Guidance Document: Taking Privacy into Account Before Making Contracting Decisions

Issued to federal government institutions by the Treasury Board of Canada Secretariat

Table of Contents

1. Introduction

Note: This guidance document was updated in July 2010 to include Chapter 6, entitled "Technological Measures to enhance Privacy and Security."  Chapter 6 identifies key technological measures that should be considered for inclusion in contract clauses to enhance privacy and security.  The recommended measures are intended for use in contracts that involve personal information and other sensitive information that is handled electronically. 

In addition, all hyperlinks and references to legislation and policy instruments have been updated.

Purpose of this document

This guidance document is intended to provide advice to federal government institutions whenever they consider contracting out activities in which personal information about Canadians is handled or accessed by private sector agencies under contract. 

The document was developed in response to privacy risks associated with the potential exposure of Canadians' personal information to U.S. authorities under the USA PATRIOT Act.

Why this document was developed

It is not uncommon for a federal government institution to contract out the management of a program or service involving personal information about Canadians to a company based in Canada, the U.S., or another country. When information is stored or accessible outside of Canada, however, it can be subject not only to Canadian laws but also to the laws of the other country.

One such law is the USA PATRIOT Act. The Act permits U.S. law enforcement officials to seek a court order allowing them to access the personal records of any individual for the purpose of an anti-terrorism investigation without informing individuals or agencies that such disclosure has occurred. In theory, as a result of government contracting activities, U.S. officials could access information about Canadians through U.S. firms or their affiliates, even if the data is located in Canada.

Although the risk of U.S. authorities using the USA PATRIOT Act in this way is minimal, it nevertheless exists. This has highlighted the need for special considerations with respect to government contracts involving personal information in order to mitigate such privacy risks.

The significance of the USA PATRIOT Act has been summarized by the Privacy Commissioner of Canada, Jennifer Stoddart:

The concerns raised about the impact of the USA PATRIOT Act on the privacy of personal information about Canadians are really part of a much broader issue—the extent to which Canada and other countries share personal information about their citizens with each other, and the extent to which information that has been transferred abroad for commercial purposes may be accessible to foreign governments. The enactment of the USA PATRIOT Act may simply have served as the catalyst that brought these issues to the fore.

The Government of Canada takes the issue of privacy very seriously. It supports the assessment of the Privacy Commissioner of Canada that the USA PATRIOT Act highlights the broader issue of personal information about Canadians becoming accessible to any foreign government.

2.  About the Guidance Document

Overview

The guidance document was developed by the Treasury Board Secretariat (the Secretariat) after consultation with federal government privacy and contracting experts. It is strongly recommended that institutions follow the advice offered in this document in order to mitigate privacy risks.

Each institution is responsible and accountable for any personal information under its care. Personal information is defined in section 3 of the Privacy Act as "information about an identifiable individual that is recorded in any form".

The document provides federal government officials involved in contract management with an overview of the possible strategies available to protect personal information and addresses privacy issues in contracting out that may be associated with the USA PATRIOT Act or other similar foreign legislation.

Benefits of using the document

The guidance document will help you in two ways:

  1. Firstly, it provides upfront assistance to government officials before the commencement of a contracting process in which personal information may be handled under a proposed contract. This first phase, covered in steps 1 and 2 (under "Steps to Follow"), will guide you in making an informed decision on whether an outsourcing contract is appropriate or not or, in cases where a contract is already in place, whether the contract should be renewed.
  2. Secondly, once a decision has been made to proceed with a contract, steps 3 to 5 will provide guidance on clauses and wording that can be considered for requests for proposals (RFP), statements of work (SOW), and contracts, all of which are designed to mitigate privacy risks.

Who should use the document?

The guidance document contains general policy advice for all federal government institutions that are subject to the Privacy Act. This includes approximately 250 federal departments, agencies, and Crown corporations.

The document is therefore useful for all federal government employees involved in program and service development and delivery that includes the collection, use, disclosure, retention, and disposal of personal information.

3.  Considerations

Use the document within a broader context

This guidance document is meant only as a guide and government institutions should not rely solely on it in the preparation of a contract or any other document. The advice contained in this document is not intended to be read in isolation, but in conjunction with existing government policies and procedures for procurement. Institutions are encouraged to consult with their legal and privacy officials to ensure that no misinterpretation occurs and to determine appropriate privacy measures that apply to their particular circumstances.

It is important to remember that there is no universal approach, and potential contracting situations must therefore be reviewed on a case-by-case basis.

While some of the recommendations provided in this document refer to Treasury Board policies such as those relating to contracting and security, it is understood that some institutions that will use this guidance document are not subject to such TB policies.  It is therefore recommended that, where institutions are not subject to TB policies, they should consult with contracting, security or other appropriate officials of their respective institutions.

Appropriate provisions and consultation

In accordance with the Treasury Board Contracting Policy, authorities are responsible for ensuring that appropriate provisions for the protection of government information are included in procurement documents. 

In cases where personal information may be handled under the terms of a contract, institutions should consider the inclusion of appropriate clauses to protect personal information as a shared responsibility.

Program officials should bring plans to contract out the handling of personal information to the attention of procurement officials and, when necessary, consultations should be undertaken with the institution's privacy and legal officials.

Consideration of contract and security requirements

Although the main focus of this guidance document is on addressing privacy concerns and risks, the advice contained in the document can be applied to other protected or classified information, as defined in the Policy on Government Security that may be handled under contracts.

The guidance document is intended to complement the government's existing contractual and security requirements and advice already in place to safeguard personal and other sensitive information. 

Such requirements and advice are contained in other government publications, including the following:

Issues related to the security and confidentiality of classified information should be addressed in collaboration with contracting officials and the institution's security officers. Contracting authorities are expected to include pertinent provisions in the RFP and final contract to address security requirements and to ensure that any subcontracts that might be permitted also contain similar clauses. 

Where required, a Security Requirements Check List (SRCL) form must be filled out and consultations undertaken with the Canadian and International Industrial Security Directorate at Public Works and Government Services Canada (PWGSC).

A threat and risk assessment may also be required when protected or classified information (which may include personal information) will be accessed or handled under contract.

Institutions that are subject to Treasury Board policies must implement the Policy on Government Security when sharing Government of Canada information and, more specifically, the procedures for safeguarding and storage of information should be read in conjunction with this guidance document.  Section 10.1 of the Policy on Government Security - Operational Security Standard on Physical Security is of particular relevance.

4. Getting Started

Building trust

From a policy perspective, the term "privacy" means more than just ensuring security and maintaining confidentiality of personal information by protecting against misuse or wrongful disclosure. Privacy also relates to the trust relationship that is built between individuals who provide personal information and those who collect it. It means providing individuals with a comfort level with respect to government handling of their personal information.

