shall designate a senior individual (or individuals) within its organization who would be responsible for ensuring the contractor's compliance with the privacy and security obligations under the contract and be the first point of contact with the government institution for any privacy and security issues?

The Treasury Board Security and Contracting Management Standard[7] indicates that departments are responsible for protecting sensitive information and assets under their control during all phases of the contracting process. The standard prescribes the use of contractual clauses to specify security requirements.

The Industrial Security Manual, which is produced by the Canadian and International Industrial Security Directorate, Public Works and Government Services Canada (PWGSC), contains specific provisions that apply to any contractor that has been authorized to store or handle protected or classified government information or assets and that requires a Designated Organization Screening or a Facility Security Clearance. Among other things, such contractors must appoint a company security officer to carry out security responsibilities.

Although there is no requirement in the Industrial Security Manual for a contractor to name someone to be responsible for ensuring the contractor's compliance with the privacy obligations under the contract, the government institution has a duty to ensure that the contractor takes reasonable steps to put in place effective privacy protection practices. One of these steps is to have a person in charge of privacy management for the contractor. Thus, depending on the sensitivity of the personal information involved and the nature and scope of the services to be provided by the contractor for the government institution, there may be a need for the contractor to assign one senior individual (or individuals) to be accountable for administration and compliance with the privacy requirements of the contract and to be the first point of contact for such issues. The government institution would be required to do the same.

3.  Should the contractual agreement specify that the contractor shall provide the government with an up-to‑date list of all employees, subcontractors or agents engaged in the contract who will have access to the personal information?

Government institutions may wish to consider whether they need to know the identity of the contractor's employees who will have access to personal information. In most cases, it may only be necessary to list the positions or categories of employees of the contractor who need access to personal information to carry out their duties under the contract rather than listing each employee by name. This would provide more flexibility for contracts with a lengthy duration or where there is a high staff turnover. In such cases, the contract should specify the types or elements of personal information that may be accessed by each category of employees, as well as the specific circumstances under which employees of the contractor will require access to the information. The contract should also stipulate the security requirements and access controls that will be in place.

In cases where the information to be accessed under the contract is highly sensitive,[8] government institutions may wish to impose further conditions, as follows:

  • to limit the number of individuals (e.g. employees of the contractor, subcontractors, or agents) who would be allowed to have access to the personal information for the purpose of the contract;
  • to identify in the contract the names of each individual who will access the personal information, specifying how, why, and when access is permitted (a list of the individuals would be annexed to the original contract); and
  • to maintain, throughout the contract, an up-to-date list, by position, of all officials who access personal information in the performance of the contract and to provide the government institution with a copy of that list at any time, upon request.[9]

4.  Should the contractual agreement specify that all contractors' employees, subcontractors or agents to whom personal information may be accessible in the performance of the contract shall sign a privacy and confidentiality agreement?

It is of utmost importance that, in any outsourcing or contracting agreement, all of the contractor's staff (e.g. employees of the contractor, subcontractors, or agents) engaged in the performance of the contract are fully aware of their obligations to protect personal information. To this end, the contract should stipulate that the contractor train relevant employees in the privacy and security requirements of the contract and commit to using discipline, if necessary, to ensure that employees comply with those requirements.

Depending on the sensitivity of the personal information involved, the contract may also require the contractor to ensure that, before allowing any employee to have access to any personal information held in connection with the contract, each employee signs a privacy and confidentiality undertaking with the contractor, in a form acceptable to the government institution. The undertaking should specify that discipline, up to and including termination of employment, may result if the employee, without authority, intentionally accesses, uses, discloses, or disposes of personal information contrary to the terms of the contract. The undertaking is to be maintained on file by the contractor for the duration of the contract and for a specified period of time after completion of the contract. The employees should also be advised that a copy of their undertaking could be disclosed to the government institution upon request.

5.  Should the contractual agreement specify that the contractor shall be fully and solely responsible for the actions of its employees, subcontractors, and agents who act on its behalf in the performance of their functions under the contract?

The contractor must be made fully responsible for the performance of its obligations and functions under the contract. The overall responsibility of the contractor for ensuring that its employees, agents, and subcontractors adhere to the terms and conditions of the contract, including requirements to protect personal information under the control of the government institution, should be explicit in the contract.

6.  Should the contractual agreement specify that the contractor shall advise the government in advance in the event of any change in ownership or control of all or a part of the contractor's business?

A corporate buyout or merger involving the contractor may create a potential conflict of interest or may introduce unanticipated information, privacy, and security risks. Requiring the contractor to advise the government institution in advance in the event of a change in ownership or control of all or part of the contractor's business would enable the government institution to undertake an assessment of the potential impact on information, privacy, and security that may result from the change. The institution should include a right to terminate the contract in such circumstances, at its discretion. This would be of particular importance if the proposed new owner or partner is located in a foreign country or has ties with U.S.-based companies or other foreign organizations, or for other reasons of public policy (e.g. Canada does not contract with Iran).

7.  Should the contractual agreement specify that the contractor shall immediately notify the government in the event of any proceedings for bankruptcy or insolvency brought by or against the contractor under applicable bankruptcy or insolvency laws or any notice of creditor's remedies?

Depending on the nature of the contract and the sensitivity of the services or functions to be performed by the contractor on behalf of the government institution, there may be a need to specify in the contract that the contractor shall advise the government institution or contracting authority in the event of any proceedings for bankruptcy or insolvency brought by or against the contractor under applicable bankruptcy or insolvency laws, including any notice of creditor's remedies made against the contractor. Government institutions should consult with their legal advisors and contracting experts before including any such clause in their contract.

The fact that a contractor is experiencing financial difficulty or has filed under any of the bankruptcy or insolvency laws could have very serious implications on how the contractor is capable of meeting the requirements of the contract or of completing contract performance. Upon being notified that the contractor has become insolvent or has filed for bankruptcy,[10] it is essential that prompt action be taken to ensure that the government's rights are protected in any formal proceedings and to determine whether the contractor is still capable of performing or meeting the requirements of the contract. Intensive monitoring of the contractor's performance would be required in such circumstances and, to the extent permitted by the laws of Canada, the government institution should specify in the contract that it may, at its option, immediately terminate all or any part of the contract.

Transborder data flows

Principle

Government institutions have an obligation to ensure that personal information collected, used, processed, accessed, disclosed, retained, received, created, or disposed of in order to fulfil the requirements of a contract shall be protected against any possible risks related to the issue of transborder flow of information. This would include the potential exposure of personal information of Canadians to U.S. authorities under the USA PATRIOT Act or other similar foreign laws.

8.  Should the contractual agreement specify any limitations on where the records and personal information (including back-up tapes and archives) may be processed, stored or maintained by the contractor (Refer to the Guidance Document for advice and sample clauses)?

One mechanism to deal with the risks associated with transborder flow of information is to have the work done in Canada and to have personal information segregated to a system not accessible by entities outside Canada (e.g. a government-owned, contractor-operated (GOCO) facility or partnership), subject to applicable trade laws. The contract should therefore stipulate whether there are any geographical restrictions related to processing, storing, maintaining, or accessing records containing personal information by the contractor or an affiliate. This is particularly important if the contractor is located in a foreign country or is a subsidiary of a foreign organization.

The inclusion of a clause of this nature will depend on the sensitivity of the personal information involved, the type of contract, the work to be performed and whether the government institution has control of the information, the company performing the work, and the level of risk of exposure to U.S.-based or other foreign companies or subcontractors. Guidance on how to make that decision is contained in Steps 3 to 5 "Contracting" and in Appendix A of the Guidance Document, which also offers examples of contractual language that could be used to address the risk of potential disclosure to foreign governments. It is important that institutions consult with their legal advisors and ATIP officials before implementing, modifying, or adapting any of the clauses that are offered as examples in the Guidance Document. There may also be a requirement to consult with the departmental security officer concerning any security requirements under the Policy on Government Security.

9.  Should the contractual agreement specify that the contractor is prohibited from disclosing or transferring any personal information outside the boundaries of Canada, or allowing parties outside Canada to have access to it, without the prior written approval of the government?

Where appropriate, the contract may stipulate that the contractor is prohibited from disclosing or transferring any personal information to third parties outside Canada or from allowing such parties to have access to it without the prior written approval of the institution. Once information goes beyond Canada's borders, it may be either impractical or impossible for a government institution to prevent any unauthorized use, disclosure, or transfer of that information or even, in some cases, to access its own information.

Collection of personal information (sections 4 and 5 of the Privacy Act)

Principle

Under section 4 of the Privacy Act, a government institution shall collect personal information only when it relates directly to an authorized program or activity of the institution.

Subsection 5(1) of the Privacy Act requires that, wherever possible, government institutions shall collect personal information intended to be used for an administrative purpose directly from the individual to whom it relates. There are limited exceptions to this rule; for example, law enforcement activities.

Subject to exceptions referred to in subsection 5(3) of the Privacy Act, government institutions are required to inform individuals of the purpose for which the information is being collected and the intended uses to be made of it.

10.  Should the contractual agreement specify that the collection of personal information shall be limited to that which is necessary for the contractor to comply with the contract or the exercise of the contractor's rights under the agreement?

In cases where the contractor is required to collect personal information on behalf of the government institution in performing government services or functions and the personal information is under the control of the government institution, the contract should specify the purposes for which the contractor may collect personal information under the contract and the institution's authority [11] for such a collection. The contract should also stipulate the type or elements of personal information that may be collected by the contractor on behalf of the institution and from whom such personal information is collected. A similar clause should be considered when the contractor is required under the contract to create personal information.

The contract should also specify that the contractor must limit its collection of any personal information to what is necessary for the purpose of the contract or the exercise of the contractor's rights under the agreement (i.e. information that would be required by the contractor to substantiate its rights to receive payment).

It is important to remember that when specifying the nature of the personal information to be collected by the contractor, the government institution must ensure that the contractor does not collect more personal information from individuals than the government institution itself would be allowed to collect under the Privacy Act for a similar authorized operating program or activity of the institution. Notification and direct collection requirements (or exceptions) for personal information intended to be used for an administrative purpose must be respected.

In cases where the institution obtains a service from an independent contractor without taking control of the personal information, but where the contract deliverables will result in a collection of personal information by the government institution, the contract should specify the personal information to be provided to the government institution as part of the deliverables. The government institution must ensure that only personal information directly related to the program or activity is collected as part of the deliverables and that the indirect collection requirements under the Privacy Act are met.

11. Should the contractual agreement specify that the contractor must, unless otherwise directed in writing, collect personal information directly from the individual to whom the information relates?

When the contractor collects personal information on behalf of the government institution by performing government services or functions and the personal information is under the control of the government institution, the contract should specify that, unless otherwise directed in writing by the institution, the contractor must collect it directly from the individual to whom the information relates. The method and manner of collection should also be specified in the contractual agreement.

12. Should the contractual agreement specify that the contractor, at the time of collection of personal information, must notify an individual from whom it collects personal information:
  • The purpose and authority for the collection;
  • Any uses or disclosures that are consistent with the original purpose;
  • Any uses or disclosures that are not related to the original purpose;
  • Any legal or administrative consequences for refusing to provide the personal information; and
  • The rights of access to, correction of and protection of personal information under the Privacy Act.

Subsection 5(2) of the Privacy Act recognizes an individual's right to know and understand the purpose for which his or her personal information is being collected and how it will be used. The Treasury Board Directive on Privacy Practices has expanded on how such notice is to be given. It is one of the most fundamental privacy principles because without appropriate notice an individual cannot make an informed decision whether or not to provide personal data.

When a contractor collects personal information on behalf of the government institution by performing government services or functions and the personal information is under the control of the government institution, the contract should require that the contractor notify,[12] at the time of collection, individuals from whom it collects personal information of the purpose and authority for the collection; any uses or disclosures that are consistent with the original purpose; any uses or disclosures that are not related to the original purpose; any legal or administrative consequences for refusing to provide the personal information; and the rights of access to, correction of and protection of personal information under the Privacy Act.

13. Should the contractual agreement specify that the contractor's employees must effectively identify themselves to the individuals from whom they are collecting personal information and provide individuals with a means to verify that they are actually working on behalf of the government and authorized to collect the information?

Where the contractor is required to collect personal information from individuals in person, the contract should specify that the contractor's employees must effectively identify themselves to the individuals from whom they are collecting personal information and provide them with a means to verify that they are actually working on behalf of the Government of Canada and authorized to collect the information. As a matter of good practice, the contractor's employees should carry a letter provided by the government institution confirming that the personal information is being collected on behalf of the Government of Canada and present a photo identification in a format and manner approved by the institution when collecting personal information from individuals in person at their place of residence.

When collecting personal information by telephone, the contractor's employees should provide individuals with the title, business address, and telephone number of a government official who can confirm the authority and the purposes for which the information is being collected and answer any other questions the individuals might have about the collection.

Accuracy of personal information (subsection 6(2) of the Privacy Act)

Principle

Subsection 6(2) of the Privacy Act stipulates that government institutions must take all reasonable steps to ensure that personal information that is used for an administrative purpose is as accurate, up-to-date, and complete as possible. This requirement is intended to minimize the possibility that a decision affecting an individual will be made on the basis of inaccurate, obsolete, or incomplete information.

14.  Should the contractual agreement specify that the contractor must make every reasonable effort to ensure the accuracy and completeness of any personal information to be used by the contractor or the government institution in a decision-making process that will directly affect the individual to whom the information relates?

If any personal information collected by the contractor under the contract is used, or is available for use, by the contractor while performing government services or functions or by the government institution itself in a decision-making process that directly affects the individual to whom the information relates, the contract should require the contractor to make every reasonable effort to ensure the information is accurate, up-to-date, and complete.

In some instances, the contract may specify joint responsibility for data accuracy and integrity by the government institution and the contractor. For example, where the contractor's obligation is limited to ensuring that the data provided to it are accurately recorded and stored, it will be the government institution's responsibility to review and amend the data to ensure accuracy and completeness. In such situations, the contract should specify that the contractor should take all reasonable steps to ensure that personal information provided to it in connection with the contract is accurately recorded and is not amended, except as directed by the government institution.

Alternatively, the contractor may be required to update personal information at specified intervals by either directly contacting the affected individuals, or indirectly from other sources if the government institution has the authority to collect the information indirectly from a third party.

Use of personal information (section 7 of the Privacy Act)

Principle

Without the consent of the individual to whom it relates, personal information under the control of a government institution shall only be used for the purpose for which it was collected, or for a use consistent with the original purpose, or for a purpose for which the information may be disclosed within or outside the institution under subsection 8(2) of the Privacy Act.

15.  Should the contractual agreement specify that, unless otherwise directed in writing, the contractor shall use the personal information only for the purpose of fulfilling its obligations under the contract?

The government institution must ensure that the personal information under its control but in the physical possession of the contractor is not used in a manner inconsistent with the government institution's obligations [13] under the Privacy Act. The contractor should be prohibited from using any personal information held in connection with the contract in any way other than for the specific purpose of fulfilling its obligations under the contract.

The contract should expressly specify the purpose(s) for which the contractor may use the personal information and stipulate that use for any other purposes must have prior express written authorization from the government institution. It should also state that these restrictions survive the contract.

Disclosure of personal information (section 8 of the Privacy Act)

Principle

Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed to third parties except in the limited number of situations set out in subsection 8(2) of the Privacy Act.

16.  Should the contractual agreement specify that the contractor shall be prohibited from disclosing or transferring any personal information, except as necessary for the purposes of fulfilling its obligations under the agreement or unless otherwise directed to do so in writing?

Assuming an Act of Parliament does not prohibit the disclosure of the personal information, the government institution may disclose personal information to a contractor with the consent of the individual to whom the information relates or, where the disclosure is authorized under subsection 8(2) of the Privacy Act, without consent. The contractor's ability to collect the personal information from the government institution may be subject to legislative privacy requirements at the provincial or federal level, such as the Personal Information Protection and Electronic Documents Act, and any such requirements must be taken into account in the contract.

Generally, the contract should specify that, unless the government institution otherwise directs in writing, the contractor is prohibited from disclosing or transferring any personal information held in connection with the contract in any way other than in accordance with the contract. The government institution must also ensure that personal information under its control but in the physical possession of the contractor is not disclosed in a manner inconsistent with the government institution's obligations under the Privacy Act. To this end, the contract should expressly stipulate how, when, and why personal information under the control of the government institution may be disclosed or transferred by the contractor to perform the government services or functions under the contract as well as the authority for such disclosures or transfers.

17.  Should the contractual agreement specify that if the contractor receives any request for disclosure of personal information for a purpose not authorized under the contract, or if it becomes aware that disclosure may be required by law, the contractor shall immediately notify the government about the request or demand for disclosure and must not disclose the information unless otherwise directed to do so in writing?

In some instances, the contract should specify that if the contractor receives any request for disclosure of personal information, other than those stated in the contract, or if it becomes aware that disclosure may be required by law (i.e. a demand for disclosure from a court of law, an investigative body, or a foreign jurisdiction), the contractor must immediately advise the government institution of the request or demand for disclosure and must not disclose the information unless otherwise directed to do so in writing by the institution.

While the contractor may have a legal duty to disclose personal information, it should let the government institution know as soon as possible so that the institution may consider its position in relation to the legality of the demand for disclosure and have the opportunity to intervene in any proceedings before any disclosure is made. The contract should specify that failure on the part of the contractor to notify the government institution of any such disclosure beforehand, even where disclosure is required by law, would be considered a material breach of the contract and may result in termination of the contract.

The government institution may also request that the contractor keep a record of any disclosures of personal information that have been made. Maintaining such a record or register may be of particular importance when sensitive personal information is involved. The register of disclosure should contain the following information and should be made available to the government institution immediately upon request:

  • the date of the disclosure;
  • the name of the entity or person to whom the information was disclosed and, if known, the address of such entity or person;
  • a brief description of the information disclosed;
  • a brief statement of the purpose of such disclosure, which includes an explanation of the basis for such disclosure;
  • the format of the record (e.g. paper, electronic);
  • the method of transmission; and
  • the name of the person who made the disclosure.

Requests for information (section 12 of the Privacy Act and section 4 of the Access to Information Act)

Principle

Government institutions should provide individuals with informal access to government records or their personal information whenever possible.

Where informal access to the requested government records or personal information cannot be given, the requestor must be informed, as appropriate, of his or her rights under the Access to Information Act or the Privacy Act.

18.  Should the contractual agreement specify that individuals can use an informal process to access records or their personal information directly from the contractor?

It is important that the contract clearly state the responsibilities of both the government institution and the contractor in dealing with access requests for records or personal information in the custody of the contractor but under the control of the government institution.

First, the contract should specify whether the contractor would be allowed to provide informal access to certain types of information as a matter of course without the necessity for an individual to submit a formal access request under the Access to Information Act or the Privacy Act, as the case may be. Where appropriate, this informal release process should be encouraged to reduce administrative costs.

If the government institution authorizes the contractor to provide routine informal access, the contract must clearly identify the types of records, including any elements of personal information, that could be routinely released by the contractor. The contract must also specify the circumstances, the conditions, and the restrictions [14] under which the contractor may make such records or personal information informally available to individuals upon request. In allowing the contractor to disclose information on an informal basis, the government institution must be satisfied that such informal disclosures by the contractor can be made because no exceptions under the Access to Information Act apply, the disclosures will be in accordance with the privacy requirements of the Privacy Act, and the privacy and confidentiality requirements of any other applicable legislation or Treasury Board policies and guidelines will be respected.

19.  Should the contractual agreement specify the responsibilities of both the government and the contractor in dealing with formal requests made under the Access to Information Act or the Privacy Act with respect to those records or personal information considered under the control of the government but maintained by the contractor?

The contract should also include provisions establishing how the contractor and the government institution will deal with formal access requests made under the Access to Information Act and the Privacy Act for records or personal information held by the contractor but under the control of the government institution in connection with the contract. For example, the contract could specify that if the contractor receives a request under the Access to Information Act or the Privacy Act from an individual for records or personal information, the contractor must promptly advise the individual to make the request directly to the ATIP coordinator of the government institution involved and provide that official's name and contact information to the requester. The contractor may also offer to forward the individual's request to the ATIP coordinator of the government institution for direct action along with copies of all records that may be relevant to the request. If the government institution receives a request pursuant to the Access to Information Act or the Privacy Act for any records or personal information in the custody of the contractor, the government institution must promptly notify the contractor about the request and ask the contractor to produce forthwith copies of all records that may be relevant to the request and to forward them promptly to the ATIP coordinator.

The contract should also stipulate whether the provision by the contractor of copies of all records that may be relevant to a formal request pursuant to the Access to Information Act or the Privacy Act to the government institution should be made at the contractor's expense. It is important to remember that large-scale or complex requests may involve a considerable burden to the contractor. If the government institution makes arrangements to assist with the contractor's costs in this regard, it should be reflected in the contract.

The contract should also clearly state that destroying, altering, falsifying, or concealing records to avoid providing access to them under the Access to Information Act is an offence under the Act. For example, it could state that the contractor acknowledges that section 67.1 of the Access to Information Act specifies that a person who wilfully destroys, alters, falsifies, or conceals any record that is subject to the Act or directs another person to do so with the intent to obstruct a request for access to records is guilty of an offence and is liable to a fine of not more than $10,000.

In cases where other legislative privacy requirements at the provincial or federal levels may also apply, such as the Personal Information Protection and Electronic Documents Act, the manner in which such requests will be processed should also be reflected in the contract. For example, the contract should describe the authority and procedures that will be used by the contractor to provide access to personal information held by the contractor in connection with the contract and the need to liaise with the government institution about procedures and requests.

Correction of personal information (paragraph 12(2)(a) of the Privacy Act) 

Principle

Paragraph 12(2)(a) of the Privacy Act provides that every individual given access to personal information about him or herself that has been used, is being used, or is available for use for an administrative purpose is entitled to request correction of the information or that a notation be attached to information where the individual believes there is an error or omission therein.

20.  Should the contractual agreement specify the responsibilities of both the government and the contractor with respect to requests made by individuals under the Privacy Act to correct or annotate personal information maintained by the contractor?

Under the Privacy Act, an individual has the right to challenge the accuracy and completeness of his or her personal information and to have it amended, if appropriate. In most cases, formal requests for correction or notation of personal information held by a contractor on behalf of the government institution will be received and dealt with by the government institution, which will obtain relevant information from the contractor and instruct the contractor to act as appropriate.

The contract should establish a process to ensure that the contractor will correct the information if the government institution determines that a correction or notation is necessary. For example, the contract could specify that upon being directed in writing by the institution to correct or annotate any personal information, the contractor must do so. Further, it could state that, if so directed by the institution, the contractor must also provide the corrected or annotated information to any other party to whom the contractor has disclosed the personal information for an administrative purpose over the course of the two years prior to the request for correction being received by the government institution, requiring any of those parties to attach a copy of the correction or notation to the personal information in their custody.

The contract should also specify that if the contractor receives a formal request for correction of personal information from a person other than the government institution, the contractor must immediately advise the person to make the request directly to the ATIP coordinator of the government institution involved. The contractor must also provide that official's name and contact information to the requester or offer to forward the individual's request for correction to the ATIP coordinator of the government institution for direct action and reply.

In those cases where other legislative privacy requirements at the provincial or federal level, such as the Personal Information Protection and Electronic Documents Act, allow formal requests for correction by individuals, the contract should specify how such requests will be processed. For example, the contract should describe the authority and the procedure that will be used by the contractor to correct any personal information held by the contractor in connection with the contract and the need to liaise with the government institution about both procedures and individual requests for correction.

Retention of records or personal information (subsection 6(1) of the Privacy Act and subsections 4(1) and (2) of the Privacy Regulations)

Principle

Personal information must be retained and disposed of in accordance with approved records retention and disposal schedules.

Unless the individual consents to earlier disposal, personal information that has been used in a decision-making process directly affecting the individual must be kept for a minimum of two years after the last time it was so used and, where a request for access to the information has been received, until such time as the individual has had the opportunity to exercise all his or her rights under the Privacy Act.

Records should be properly disposed of in a manner consistent with their security designation.

Subsection 12(1) of the Library and Archives of Canada Act directs that "No government or ministerial record, whether or not it is surplus property of a government institution, shall be disposed of, including by being destroyed, without the written consent of the Librarian and Archivist or of a person to whom the Librarian and Archivist has, in writing, delegated the power to give such consents."

For further information:

Treasury Board Management of Government Information policies, which can be found at http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?section=text&id=12742

Library and Archives Canada, Multi-Institutional Disposition Authorities, which can be found at http://www.collectionscanada.gc.ca/government/disposition/007007-1008-e.html.

21.  Should the contractual agreement specify the retention and disposal requirements for records or personal information, including the maximum retention period, as well as the disposal methods to be used?

In accordance with subsection 6(1) of the Privacy Act and subsection 4(1) of the Privacy Regulations, personal information that has been used by a government institution for an administrative purpose shall be retained for at least two years following the last use of the information unless the subject individual consents to its earlier disposal and, where a request for access to the information has been received, until such time as the individual has had the opportunity to exercise all his or her rights under the Act.

Records containing personal information in the possession of the contractor but under the control of the government institution must comply with these requirements. In addition, the Library and Archives of Canada Act and the Treasury Board Directive on Recordkeeping require that government institutions schedule all of their information holdings for retention and disposal. This means that each government institution must ensure that there is an appropriate retention and disposition schedule for the records under its control, including those common administration records covered by the Multi-Institutional Disposition Authorities.

The retention and disposal schedule for records, including personal information, that are held by the contractor but under the control of the government institution must be approved before the contract is signed. This would require consultation with information management staff of the government institution and also possibly with staff of Library and Archives Canada to determine if special procedures might apply for preserving historical or archival records that may be transferred to the contractor or generated for the government institution by the contractor.

In most cases, provisions in the contract relating to the disposal or destruction of the records may not be required provided that the contract clearly stipulates the contractor's obligation to provide the records to the government institution on request and to destroy the records only after having been directed to do so in writing by the government institution.

In cases where records must be retained and disposed of by the contractor in accordance with the government institution's records retention and disposal schedule, the contract should include a timetable for the retention and disposal of personal information to ensure that the information will be kept by the contractor for a stipulated period of time and no longer. The schedule must specify the maximum retention period for the information and the method of destruction applying to each category of record, as required under the Operational Security Standard on Physical Security for the destruction of classified and protected information. The disposal methods chosen will depend on factors such as the sensitivity of the information, how much information is to be destroyed, and the form in which it is recorded.

The government institution may also require a notification from the contractor when records are due for disposal in accordance with the instructions contained in the approved records retention and disposal schedule. Such a notification would allow the institution to ensure that the contractor only disposes of records that should be destroyed. When required, the contractor must also notify the institution when destruction has taken place.

Depending on the sensitivity of the personal information involved and the nature and scope of the services to be provided under contract, the institution may also require that the contractor maintain a record of destruction or a log of the disposal of any records considered under the control of the government institution that have been authorized to be disposed of under the contract. The record of destruction or log should contain at least the following information and should be made available to the institution immediately upon its request:

  • details of the records that were disposed of (e.g. file name, file number, date(s) of the records);
  • the method of destruction (paper copy shredded or electronic copy deleted from all files);
  • the date of destruction (day, month, year); and
  • the name and position title of the person who carried out the destruction of the records.

22.  Should the contractual agreement specify the conditions governing the disposal of any transitory records that are created or generated by the contractor?

If a record retention and disposal clause is used in the contract, a complementary clause relating to transitory records [15] should be included.

Before considering any clause to address transitory records, however, it is important to understand that transitory records may be destroyed routinely without recourse to a disposal schedule or authorization process once they are no longer useful for the purpose for which they were created (unless they are the subject of a request under the Access to Information Act or the Privacy Act). For example, a telephone message slip may be thrown in the garbage once the call has been returned, or handwritten notes of a meeting may be destroyed once necessary information has been transcribed and added to the relevant file.

It is crucial that government institutions adhere to good information and records management practices and be familiar with the applicable legislative and policy requirements for the management of such records. The routine destruction of transitory records is a healthy records management practice and, within a well-structured records management program, it should not give rise to an alleged offence under section 67.1 of the Access to Information Act (see question 19).

When incorporating a clause relating to transitory records, the contract should describe what is meant by transitory records (the above-mentioned link to the Authority for the Destruction of Transitory Records provides a definition and a fairly comprehensive list of such records) and specify that the contractor may dispose of those records when they are no longer required. These may be disposed of without the need for a record of destruction.

The contract should also specify that any transitory records in existence when the government institution advises the contractor of the receipt of a request made under the Access to Information Act or the Privacy Act must be included in the records to be processed for responding to the request. Such records must also be retained until such time as the request (and any subsequent complaint) has been fully processed.

Protection of personal information (sections 6, 7, and 8 of the Privacy Act [16] and the Policy on Government Security [17])

Principle

Government institutions that are subject to Treasury Board policies are responsible for protecting sensitive information and assets under their control in accordance with the Policy on Government Security and its operational standards. This policy applies equally to the contracting process as it does to internal government operations.

Government institutions must have in place appropriate security measures to ensure that, throughout its life cycle, personal information under their control is protected and not vulnerable to unauthorized use, disclosure, alteration, or destruction.

For further information:

Treasury Board Security and Contracting Management Standard, which can be found at http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12332&section=text

Treasury Board Personnel Security Standard, which can be found at http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12330&section=text

23.  Should the contractual agreement oblige the contractor to ensure that personal information is protected against such risks as loss or theft, as well as unauthorized access, disclosure, transfer, copying, use, modification, or disposal?

The contract should stipulate that the contractor is obliged to protect classified or personal information by making reasonable security arrangements that meet the standards of the Policy on Government Security or, for institutions that are not subject to that policy, their own internal security standards. To this end, the contract must describe the administrative, technical, and physical security measures and safeguards that must be taken by the contractor to protect the information in its custody but under the control of the government institution from both external and internal sources. [18]

These security requirements should apply to information recorded in any form, such as paper and electronic records (i.e. a database). While the general security requirements for hard copy and electronic records may be the same, the contract should describe any safeguards or security measures that may be specific to each information medium.

It is important to remember that the nature and extent of these measures and safeguards will vary depending on the sensitivity of the information that has been transferred to, or collected by, the contractor. Other factors may include the amount, distribution, format, and method of storage of the information and the circumstances of the contract. For example, more stringent controls might be appropriate where the contractor handles sensitive personal information or significant amounts of personal information. In those cases, a schedule setting out the security measures and safeguards to be taken by the contractor to protect the information should be annexed to the contractual agreement. The contract should also specify that the contractor cannot vary the security procedures set out in the schedule without the prior written approval of the government institution.

Government institutions should consult with their security personnel and, if necessary, with systems or information technology personnel to determine which administrative, physical, and technical safeguards or security measures the contractor should put in place to meet the required standards. They may also need the expertise of information management staff and legal advisors.

Complaints and investigations (section 30 of the Access to Information Act and section 29 of the Privacy Act)

Principle

The Information Commissioner of Canada and the Privacy Commissioner of Canada are responsible for investigating complaints from people who believe they have been denied rights under the Access to Information Act or the Privacy Act respectively.

For more information:

Treasury Board of Canada Secretariat Review of Decisions Under the Access to Information Act, which can be found at http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=13781&section=text

Treasury Board of Canada Secretariat Review of Decisions under the Privacy Act, which can be found at http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=25503&section=text

24.  Should the contractual agreement specify that the government institution and the contractor shall immediately notify each other when complaints are received pursuant to the Access to Information Act and the Privacy Act or other relevant legislation and of the outcome of such complaints?

Subject to applicable laws, the contract should specify that the government institution and the contractor will immediately notify each other when complaints are received pursuant to the Access to Information Act or the Privacy Act or other applicable privacy legislation [19] in connection with records or personal information held by a contractor on behalf of the institution and, if necessary, of the outcome of such complaints.

If personal information is disclosed as part of the notice, the disclosure must be with consent or authorized under subsection 8(2) of the Privacy Act. Consideration of other applicable privacy legislation at the provincial or federal level, such as the Personal Information Protection and Electronic Documents Act, may also need to be taken into account.

25.  Should the contract specify the right of the Information Commissioner and the Privacy Commissioner to access any records or personal information for the purposes of investigations under the Access to Information Act or the Privacy Act?

The contractor must be advised of the powers of the Information Commissioner of Canada and of the Privacy Commissioner of Canada, as may be the case, to investigate any complaints made pursuant to the Access to Information Act or the Privacy Act that relate to records or personal information deemed to be under the control of the government institution but in the physical possession of the contractor. The contract should also stipulate that the contractor will be required to co-operate and assist the government institution during any investigation of such complaints by the Information Commissioner or the Privacy Commissioner, and that the contractor's officials may have to be interviewed by investigators of the Commissioners' offices.

Audit and inspection of records or personal information

Principle

The government institution should have the right, from time to time and on reasonable notice, to access the contractor's premises to recover any or all of its records and for auditing purposes to ensure compliance with the terms of the contract.

Subsection 37(1) of the Privacy Act provides that the Privacy Commissioner may, at his or her discretion, carry out investigations to ensure compliance with the requirements contained in sections 4 to 8 of the Act. These requirements concern the collection, use and disclosure, retention, and disposal of personal information.

Under subsection 34(2) of the Privacy Act and subsection 36(2) of the Access to Information Act, the Privacy Commissioner and the Information Commissioner, respectively, have the right to examine any information recorded in any form under the control of a government institution.

26.  Should the contractual agreement specify that the government may, at any time and upon reasonable notice to the contractor, enter the contractor's premises to inspect, audit or to require a third party to audit the contractor's compliance with the privacy, security, and information management requirements under the contract, and that the contractor must co-operate with any such audit or inspection?

As part of their accountability responsibilities in managing contracts, government institutions should consider, on a case-by-case basis, the inclusion of appropriate clauses to monitor the compliance of the contractor with respect to the information management, privacy, and security requirements under the contract.

Such a clause should give the government institution access to the contract-related facilities, records, and equipment to ensure that the contractor and its employees are complying with their obligations under the contract. The government institution should have the right to inspect or audit the contractor's practices and procedures related to security, collection, use, disclosure, retention, and disposal of records and personal information considered to be under the control of the government institution. Such a clause, however, must clearly prohibit access to information that is outside the scope of the contract.

The contract should also specify that the institution may authorize a third party to inspect and evaluate on its behalf, at any reasonable time and on reasonable notice to the contractor, the contractor's compliance with the privacy, security, and information management requirements under the contract. It should be made clear in the contract that such notice would not be required in circumstances in which notice is not practicable or appropriate (e.g. a regulatory request with a shorter notice period, an investigation of theft, or a case where the government institution has reasonable suspicion of abuse or breach of contract).

The contract should not reduce, limit, or restrict in any way the function, power, right or entitlement [20] of:

  • the Information Commissioner of Canada to carry out investigations of complaints made under the Access to Information Act in respect of records under the control of government institutions; and
  • the Privacy Commissioner of Canada to carry out investigations of complaints made under the Privacy Act, or compliance reviews undertaken at the discretion of the Privacy Commissioner under section 37 of the Act, in respect of personal information under the control of government institutions.

27.  Should the contractual agreement specify the requirement of the contractor to maintain specific information to enable the conduct of information audits, i.e. the maintenance of some form of audit trail (electronic or paper form)?

The contractor should be required to maintain an audit trail or other appropriate means of control (to the extent that this is technologically practical and cost-effective) in order to detect unauthorized or unjustified access to personal data. Such a system should be capable of monitoring and logging user activities on the system and of producing a list of users who have accessed an individual's record or a list of records accessed by a specific user. This information would have to be provided to the government institution immediately upon request.
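As an added illustration of the audit-trail capability described above (example code written for this page, not part of the Treasury Board guidance or any government system), the following Python module keeps an append-only log of accesses to records containing personal information and answers the two questions the guidance asks for: which users accessed a given individual's record, and which records a given user accessed. It also flags accesses that are unauthorized (the user is not entitled to that record) or unjustified (no authorized purpose recorded), and it chains entries with SHA-256 so that later alteration of the log is detectable; the hash chain, the entitlement table, the purpose codes and all sample events are constructed assumptions for the example.

```python
"""Append-only access audit trail with per-record and per-user queries.

Added example for this page; the entitlement table, purpose codes, hash chain
and sample events below are constructed, not taken from any real system.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One access to a record containing personal information."""
    timestamp: str   # ISO 8601 UTC, supplied by the application
    user: str        # account that performed the access
    record_id: str   # identifier of the individual's record
    action: str      # e.g. "read", "update"
    purpose: str     # reason code from the application; "" if none was given


class AuditTrail:
    """Append-only log; each entry stores the event and a SHA-256 chain digest.

    The chain is an added design choice: every digest covers the previous
    digest and the event, so editing or dropping an earlier entry breaks
    verify_chain().
    """

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._entries: List[Tuple[AccessEvent, str]] = []

    @staticmethod
    def _digest(prev: str, event: AccessEvent) -> str:
        payload = prev + json.dumps(asdict(event), sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def log(self, event: AccessEvent) -> None:
        prev = self._entries[-1][1] if self._entries else self.GENESIS
        self._entries.append((event, self._digest(prev, event)))

    def verify_chain(self) -> bool:
        """Recompute every digest; False if any entry was altered or removed."""
        prev = self.GENESIS
        for event, digest in self._entries:
            if self._digest(prev, event) != digest:
                return False
            prev = digest
        return True

    def users_who_accessed(self, record_id: str) -> List[str]:
        """Every user who touched one individual's record (query 1 in the text)."""
        return sorted({e.user for e, _ in self._entries if e.record_id == record_id})

    def records_accessed_by(self, user: str) -> List[str]:
        """Every record one user touched (query 2 in the text)."""
        return sorted({e.record_id for e, _ in self._entries if e.user == user})

    def flag_anomalies(self, entitlements: Dict[str, Set[str]],
                       allowed_purposes: Set[str]) -> List[Tuple[str, str, Tuple[str, ...]]]:
        """Return (user, record_id, reasons) for unauthorized or unjustified accesses."""
        flagged = []
        for event, _ in self._entries:
            reasons = []
            if event.record_id not in entitlements.get(event.user, set()):
                reasons.append("user not entitled to this record")
            if not event.purpose:
                reasons.append("no authorized purpose recorded")
            elif event.purpose not in allowed_purposes:
                reasons.append(f"purpose '{event.purpose}' not authorized")
            if reasons:
                flagged.append((event.user, event.record_id, tuple(reasons)))
        return flagged


# Constructed sample data: which contractor staff may access which records,
# and which purpose codes the contract authorizes.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"REC-1001", "REC-1002"},
    "bob": {"REC-1002"},
    "carol": {"REC-1001", "REC-1003"},
}
ALLOWED_PURPOSES: Set[str] = {"benefit-adjudication", "correction-request", "access-request"}

SAMPLE_EVENTS = [
    AccessEvent("2024-03-01T09:00:00Z", "alice", "REC-1001", "read", "benefit-adjudication"),
    AccessEvent("2024-03-01T09:05:00Z", "bob", "REC-1002", "read", "benefit-adjudication"),
    AccessEvent("2024-03-01T10:15:00Z", "carol", "REC-1001", "update", "correction-request"),
    AccessEvent("2024-03-02T14:30:00Z", "carol", "REC-1003", "read", ""),          # no purpose
    AccessEvent("2024-03-02T16:45:00Z", "dave", "REC-1002", "read", "curiosity"),  # not entitled
]


def build_sample_trail() -> AuditTrail:
    trail = AuditTrail()
    for event in SAMPLE_EVENTS:
        trail.log(event)
    return trail


def tampered_trail_verifies() -> bool:
    """Rewrite the user on one logged entry in place and re-check the chain."""
    trail = build_sample_trail()
    event, digest = trail._entries[1]
    trail._entries[1] = (replace(event, user="mallory"), digest)
    return trail.verify_chain()


if __name__ == "__main__":
    t = build_sample_trail()
    print("chain intact:", t.verify_chain())
    print("users who accessed REC-1001:", t.users_who_accessed("REC-1001"))
    print("records accessed by carol:", t.records_accessed_by("carol"))
    for row in t.flag_anomalies(ENTITLEMENTS, ALLOWED_PURPOSES):
        print("flagged:", row)
    print("tampered chain verifies:", tampered_trail_verifies())
```

Both queries are the ones the institution would ask for "immediately upon request"; the anomaly report is what the contractor would review to detect unauthorized or unjustified access, and the chain check is what an inspector (question 26) can run to confirm the log was not edited after the fact.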

Notification of privacy breach

Principle

If an individual fails to safeguard, releases without appropriate authority, or uses information for unauthorized purposes, such action may constitute a contravention of the Access to Information Act, the Privacy Act, or other Acts of Parliament and a breach of the Policy on Government Security.

The contractor should be obliged to immediately notify the government institution when it becomes aware that it has breached the contractual provisions relating to security, unauthorized disclosure, destruction, removal, modification, or use of government information held by the contractor in connection with the contract.

Notification of the government institution is required if any conditions of the agreement are breached.

Contractors engaged in classified or protected contracts or subcontracting should ensure that the Canadian and International Industrial Security Directorate (CIISD) at Public Works and Government Services Canada is immediately notified of any breach or compromise, and that a written report is submitted to the CIISD as soon as possible. Investigation of breaches or instances of compromise shall be coordinated by the CIISD.

For more information:

"Responsibilities of the Company Security Officer," Chapter 1 of the Industrial Security Manual, which can be found at http://ssi-iss.tpsgc-pwgsc.gc.ca/msi-ism/msi-ism-eng.html.

28.  Should the contractual agreement specify that the contractor shall be obliged to notify the government immediately when it anticipates or becomes aware of an occurrence of breach of privacy or of the security requirements of the contract?

The contract should require the contractor to immediately notify the government institution when it anticipates or becomes aware of an occurrence of breach of any contractual provision relating to the security or management of personal information deemed to be under the control of the institution. This would apply to any situations where personal information may have been compromised, including unauthorized access, destruction, use, modification, or disclosure of personal information.

When notifying the institution about a breach, the contractor should be required to provide the following information in writing to the institution:

  • the nature of the information that was breached (type and date of the information, name(s) of the person(s) whose information is affected);
  • when the breach occurred (if known);
  • how the breach occurred (if known);
  • who was responsible for the breach (if known);
  • what steps the contractor has taken to mitigate the matter; and
  • what measures the contractor has taken to prevent recurrence.

Government institutions should consult their legal advisors and contracting experts before developing any such clauses.

29.  Should the contractual agreement specify that the contractor shall be required to indemnify the government for any damages in connection with any breach of its obligations under the contract?

The contractor should assume full responsibility for any negligent or wilful act or omission of any of its employees or subcontractors respecting unauthorized access, destruction, use, modification, or disclosure of personal information. There should be significant, effective remedies and penalties for violation of contract terms and conditions governing the protection of personal information.

This should include a requirement for the contractor to indemnify the government institution for any losses or damages incurred as a result of any breach of the contractor's privacy and security obligations under the contract. The consequences of such breaches may include the possible termination of the contract or any other action the institution considers appropriate, including the following:

  • demanding the immediate return of all of the government institution's records and personal information in the custody of the contractor, at the expense of the contractor;
  • requiring that the contractor issue notice, at its own expense, to any third party whose information was improperly used or disclosed; or
  • compensating the government institution for any costs it has incurred in directly sending such notices to the individuals concerned.

Government institutions should consult their legal advisors and contracting experts before developing any such clauses. This should include processes for dispute resolution, and for appropriate remedies if contractors or subcontractors breach the contract.

Subcontracting

Principle

Except for subcontracts previously permitted in the contract or as allowed for in the general terms and conditions of the contract, the government institution should carefully consider whether the contractor should be allowed to subcontract any other services or functions under the contract.

If subcontracting all or part of the activities covered by the contract is allowed, only qualified subcontractors should be permitted.

The contractor should be required to ensure that any subcontract requires the subcontractor to comply with access, privacy, and security provisions that are consistent with those contained in the contract between the contractor and the government institution.

The assignment of a subcontract does not relieve the contractor of any contractual obligations or impose any liability upon the Crown in relation to the subcontractor.

For further information:

Chapter 8, "Contract Management" of the Supply Manual, which can be found at http://www.tpsgc-pwgsc.gc.ca/app-acq/ga-sm/index-eng.html.

30.  Should the contractual agreement specify that the contractor must not subcontract the performance of any or all parts of the services or functions under the contract without prior written approval?

Where appropriate, the government institution should carefully consider whether the contractor should be allowed to subcontract any services or functions under the contract involving the government's records or personal information. In situations where subcontracting all or part of the contract may introduce unanticipated privacy and security considerations, the contract should contain relevant clauses that prevent subcontracting without the prior written approval of the government institution or the contracting authority.

Particular care should be taken with respect to subcontractors that are located or have ties outside of Canada because this could result in personal information being accessed by a foreign jurisdiction.[21] A government institution should assess the risk and consider contract measures to mitigate the risk, such as prohibiting the contractor from using subcontractors, giving the government institution the right to approve any subcontractor, or requiring the government institution's written approval for any proposed change to a subcontractor identified in the contractor's tender, proposal, or other submission.

Before giving its written approval to subcontracting, the government institution may impose terms and conditions it deems appropriate with respect to the suitability of the subcontractor, the services or functions that may be carried out by a subcontractor, and the imposition of any geographic restrictions as to where the work may be conducted and the data maintained or stored by a subcontractor.

Should the government institution or contracting authority consider it appropriate to give approval to the contractor to subcontract all or part of the activities covered by the contract, it should ensure, at a minimum, that

  • all of the contractor's terms and conditions under the primary contract to protect records or personal information that are relevant to the subcontractor's role in the provision of the services and functions under the contract are included in the agreement between the contractor and a subcontractor;
  • the agreement between the contractor and the subcontractor specifies which records, including personal information, relating to the services performed by the subcontractor remain under the control of the government institution; and
  • arrangements are in place, where appropriate, to ensure that the privacy and confidentiality undertaking referred to in question 4 is signed by each employee of the subcontractor who will access personal information deemed to be under the control of the government institution.

31.  Should the contractual agreement specify that, despite any written approval to subcontract, the contractor remains fully responsible for the performance of services under the contract or subcontract?

In the event of the government institution's acceptance of a subcontractor, the contractor should not be relieved of its responsibilities for any activities that will be assumed by the subcontractor.

The contract between the government institution and the contractor is the primary source of the contractor's obligations in relation to the records or personal information considered to be under the control of the government institution. For this reason, it is important that the contract specify that the contractor is fully responsible for the performance of the contract notwithstanding the subcontractor's performance of any part of the contract.

Although the government may not have direct contractual rights against the subcontractor, having such a clause included in the contract would allow the government to continue to have contractual remedies against a contractor in the event that a subcontractor breaches any of the information, privacy, or security clauses in the contract.

It should be noted that the contractor's responsibility in subcontracting is also dealt with in question 5, which suggests that the contractor be fully and solely responsible for the actions of its employees, subcontractors, and any agents acting on its behalf in the performance of any functions under the contract.

Termination or expiry of the contract

Principle

Upon termination or expiry of the contract, or upon request of the government institution, the contractor will cease any and all use of the personal information and will return all relevant records or personal information to the institution, including any copies, or destroy it in a manner designated by the institution or otherwise agreed to by the parties.

32.  Should the contractual agreement specify that all personal information and records must be returned to the contracting authority upon completion of the contract?

The contract should adequately deal with what will happen to the government institution's records or personal information that are in the custody of the contractor on completion or termination of the contract.

For example, the contract should specify that, unless otherwise instructed in writing by the government institution, the contractor shall return to the institution, upon expiry or termination of the contract, all records or personal information collected, generated, or maintained by the contractor in the course of providing the services under the contract that are deemed to be under the control of the institution.

If the contract requires that data be destroyed or deleted by the contractor upon termination or expiry of the agreement, adequate security measures and time frames should be specified in the contract. Where the records to be destroyed involve sensitive information, the government institution may also require that the contractor provide a detailed record of destruction, as specified in question 21. The contract may also specify that, if deemed appropriate by the government institution, government representatives may be present to oversee the destruction of the records.

33.  Should the contractual agreement specify that the obligations of the contractor to protect personal information shall continue even after completion of the contract?

Even though contracts will normally provide for all records or personal information to be returned to the government institution at the end of the agreement or to be destroyed, it is prudent to ensure that the protection that existed during the contractual agreement remains in effect after the agreement has ended should any personal information inadvertently remain with the contractor. In addition, specific contractor employees will have knowledge of confidential information, even after the contract has expired. Where a breach occurs or comes to light after an agreement has ended, relevant contractual clauses concerning confidentiality should continue to apply and remedies may be sought.


[1].     Acknowledgements: This document has been developed based on work that has been conducted by the Access and Privacy Branch, Alberta Government Services, on managing contracts under the Freedom of Information and Protection of Privacy Act.

[2].     Contractor means one who contracts to perform work or furnish materials in accordance with a contract. (Government of Canada, Public Works and Government Services Canada (PWGSC), Supply Manual)

[3].     Contracting authority means:

  1. The appropriate Minister as defined in paragraph (a) or (b) of the definition "appropriate Minister" in section 2 of the Financial Administration Act.
  2. A corporation named in Schedule II to the Financial Administration Act.
  3. Defence Construction (1951) Limited, the National Capital Commission or the National Battlefields Commission. (Ibid.)

[4].     Under the Treasury Board Secretariat Directive on Privacy Impact Assessment, government institutions must complete a PIA when contracting out or transferring a program or activities to another level of government or the private sector results in substantial modifications to the program or activities.

[5].     Before transferring any records containing personal information to a contractor, the government institution must ensure that there is nothing in its enabling legislation that could prevent any such disclosure to the contractor. Assuming the institution's own legislation does not prohibit such disclosure, the institution must then ensure that disclosure is permitted by one of the disclosure provisions in section 8 of the Privacy Act.

[6].     Where a government institution has failed to exercise control where it should have, it would be still subject to the requirements of the Access to Information Act and the Privacy Act in relation to that information, and the individual may be able to assert his or her rights under these acts against the government institution.

[7].     The Policy on Government Security applies to all departments within the meaning of Schedules I, I.1, II, IV and V of the Financial Administration Act (FAA), unless excluded by specific acts, regulations or Orders in Council.

        Certain agencies and Crown corporations can enter into agreements with the Treasury Board of Canada Secretariat to adopt the requirements of this policy and apply them to their organization.

[8].     There may be cases where privacy considerations may be so significant that they may lead an institution to decide against contracting out. This has particular relevance for outsourcing information technology systems that hold highly sensitive personal data.

[9].     This would assist in clearly identifying incidents of unauthorized access, especially where audit trails are used.

[10].  In the event a contractor has filed, or is suspected to have filed, for bankruptcy, the government institution or contracting authority must contact the court that has jurisdiction in the area of the contractor and obtain confirmation from the bankruptcy clerk of the court. Confirmation may also be obtained from the Office of the Superintendent of Bankruptcy Canada (OSB), which provides an insolvency name search service. By contacting OSB and paying a fee, you can find out whether a person or entity has begun insolvency proceedings. The service is available on the Internet at https://strategis.ic.gc.ca/sc_mrksv/bankruptcy/bankruptcySearch/engdoc.

[11].  In certain cases, the authority to collect personal information will be clearly articulated in law; the Income Tax Act offers a good example of this. In most cases, however, the institution's enabling statute will simply refer to an operating program or activity. In still other cases, the institution's enabling statute may make no specific reference to a particular program or activity, but a strong case can be made that the program or activity under examination is consistent with and in furtherance of the institution's statutory mandate. In the absence of clear statutory authority to collect personal information, institutions should consult their legal services.

[12].  Under subsection 5(3) of the Privacy Act, this requirement may not apply where notifying the individual would likely result in the collection of inaccurate information or prejudice the use for which the information is collected.

[13].  Government institutions should ensure that any obligations the contractor has under the contract do not go beyond a use that the government institution would be permitted under the Privacy Act. In other words, a government institution cannot, through a contract, avoid its own obligations under the Privacy Act by authorizing a private service provider to use the personal information in a manner that the institution itself is not permitted.

[14].  Whether the contractor is allowed to disclose the record or personal information would be determined by the various exceptions and exemptions in the Access to Information Act and the Privacy Act.

[15].  Transitory records are defined by Library and Archives Canada as "records that are required only for a limited time to ensure the completion of a routine action or the preparation of a subsequent record. Transitory records do not include records required by government institutions or Ministers to control, support or document the delivery of programs, to carry out operations, to make decisions or to account for activities of government."

[16].  These sections of the Privacy Act deal with retention, disposal, accuracy, use, and disclosure. There is no specific provision in the Privacy Act that focuses on the protection of information. Any protection offered to personal information is ancillary to the main objective of these sections and would apply where the government institution retains control of the personal information.

[17].  The Policy on Government Security explains how to protect personnel and assets, including information and information technology systems, and assure service delivery.

[18].  According to Gartner Inc. (one of the world's leading providers of research and analysis about the global information technology industry), an estimated 70 per cent of unauthorized access to information in both public and private sectors is committed by internal employees, as are more than 95 per cent of intrusions that result in significant financial losses.

[19].  There may be other legislative privacy requirements at the provincial or federal level to consider, including the possible application of the Personal Information Protection and Electronic Documents Act, which could apply to the personal information that will be collected, used, disclosed, or disposed of by the contractor in the fulfillment of its obligations under the contract with the government. Government institutions should therefore consult with their legal advisors on this matter.

[20].  Broad investigation powers, including access to the contractor's premises, may be needed to permit investigations by either commissioner (or any compliance review that may be undertaken at the discretion of the Privacy Commissioner) for information deemed to be under the control of the government but in the physical possession of a contractor.

[21].  According to the Canadian and International Industrial Security Directorate (CIISD) at Public Works and Government Services Canada (PWGSC), "Contractors shall not award a CLASSIFIED / PROTECTED subcontract to organizations located outside Canada without the PRIOR written approval of CIISD'S (PWGSC) contracting authority. The security status of foreign organizations must be verified through CIISD before entering into any commercial commitments. In addition, any transfer of CLASSIFIED / PROTECTED information to a foreign country must be channeled through CIISD.