Privacy considerations are particularly relevant when considering contracts that may involve transferring personal information and data across borders. In such instances, the personal information is subject to foreign laws and thus potentially accessible.

The steps outlined in the next section are intended to assist program officials and privacy experts, in consultation with their legal counsel, to determine whether to enter into contracts involving the handling of personal information or, in some cases, to revisit the decision to contract if it has been determined beforehand.

Making an informed decision

As part of good management practices, federal institutions consider the costs and benefits of contracting for a service. All contracting decisions, including those that will involve personal information, take a number of important factors into account, such as the costs of program delivery and level of service, before entering into the contract. 

The first step in the process is to identify any privacy risks. More information on this initial phase and other critical steps is provided in Step 1.0 and in Appendix A.

To identify all of the appropriate privacy and access to information measures government officials should take into account during the framing of a contract that involves personal or sensitive information,refer to Appendix B, "Privacy Protection Checklist." The checklist is a practical tool that guides the project authority through a series of privacy and access-to-information questions that ensure appropriate control, collection, use, disclosure, subcontracting, and other key factors in designing a contract.

The make-or-buy decision is based upon privacy, security, and other key business case considerations, such as quality and speed of service, the feasibility of carrying out the program or service in-house, the need for specialized expertise, trade obligations, and costs.

Making the procurement decision involves a multi-faceted analysis and should involve consultations with contracting, privacy, and other relevant officials within the government institution. Even when highly sensitive personal information is involved, appropriate privacy mitigation strategies, such as contract clauses, can be implemented so that the level of overall risk is reduced before contracting is initiated. 

This guidance document is intended to promote a balanced approach and forms the basis of a well-informed decision on whether or not to contract out. 

If a decision is made to proceed with a contract, Step 4.0 contains suggested wording for contract clauses that should be built into the contractual agreement to enhance privacy protection and reduce risks.

5.  Steps to follow

Steps 1 to 2,Pre-contract

Step 1.0: Contracts involving personal information

Once it is determined that personal information (as defined in the Privacy Act) about identifiable individuals will be involved in the program or service, and that a contract is being considered as an option, the institution's analysis should include the following:

  • 1.1 compliance with the Privacy Act and Treasury Board Secretariat's privacy policy instruments;
  • 1.2 an invasion-of-privacy test; and
  • 1.3 a core Privacy Impact Assessment (PIA), if not already completed.
  • 1.4 The Privacy Act and Treasury Board Secretariat's privacy policy instruments

When federal government functions or services are performed under contract by third parties, care must be taken to ensure that the government continues to fulfil its privacy obligations. The personal information must be managed so that the government institution conforms to the fair information practices embodied in sections 4 through 8 of the Privacy Act, the Privacy Regulations, the Treasury Board Secretariat's Policy on Privacy Protection and other privacy policy instruments. In particular, the institution must have the authority to collect the personal information that will be involved in the contract and the information must, in accordance with section 4 of the Act, relate "directly to an operating program or activity of the institution."

1.2  Invasion-of-privacy test

The invasion-of-privacy test was first developed for the Treasury Board Manual on Privacy and Data Protection. The test suggests that institutions consider three interrelated risk factors:

  • the sensitivity of the personal information, including whether the information is detailed or highly personal (e.g., health information), and the context in which the information was collected;
  • the expectations of the individuals to whom the personal information relates (including the assurance that their information will be shared only on a need-to-know basis); and
  • the potential injury if personal information is wrongfully disclosed or misused, including the potential for identity theft or access by foreign governments.

The above privacy considerations will assist institutions in identifying potential risks with respect to the proposed program delivery instrument that should be mitigated as part of the contracting process. For additional guidance on this matter, please refer to Appendix A - Invasion-of-Privacy Test.

1.3  Directive on Privacy Impact Assessment and the Directive on Privacy Practices

Institutions subject to the Privacy Act are also subject to both the Directive on Privacy Impact Assessment and the Directive on Privacy Practices.

Under the Directive on Privacy Impact Assessment, the appropriate senior officials or executives of institutions are required to conduct a PIA for any new or substantially modified existing program or service involving the collection, use, or disclosure of personal information. This would include the contracting of a program or service to the private sector. .

The Directive on Privacy Practices also requires that contracts with private sector entities contain appropriate safeguards to address the following:

  • control over the personal information;
  • limitations on collection and handling as well as any prohibitions regarding the personal information for the purposes of the contract;
  • disposition of the personal information, where relevant;
  • administrative, technical and physical safeguards; and
  • obligations of other parties acting on behalf of the government institution. 

Note: Government institutions subject to the Policy on Government Security are also to ensure that government security standards are respected including Industrial Security requirements of the Department of Public Works and Government Services.

Step 2.0: Assess privacy risks against other considerations

Depending on the circumstances at the institution, there are a number of other factors that could be taken into account at this stage. The privacy risks identified and assessed in Step 1.0—in particular, the sensitivity of the information and the amount of control that the service provider has over the information—will need to be weighed against the following factors before reaching a final decision.

2.1  Laws of foreign jurisdictions

As part of doing business in circumstances that may allow the application of laws of foreign jurisdictions (e.g. subcontracts, change of ownership), institutions should give consideration to whether contracts or operations under contracts can be negatively affected by the foreign jurisdiction's economy, political reality, laws, or legal system. In some instances, these differences in a foreign environment may give rise to questions with respect to possible privacy risks.

Foreign search and seizure laws, for example, may require companies that are based within their jurisdiction, or that have ties to companies within their jurisdiction, to disclose information that is either under their control or to which they can obtain access, including information held under a contract or arrangement. The following scenarios provide examples of how such laws could potentially apply if Canada enters into a contract with a company:

Scenario A: Contract with a company operating in Canada and not in any foreign country

A company operating only in Canada that maintains personal information only in Canada is subject to Canadian legislation. There is an indirect risk of access if, under the terms of the contract, the Canadian company (the contractor) has the authority to subcontract and thus may subcontract with companies that are based in a foreign country or have links to foreign commercial organizations.

Scenario B: Contract with a company operating both in Canada and in a foreign country

An order pursuant to a foreign law could indirectly apply. A foreign-based company could be required to disclose personal information to which it has access or can obtain access, including information held by its Canadian affiliate under contract. Depending on the nature of the foreign legislation and the ease of access to the records by the foreign-based company, the Canadian affiliate may not be made aware of an order to produce information.

Scenario C: Contract with a company operating in a foreign country

Commercial organizations operating in a foreign country that hold personal information about Canadians in that country must comply with the laws of the foreign country. A foreign-based company could be required to produce personal information to which it has access or can obtain access as a result of a contract or arrangement with a Government of Canada institution.

The above examples could apply to any foreign jurisdiction with laws that can compel the production of information from companies operating within their borders. Note that it would be much more difficult for most foreign governments to target specific personal information that may be held by a company under the terms of a contract with the Canadian government than it would be to request information through an existing bilateral agreement. In considering the possible use of the USA PATRIOT Act by U.S. law enforcement to get information about Canadians, the Privacy Commissioner of Canada stated the following:

…US government agencies can rely on other established procedures to obtain information about Canadians that is held by government or the private sector in Canada. Longstanding information sharing agreements between security and law enforcement agencies in both countries, and the mutual legal assistance process, are the most likely vehicles for obtaining access to information held in Canada.

It should be noted that the Personal Information Protection and Electronic Documents Act (PIPEDA) or substantially similar provincial laws (in place only in British Columbia, Alberta, and Quebec) regulate the privacy practices of commercial organizations operating in Canada. None prevents contracting involving personal information, but they do require that
Canadian-based contractors include privacy-protective clauses in any subcontracts.

2.2  Analysis of possible application of international trade agreements

Before deciding whether or not to contract out for the handling of personal information, institutions should determine whether international trade agreements apply to the proposed procurement (Appendix C provides a brief overview of some key trade agreements). If such agreements apply to the procurement, the Government of Canada must ensure that its trade obligations are met and that requests for proposals are consistent with these obligations.

In practical terms this may mean that, in some cases, government institutions would not be able to require that information be retained in Canada.The applicability of trade agreements is therefore an important determination and may be influential in decisions to initiate a particular procurement approach or to examine alternatives. 

Government officials should consult with legal advisors to determine whether international trade agreements are applicable.

Steps 3 to 5, Contracting

Step 3.0: Building privacy into contracts

If the decision is to proceed with a contract, institutions should ensure adequate privacy protection is included in contract documents, as outlined in Steps 3.0 and 4.0. Government institutions can employ a variety of tools in the procurement process to ensure that any resulting contract will include adequate privacy protection. The evaluation criteria, the SOW, as well as other provisions of the RFP are among the most effective vehicles for ensuring upfront protection of personal information. The initial design and drafting of such procurement documents should establish overall privacy protection strategies and should produce the key provisions for ensuring appropriate privacy protection through contracts. All effective contracting solutions must take implementation costs into consideration.

3.1   Request for proposals / statement of work

One of the most fundamental risk considerations when establishing contracts that involve the handling of personal information is to ensure that the information will be collected, used, retained, and disclosed only for the purposes specified in the contract and that it will be accessible only to authorized individuals (on a need-to-know basis) for those purposes. Depending on the arrangement, this may require additional contractual safeguards, especially where the information is being accessed or held by a foreign-based contractor or a contractor with ties to a foreign jurisdiction.

Privacy risks must be considered at this early stage of the procurement process. It is imperative that all potential bidders or contractors are aware of any specific requirements associated with the performance of the contract at the RFP stage since such requirements will affect costs. The decision to include specific provisions in the RFP or SOW should be based on overall risk considerations, including potential privacy impacts and the need for contract clauses that mitigate risks. 

Any restrictions related to the access, use, and storage of personal information must be reflected in the procurement documents, including the RFP or the SOW. 

At the RFP or SOW stage

Based on the results of the invasion-of-privacy test and other risk factors, if it is determined that the risk level is relatively high, institutions may consider the following:

  • In cases where international trade agreements do not apply, is there a requirement that the work must be conducted and data retained in Canada or Government of Canada facilities (e.g. foreign embassies, military facilities abroad)?
  • Is there a requirement for the contractor to segregate the government information or database from other information?
  • Is there a requirement for the provision of an information management and security plan by the contractor (i.e. documentation that details exactly how the information will be treated over its life cycle and how its security will be ensured)?
  • Is there a requirement to obtain assurances that the bidder can meet the requirements of the contract or demonstrate certain qualifications or certification before the RFP process (i.e. are bidders pre-qualified based on their ability to manage personal information)?
  • Will the contractor be required to provide or make use of specific systems, equipment, or records with respect to the privacy and security of the government information?
  • What will be available to the contractor (e.g. facilities, systems, records, databases)?
  • Will the contractor be required to provide and maintain a list of personnel who will be authorized to access the government information or databases under the contract?
  • Will the Government of Canada have control of the information, and will the responsibilities for the handling (i.e. collection, use, storage, disposal, and disclosure) of the information be stipulated?
  • Will the contractor be required to maintain audit trails and report on all access to and disclosures of the government information or databases?
  • Will there be a need to demonstrate proof of government-authorized destruction?

Note: All contracts for services have an SOW or a description of requirements, which clearly describes the work to be carried out, the objectives to be attained, and the time frame. The SOW will be part of the RFP and the contract.

Where privacy risks are considered high, government institutions may wish to specifically evaluate the bidders' privacy protection strategies. If bidders will be required to produce a privacy management plan as part of the contract, government institutions may request that such plans be included in response to the RFP as part of the bidder's submission for evaluation during the procurement process. The federal institution could then assess such plans and give them appropriate weight in the evaluation criteria.

Step 4.0: Specific considerations for RFPs and contracts involving personal information

Important note:The Standard Acquisition Clauses and ConditionsManual (SACC), published by PWGSC, may provide adequate protection in many cases where contractual arrangements involving personal information are being made. It is therefore imperative that government officials consult their legal services and privacy officials regarding the application of additional or revised contractual language on a case-by-case basis.

The following are some considerations related to the protection of personal information that will be useful in mitigating the risk of possible unauthorized disclosure to foreign governments and in ensuring appropriate care and monitoring of contracts involving personal information. In some cases, these considerations for suggested clauses may already be requirements under other contracting and security policies, directives, and guidelines that currently apply to many institutions subject to the Privacy Act. The intent of including the suggestions below is not to limit the requirements for privacy clauses but to point out that the following matters are of particular significance and should be considered in RFPs and contract clauses.

4.1  Establish control

It is important that the nature of the relationship between government institutions and contractors and their respective roles and obligations be clearly specified in contractual arrangements. A government institution cannot collect personal information unless it is directly related to an operating program or activity of the institution. 

The institution must examine the scope of its legal authority for a program or activity. Once the authority is established, contracts for the management of government programs and services should include provisions to ensure that the government institution maintains control over personal information or other records that are transferred to the contractor and, where appropriate, over information collected, created, obtained, or maintained by the contractor in fulfillment of the contract. Establishing control is necessary to enable the contracting institution to comply with its statutory obligations under the Privacy Act and the Access to Information Act. This is of particular importance when highly sensitive information is to be stored or processed in a foreign country by a foreign-based company, subsidiary, or third party, such as a subcontractor or agent. Government institutions can establish control by defining the institution's proprietary rights to the information in the contract, including the institution's right to obtain the records upon request. 

In addition, the government has a duty to include other specific privacy protection provisions in the contractual agreement to ensure that the contracting out of government programs and services does not result in a reduction of privacy protection. There may be instances where federal institutions subject to the Privacy Act enter into contractual agreements with organizations in the private sector that are subject to other legislative privacy requirements at the provincial or federal level, such as PIPEDA. Federal institutions faced with this kind of scenario should, in consultation with their institution's legal and privacy officials, conduct a thorough legislative and policy analysis of the requirements of both laws and develop contractual clauses in keeping with the more stringent privacy principles or standards of the two laws.

4.2  Confidentiality use for purposes related to the contract

Institutions should ensure that provisions are in place to limit access (including unauthorized access) to, or the ability to obtain the sensitive personal information for purposes not related to the contract, including any disclosure or access by a foreign-based parent company, other affiliates, or third parties, such as subcontractors or agents that are not directly named in the primary contract or arrangement. In cases where sensitive personal information is being accessed, government institutions should either include a requirement for the contractor to specifically identify and designate all contractor employees who will have access to the personal or proprietary data, or identify positions of employees who will have access. This would assist in revealing any incidents of unauthorized access, especially where audit trails are used.

4.3  Audits required or permitted (including verification of tracing and audit trails)

In addition to standard audit provisions, when sensitive personal information is being accessed, institutions should consider a requirement to stipulate that the supplier or service provider maintain specific information to enable the conduct of informational audits. Audits of security and privacy, for example, will require maintenance on the part of the contractor of some form of audit trail (electronic or paper form) to demonstrate that those who accessed information had the proper authority to do so.

4.4  Segregation of information

The contracting authority should consider including provisions to ensure that mechanisms are in place requiring that all sensitive personal information disclosed to a contractor by the Government of Canada, or collected or created pursuant to a contract or arrangement with the Government of Canada, is separated or segregated from other records or company data holdings. Institutions should qualify the nature of the segregation, which may include the physical separation of data (e.g. data held on a magnetic tape), the logical separation of data (e.g. record or user ID), or a combination of both physical and logical separation.

Note: References to segregation of information in the contract must be consistent with the terms established in the RFP and SOW, as well as the PWGSC SACC manual.

4.5  Conditions for disclosures unrelated to the contract 

The government institution should consider placing specific requirements for the contractor to account for and obtain prior approval of all disclosures of sensitive personal information unrelated to the contract (see 4.2, "Confidentiality use for purposes related to the contract").

4.6  Inspection

Where a government institution establishes control (see 4.1, "Establishing control"), it may also wish to put in place broad powers to inspect the contractor's premises when sensitive personal information is involved. Past contracts related to records disposition have highlighted the importance of inspecting facilities and the actual work that is being conducted under contract. It is important that government institutions verify (not necessarily through audit) that the work is being conducted in the manner specified in the SOW and respects the conditions outlined in the RFP. If, for example, the RFP and SOW have particular requirements (technical or other), institutions may wish to allow Canada the right to inspect the work to ensure that the service provider is conducting the work in accordance with the specifications outlined in the RFP, the SOW, and the contract. 

4.7  Notification of breach

The Directive on Privacy Practices requires that government institutions implement a plan for addressing privacy breaches, when necessary.  Government institutions that are subject to Treasury Board policies should align any plans developed for addressing privacy breaches with similar requirements under the Policy on Government Security and its related directives and standards.

Given the government's obligations to protect personal information under its control, the responsibility to ensure confidentiality and the accountability for breaches should be extended to any contractor that is handling personal information on behalf of an institution. If a contractor is deemed to be at fault for a breach of confidentiality, the contractor should be prepared to accept the responsibility for a wrongful disclosure of personal information, the costs associated with the appropriate notification of the individuals whose information has been disclosed, and the possibility of termination of the contract. Institutions should specify that, immediately after the contractor becomes aware of a breach of confidentiality, the contractor must notify the government institution forthwith that the breach has occurred.

For additional guidance, government institutions can refer to the Guidelines for Privacy Breaches.

4.8  Notice of subcontractor and subcontractor obligations

Where appropriate, the government institution should carefully consider whether the contractor should be allowed to subcontract any services under the contract. If subcontracting is allowed, the contractor should be required to ensure that any subcontracting arrangement requires the subcontractor to comply with the privacy provisions of the contract between the contractor and the federal institution. The government institution may also wish to consider, on a case-by-case basis, where appropriate, whether the contractor must receive the institution's written approval of subcontract provisions before the subcontract is signed.

Step 5.0: Evaluation criteria and sample RFP and contractual language

The comprehensive assessment of federal contracts, initiated by the Treasury Board Secretariat, revealed that most of the contracts identified by institutions as having potential privacy risks involved data processing and management. To assist such institutions, the following examples of RFP clauses relate specifically to database development, location, and data processing and are intended to be applied only in circumstances where the privacy risk is assessed at a very high level.

Definition:A database is an organized collection of data that can be accessed quickly. Databases consist of fields, records, and tables. A field is a single piece of information (e.g. a telephone number); a record is a collection of fields (e.g. name, age, telephone number); and a table is a collection of records. To access information from a database, a database management system (DBMS) is needed. A DBMS is a collection of programs that enables the user to enter, organize, and select data in the database.

Database creation is the establishment of the structure of the database but not its data content. One must first create a database, then populate the database and, finally, process the data that is in the database.

Important note: In situations where the personal information is considered to be of a highly sensitive nature, the following sample clauses may be used, where appropriate, to address the risk of potential disclosure to foreign governments. Use of these clauses should be limited to situations where, in consultation with legal services and privacy officials, and based on the invasion of privacy test, it is determined that there is a high level of privacy risk (e.g. health information, income or financial information). Before implementing the clauses indicated below, institutions must consult their legal services and privacy officials. Government officials must also consult legal services before modifying or adapting such clauses to suit specific needs of a given contract or with respect to other program delivery instruments. Where institutions are subject to the requirements of the Policy on Government Security, the departmental security officer can provide advice on security procedures required by the Policy on Government Security.

The sample clauses identified below would need to appear in both the RFP and the contractual agreement.

Sample clauses for an RFP and contractual agreement

Canada has an obligation to ensure that Canadian statutes, regulations, and policies on privacy protection are respected. Where applicable, federal institutions must ensure that personal information is protected in accordance with the Privacy Act, R.S. 1985, c. P-21, the Personal Information Protection and Electronic Documents Act,2000, c. 5, and federal privacy policy instruments. Therefore, for the purposes of this requirement, where personal information will be involved in the contract, Canada requests the following from the Contractor:

Database and data processing
Where international trade obligations do not apply: Where international trade obligations do apply:

Certification from the Bidder stating the following:

The Bidder hereby certifies that it has reviewed the requirements of this RFP, the resulting contract clauses and, in particular, the requirements concerning the protection of personal information. The Bidder also certifies that it will comply with those terms and ensure that personal information that is managed, accessed, collected, used, disclosed, retained, received, created, or disposed of in order to fulfil the requirements of the Contract shall be treated in accordance with the Privacy Act R.S. 1985, c. P-21, the Personal Information Protection and Electronic Documents Act, 2000, c. 5, and Treasury Board Secretariat privacy policy instruments.

This certification shall be true and correct throughout the term of the resulting contract with the same force and effect as if continuously made throughout the term of the resulting contract.

Furthermore, the Bidder acknowledges that the Minister shall rely on this certification to award the contract. Should the Bidder fail to comply with this certification or in the event that verification or inspection by the Minister discloses a misrepresentation on the part of the Bidder, the Minister shall have the right to treat any contract resulting from this bid as being in default and to terminate it pursuant to the default provisions of the contract.

Note: It may be appropriate for government institutions, in certain circumstances where the privacy risk is determined to be high, to make the Contractor's access to the personal information conditional upon the certification remaining true. This way, as soon as a contractor is presented with an order that compels the production of personal information, the certification would no longer be valid and any subsequent access or disclosure of the personal information would constitute a breach of the contract and, in some cases, a breach of Canadian law related to security of information and privacy.

Database creation

1. The database must be located and only accessible in Canada. 1. The database must be located and only accessible in jurisdictions the laws of which do not override, conflict with, or impede the application of the Privacy Act, R.S. 1985,
c. P-21, the Personal Information Protection and Electronic Documents Act, 2000, c. 5, and Treasury Board Secretariat privacy policy instruments, either expressly or through subsequent application.
2. The database must be physically independent from all other databases, directly or indirectly, that are located outside Canada. 2. The database must be physically independent from all other databases, directly or indirectly, that are located in jurisdictions whose laws override, conflict with, or impede the application of the Privacy Act, R.S. 1985,
c. P-21, the Personal Information Protection and Electronic Documents Act, 2000, c. 5, and Treasury Board Secretariat privacy policy instruments either expressly or through subsequent application.

Data processing

1. All aspects of data processing must be conducted and only accessible in Canada. 1. All aspects of data processing must be conducted and only accessible in jurisdictions whose laws do not override, conflict with, or impede the application of the Privacy Act,
R.S. 1985, c. P-21, the Personal Information Protection and Electronic Documents Act, 2000, c. 5, and Treasury Board Secretariat privacy policy instruments either expressly or through subsequent application.

6. Technological Measures to enhance Privacy and Security

The purpose of this chapter is to identify key technological measures that will enhance privacy and security through the use of contract clauses.  The measures are intended for use in contracts that involve personal information and other sensitive information that is handled electronically. Such measures are essential for outsourced service delivery when IT systems are used to generate, modify, store and transport personal information.

As noted in other sections of this document, specific provisions in contractual agreements are necessary to ensure that personal information is properly protected when transferred to a vendor.  Contracts should specify the vendors' responsibilities for maintaining safeguards to protect personal information.

The contractor should have in place an effective management system to ensure that risks are assessed and appropriate safeguards are selected, implemented and monitored.   It is important that privacy and security requirements are addressed, and coordinated, at all stages of the information life cycle and the IT system development life cycle.  

Security and privacy have many common goals and need to be aligned.  Security controls are intended to protect personal information against loss, theft, unauthorized access, disclosure, copying, use or modification.  However, implementation of security measures alone cannot ensure that personal information is used in an appropriate way or in a way consistent with privacy requirements.  Privacy requirements must be taken into account so that appropriate security controls can be put in place.

Technical safeguards should be selected through a risk management process, which requires coordination of a Privacy Impact Assessment and a security risk assessment.  In some cases, selection of appropriate safeguards may involve a trade-off between the level of strength of the safeguard, impacts on use of the system by users, privacy and security risks, and costs.         

It is beyond the scope of this document to describe an exhaustive set of technical safeguards. This section describes some of the technical measures that apply to the specific privacy considerations identified in Step 4 of Chapter 5:   

  1. identification and authentication of authorized users;
  2. access controls to limit access to authorized users, including the types of functions that authorized users are permitted to exercise;
  3. audit logs and records created, protected and retained to verify that all access is authorized;     
  4. segregation of sensitive personal information through logical or physical data separation;
  5. inspections conducted to provide confidence that appropriate controls are in place, are properly implemented and operate as intended; and
  6. privacy breach detection, response and recovery practices.

Application of International Standard ISO/IEC 27001

When outsourcing IT services it is recommended that international standards be applied.  In particular, ISO/IEC 27001 Information Technology Security Techniques - Information Security Management Systems Requirements is highly recommended for outsourced IT services.  This standard:

  • is an internationally recognized standard that provides a common foundation for assessing security based on commercial best practises.
  • applies a process approach to manage information security risks in the context of the overall business risks.
  • addresses the full scope of security requirements of an information security management system (ISMS) including risk assessment, selection of safeguards, ongoing monitoring, management review, and continuous improvement.
  • is supported by a well established certification process to assess conformance to the standard and provide independent confirmation that an appropriate level of security is achieved.
  • and its companion standard ISO/IEC 27002 Code of Practice for Information Security Managementinclude requirements for a comprehensive set of controls (i.e., safeguards) in 11 categories.  These include the specific measures described in this section as well as other technical and non-technical measures.   
  • can reduce costs when unique government requirements do not apply. It is particularly relevant when contracting for commercially available services.    

Adoption ISO 27001 does not by itself guarantee a specific level of security and does not alleviate the need to understand and accept the risks.  A  ISO 27001 is particularly suited for commercial services and may need to be supplemented in cases where unique government requirements exist or a higher level of assurance is required.    

Identification and Authentication

It is necessary to identify authorized users prior to granting access to personal information.  Where there is a requirement to identify individuals, a secure authentication process is a critical requirement.  Electronic "authentication" is a term used to describe the technical means to verify a user's claim.

This is accomplished using a "token" that confirms something a user knows, possesses, or controls.   Examples of tokens include passwords, cryptographic keys, possession of a physical card or use of a biometric.

Emerging authentication standards define 4 levels of assurance that reflect the degree of confidence that is required based on the impact of a breach.  For example, a higher level of confidence is required for users that have access to or control over repositories of sensitive personal or other information.  

Equally important is an appropriate authentication process that respects the needs and privacy of its clients.  In some cases technical measures may be applied to provide anonymity, pseudo-anonymity, or to unlink personal information from the individual.

ISO/IEC 27001 contains a number of best practice controls that should be considered including:

  • A.11.2 User access management including: user registration, privilege management, user password management, and review of user access rights.
  • A.11.3.1 Password use.
  • A.11.4.2 User authentication for external connections.
  • A.11.5.1 Secure log-on procedures for operating systems.
  • A.11.5.2 User identification and authentication.
  • A.11.5.3 Password management system.

Summary Points on Identification and Authentication

  • The method of authentication should provide the appropriate level of assurance.   

Limiting Access

Where personal information or client data is collected, stored or maintained electronically, information must be secured and kept confidential through the use of adequate access controls.  The term access controls is used to describe both the physical and technical solutions to allow access to only authorized users and to restrict the functions they are able to perform. 

Generally speaking, the principle of least privilege should be applied, limiting each authorized individual's access to the minimum information and resources necessary to perform their legitimate duties and functions.  Access controls must be managed to define authorized individuals or groups, their roles, and their associated access privileges. Processes are also required to remove access rights when individuals no longer require access.

More robust access controls may be necessary for users who have privileged access that gives them the capability for widespread or unlimited access to sensitive information, or to control critical functionality of the system.  Additional measures such as segregation of duties may be applied to ensure that no one individual has excessive access privileges.   

ISO/IEC 27001 contains a number of best practice controls that should be considered including:

  • A.11.1.1 Access control policy.
  • A.11.4 Network access control.
  • A.11.5 Operating system access control.

Summary Points on Limiting Access

  • Use policies and technical systems to limit and restrict access to authorized individuals for necessary and legitimate purposes only.
  • Access rights should be restricted to the minimum information and resources necessary to perform legitimate duties.

Segregating Sensitive Information

The contract should require separation of Government of Canada "sensitive" information from other data holdings of the company or other clients.  This process is known as "segregating" data.  Segregation allows tighter control of personal and other sensitive information and establishes distinct boundaries where access controls can be applied. 

There are a number of ways this can be done, both physically and logically.  Physical segregation of networks and servers provides the highest degree of segregation, but at higher costs.  Increasingly, virtual networks and servers use software to create separation and reduce costs.  Sensitive data repositories should be segregated into a protected network zone to isolate data from Internet-based threats.

Servers can be segregated using separate physical servers or by using Virtual Machine technology to run logically isolated servers on the same physical server.  While this technology can provide a high degree of separation, caution is required as computing resources are increasingly shared in cloud computing environments that provide a shared pool of computing resources to serve multiple consumers.

Segregation Using Encryption

Encryption can provide a high degree of segregation to protect personal and other sensitive information.  Information that is encrypted using a strong cryptographic algorithm is effectively protected from anyone that does not have the key that allows for de-encryption.

Encryption is especially important when sensitive information is either transmitted or stored in higher risk environment.  For example, personal information should be encrypted when transmitted over insecure networks such as the Internet.  Personal information should be encrypted on storage devices that are at risk of loss or theft such as backup media, portable storage devices, and laptops.  Encryption may also be applied to other storage technologies such as Storage Area Networks or Data Base Management Systems (DBMS) to provide a high degree of separation.       

Cryptography must be properly implemented and the keys must be securely managed. The Communication Security Establishment Canada (CSEC) is the government authority on cryptography and should be consulted on approved methods and appropriate standards.  In particular, the Federal Information Processing Standard (FIPS) 140-2 should be applied to ensure the cryptographic modules are securely implemented. 

Summary Points on Segregation

  • Institutions should then ensure that commensurate levels of segregation controls are employed by the contractor.
  • Encryption should be used for transmission over insecure networks and for storage devices that are at risk of loss or theft.  

Audit Trails

The collection of historical usage information (e.g., access times and dates, user names, modifications of data, etc.)  into an audit trail is a fundamental element in providing detection of anomalies.  Not only must audit information be collected, but it also needs consistent and periodic review by competent processes to look for anomalies. 

Audit logs and records should be implemented to verify that only authorized users access personal information and to ensure that access can be linked to specific individuals and that they are held accountable for misuse (e.g., date, time and IP address can be captured).  Such audit logs allow for the monitoring, detecting misuse, and investigating of privacy breaches. 

Audit logs should be created and maintained in a secure manner to preserve evidence. Retention and use of audit logs must also preserve the privacy rights of users. 

Paper audit trails are cumbersome to store and costly to maintain, while electronic audit trails may require more stringent access controls.  Audit trails can either be maintained by the Contractor at its work site, which implies periodic visits by  institutional officials to examine the recorded information or it can supplied to the institution by the Contractor on an ongoing basis.  A Real-time audit trail feed from the contractor to the institution provides the highest value possible as it provides greater protection from tampering; however this type of audit trail is more costly and requires technically competent personnel to monitor and review.

ISO/IEC 27001 contains a number of best practice controls that should be considered including:

  • A.10.10 Monitoring including: audit logging, monitoring system use, protection of log information, administrator & operator logs, fault logging, and clock synchronization.
  • A.15.3 Information systems audit considerations including: information systems audit controls and protection of information systems audit tools.

Summary Points on Audit Logs

  • Audit logs should be used for monitoring access, detecting misuse, and investigating privacy breaches.
  • Audit logs should be created and maintained in a secure manner to preserve evidence.

Detection, Response and Recovery

Breaches may be caused by inadvertent errors or malicious actions by employees, third parties, partners in information-sharing agreements or intruders.

It is extremely important that outsourced agreements include measures to detect data breaches and that they outline the required procedures for response and recovery of information, if and when a privacy or other security breach occurs.  Detection, response and recovery measures focus primarily on the improper or unauthorized access, use or disclosure of personal or other sensitive information, and the appropriate actions to take when such incidents occur . 

Reporting of incidents can be a conflict of interest to the supplier since such reports may illustrate a breach of contract, which may have severe penalties.  Therefore, institutions should consider real-time audit feeds so that vendor reported incidents can be independently verified in the audit trail.  Time to notify is an essential criteria for determining the program's ability to respond and recover from security incidents.

Automated intrusion detection and analysis technologies should be considered to provide real time alerts, especially if repositories of personal information are exposed to external threats.  Intrusion detection data must respect legal requirements and privacy rights.

Incident handling procedures need to be documented, including escalation procedures depending on the severity of the breach.  Responding to a privacy breach requires immediate action to stop the breach and to secure the system, notify both the government institution and the individual(s) affected, and document the actions taken.  Once the system is back to normal operation follow-up actions should be taken to resolve problems or lessons learned.    Institutions should refer to the TBS document entitled Guidelines for Privacy Breaches, for suggested procedures that can be passed on to contractors.

It is recommended that contractual clauses require immediate reporting of any privacy breaches or security incidents, and corrective actions taken. 

ISO/IEC 27001 contains a number of best practice controls that should be considered including:

  • A.13.1 Reporting information security events and weaknesses.
  • A.13.2 Management of information security incidents and improvements including: responsibilities & procedures, learning from information security incidents, and collection of evidence.

Summary Points on Detection, Response and Recovery

  • Document detection, response and recovery procedures in the agreement, including escalation procedures and notification (reporting) requirements.

Inspections, Reviews or Assessments

Contracts should identify the measures to oversee the contractor's privacy and security practices and verify that appropriate privacy and security controls are in place.  More extensive inspection and monitoring processes may be necessary to achieve a higher level of confidence in situations involving highly sensitive personal information or extensive information flows.

A recommended approach is to stipulate a requirement for ISO 27001 certification.  This is a standards-based conformity assessment process that provides independent verification by a recognized certification body.  For those organizations that are subject to the Policy on Government Security, ISO 27001 certification will satisfy the requirement for Certification and Accreditation.   It is recommended that the contract include a requirement for full disclosure of all related ISO 27001 certification documentation to allow the Government of Canada to fully assess the risks, including ISO 27001 certification reports, audits, risk assessments and risk treatment plans.

Summary Points on Inspections

  • Identify the measures to oversee the contractor's privacy and security practises.
  • ISO 27001 certification is recommended.

Contacts

Questions regarding the application of the Treasury Board Secretariat privacy policy instruments and the Contracting Policy should be directed to the appropriate responsibility centre within each institution.

Should you have any questions related to the guidance provided in this document, please do not hesitate to contact the Information and Privacy Policy Division, Chief Information Officer Branch, Treasury Board of Canada Secretariat, at (613) 946-4945 or by e-mail at
ippd-dpiprp@tbs-sct.gc.ca.

References

Appendix A: Invasion-of-privacy Test

An invasion-of-privacy test provides guidance in determining whether a contract that would involve personal information would result in harm or injury to an individual. There are three main factors that should be taken into account in any invasion-of-privacy test: sensitivity of the information, expectations of the individuals, and probability and gravity of injury. 

1)   Sensitivity of the information

Determine what type of personal information will be involved in the contract.

  • How detailed is the personal information (tombstone data such as name and address or highly detailed personal information, including longitudinal information)?
  • What is the severity of the breach (determined by such factors as the number of individuals whose information is in the database and the amount of individual information collected)?
  • Is the information of a highly sensitive personal nature (e.g. health and financial information) or does it appear to be fairly innocuous information (e.g. tombstone information)?
  • What is the purpose of the work (i.e. statistical in nature, program administration, regulatory enforcement, or possible criminal enforcement)?
  • What is the context surrounding this information? (The name and address of an individual can be innocuous or extremely sensitive depending on the context; for example, names and addresses of individuals participating in a youth employment program are less sensitive than a similar list containing names and addresses of Hepatitis C and HIV compensation victims.)
  • What is the amount of control that the service provider will have over the information?

From a privacy standpoint, particular attention should be given to the decision related to contracting highly sensitive information. If information is highly detailed, sensitive, and extremely personal, institutions should consider alternatives that increase the institutions' direct control over the information where possible. Alternatively, institutions should consider implementing a very high standard of security and confidentiality that may be well beyond the minimum requirements when contracting the handling of such information. This will assist in providing Canadians with a comfort level when it comes to their personal information.

Note: The invasion-of-privacy test suggested above has been adapted from the public interest invasion-of-privacy test outlined in Chapter 2-4 of the Treasury Board Manual on Privacy and Data Protection.

2)   Expectations of the individual

Determine or establish the expectations of the individuals with respect to their personal information. The conditions that govern the collection of the personal information usually are the best source for determining the expectations of the individuals.

  • Where personal information has already been collected by the government institution, verify what conditions were established at the time the information was first collected from the individual:
  • Was there a commitment or promise not to disclose to any other party or institution?
  • Was there a caveat stating that the information could be disclosed in a manner consistent with the original purpose for its collection?
  • Was the information compiled or obtained under guarantees that preclude some or all types of disclosure?
  • Was the information unsolicited or given freely or voluntarily with little expectation of it being maintained in total confidence?

If personal information is to be collected by the government institution from the contractor, or the government institution has exercised control over the contractors' records, establish the conditions for the collection and the expected use and disclosure of the personal information in accordance with the fair information practices embodied in the Privacy Act. For example:

  • Will the institution provide clear direction to the contractor regarding its obligation with respect to the collection of personal information on behalf of the Government of Canada?
  • Will the institution ensure that the contractor informs individuals of the purpose of the collection and obtains consent (where relevant) for the collection, use, and disclosure? This also includes ensuring that individuals are informed of any statutory authority for the collection, of their right to refuse to provide any or all of the requested information and any possible consequences of such refusal, and of their right of access and correction.
  • Will the institution ensure that the contractor informs individuals of other possible uses and disclosures related to the information?
  • Would an individual feel comfortable knowing that his or her personal information could be accessed by a third party under contract?
  • Would the individual expect a third party to be involved in the handling of such personal information?
  • What level of confidentiality and security would the individual expect?

3)   Probability and gravity of injury

Determine the probability of injury if the personal information was wrongfully disclosed or if a breach of security or confidentiality occurred. Injury should be interpreted as any harm or embarrassment that will have direct negative effects, for example, on an individual's career, reputation, financial position, safety, health, or well-being. The following factors will assist in determining the extent of probable injury:

  • Would the contract involve the personal information of few or numerous individuals (e.g. will the contract deal with one or two individuals or will it involve the personal information of hundreds or thousands of individuals)?
  • If the information is considered sensitive, can it be surmised that any disclosure carries a probability of causing measurable injury (e.g. identity theft, fraud, emotional distress, or negative effects on an individual's career, reputation, financial position, safety, health, or well-being)?
  • Is there a risk in terms of the possible application of foreign laws (i.e. potential for disclosure to foreign government for uses unrelated to the contract)?
  • How grave or serious could the potential injury be?

The following table will assist in determining risks related to possible application of foreign laws as a result of a contract involving the handling of personal information.

No Risk

Databases maintained and processed on a Government of Canada site only, or databases located or maintained off-site and processing conducted by a Canadian company that operates in Canada only.

Records storage/archival and disposal handled on a Government of Canada site only or by a Canadian company operating in Canada only.

Low Risk

Databases located or maintained off-site and processed by a company in Canada, with potential access by a foreign subcontractor or potential access by foreign parent company or affiliate (with risk mitigation strategies in place).

Records storage/archival and disposal handled off-site by a company in Canada, with potential access by a foreign subcontractor or potential access by foreign parent company or affiliate (with risk mitigation strategies in place).

Medium  Risk

Database maintained and processing conducted by a foreign-based company in a foreign jurisdiction (with risk mitigation strategies in place).

High Risk

Database maintained and processing conducted by a foreign-based company in a foreign jurisdiction (with no risk mitigation strategies in place). Records storage/archival and disposal handled by foreign-based company in foreign jurisdiction.

Note: Institutions may wish to consider other factors unique to their situations. For this reason, institutions are encouraged to develop guidelines on the application of the invasion-of-privacy test within their institution.

The use of effective mitigation strategies by federal institutions will result in reducing the level of risk. These strategies could include the use of non-technological solutions, such as including the privacy clauses suggested in this document, or the implementation of technological solutions, such as encryption.



Appendix B: Privacy Protection Checklist

The purpose of the Privacy Protection Checklist is to ensure that privacy requirements are taken into consideration during the preliminary planning and implementation stages of the government contracting process.

Notes: In this checklist

"personal information"
means information about an identifiable individual that is recorded in any form as established under section 3 of the Privacy Act; and
"record"
includes any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine readable record, and any other documentary material, regardless of physical form or characteristics, and any copy thereof, in accordance with section 3 of the Access to Information Act.

YES

NO

N/A

DESCRIPTION

     

Control and accountability

Determine whether the contractual agreement should specify the following:

1. The types of records or personal information (list them) affected by the contract will remain:

  1. under the control of the government and subject to the Privacy Act and the Access to Information Act; or
  2. the sole property of the contractor;
      2. the contractor shall designate a senior individual within its organization to be the point of contract for complying with privacy/security obligations;
      3. the contractor shall provide the government with an up-to date list of all employees, subcontractors, or agents engaged in the contract who will have access to the personal information;
      4. all employees, contractors of the subcontractors, or agents to whom personal information may be accessible in the performance of the contract shall sign a privacy and confidentiality agreement;
      5. the contractor shall be fully and solely responsible for the actions of its employees, subcontractors, and agents who act on its behalf in the performance of their functions under the contract; and
      6. the contractor shall advise the government in advance in the event of any change in ownership of all or a part of the contractor's business.
      7. the contractor shall immediately notify the government in the event of any proceedings for bankruptcy or insolvency brought by or against the contractor under applicable bankruptcy or insolvency laws or any notice of creditor's remedies.
     

Transborder data flows

Determine whether the contractual agreement should specify the following:

8. the limitations on where the records and the personal information (including back-up tapes and archives) may be processed, stored or maintained by the contractor (refer to the accompanying guidance document for advice and for sample clauses); or

      9. that the contractor is prohibited from disclosing and/or transferring any personal information outside the boundaries of Canada, or allowing parties outside Canada to have access to it, without the prior written approval of the government.
     

Collection of personal information

Determine whether the contractual agreement should specify that:

10. the collection of personal information shall be limited to that which is necessary for the contractor to comply with the contract or the exercise of the contractor's rights, under the agreement;

      11. the contractor must, unless otherwise directed in writing, collect personal information directly from the individual to whom the information relates;
      12. the contractor, at the time of collection of personal information, must notify an individual from whom it collects personal information:
  • of the purpose for collecting it;
     
  • of any statutory authority for the collection;
     
  • whether response is voluntary or required by law;
     
  • of any possible consequences of refusing to respond;
     
  • of the individual's right of access to and correction of the information; and
     
  • of the number of personal information banks in which the personal information will be retained; and
      13. the contractor's employees must effectively identify themselves to the individuals from whom they are collecting personal information and provide individuals with a means to verify that they are actually working on behalf of the government and authorized to collect the information.
     

Accuracy of personal information

14. Determine whether the contractual agreement should specify that the contractor must make every reasonable effort to ensure the accuracy and completeness of any personal information to be used by the contractor or the government in a decision-making process that will directly affect the individual to whom the information relates.

     

Use of personal information

15. Determine whether the contractual agreement should specify that, unless otherwise directed in writing, the contractor shall use the personal information only for the purpose of fulfilling its obligations under the contract.

     

Disclosure of personal information

Determine whether the contractual agreement specify the following:

16. the contractor shall be prohibited from disclosing or transferring any personal information, except as necessary for the purposes of fulfilling its obligations under the agreement or unless otherwise directed to do so in writing; and

      17. if the contractor receives any request for disclosure of personal information for a purpose not authorized under the contract, or if it becomes aware that disclosure may be required by law, the contractor shall immediately notify the government about the request or demand for disclosure and must not disclose the information unless otherwise directed to do so in writing.
     

Requests for information

Determine whether the contractual agreement specify the following:

18. individuals can use an informal process to access records or their personal information directly from the contractor; and

      19. the responsibilities of both the government and the contractor in dealing with requests made under the Access to Information Act and the Privacy Act with respect to those records or personal information are to be considered under the control of the government but maintained by the contractor.
     

Correction of personal information

20. Determine whether the contractual agreement should specify the responsibilities of both the government and the contractor with respect to requests made by individuals under the Privacy Act to correct or annotate personal information maintained by the contractor.

     

Retention of records or personal information

Determine whether the contractual agreement specify the following:

21. the retention and disposal requirements for records or personal information, including the maximum retention period and the disposal methods to be used; and

      22. the conditions governing the disposition of any transitory records that are created or generated by the contractor.
     

Protection of personal information

23. Determine whether the contractual agreement shall oblige the contractor to ensure that the personal information is protected against such risks as loss or theft, as well as unauthorized access, disclosure, transfer, copying, use, modification, or disposal.

     

Complaints and investigations

Determine whether the contractual agreement should specify the following:

24. that the government and the contractor shall immediately notify each other when complaints are received pursuant to the Access to Information Act and the Privacy Act or other relevant legislation and of the outcome of such complaints; or

      25. the right of the Information Commissioner and Privacy Commissioner to access any records or personal information for the purposes of investigations under the Access to Information Act or the Privacy Act.
     

Audit and inspection of records or personal information

Determine whether the contractual agreement should specify the following:

26. that the government may, at any time and upon reasonable notice to the contractor, enter the contractor's premises to inspect, audit, or require a third party to audit the contractor's compliance with the privacy, security, and information management requirements under the contract and that the contractor must co-operate with any such audit or inspection; and

      27. the requirement of the contractor to maintain specific information to enable the conduct of information audits, i.e. the maintenance of some form of audit trail (electronic or paper form).
     

Notification of breach

Determine whether the contractual agreement should specify the following:

28. the contractor shall be obliged to notify the government immediately when it anticipates or becomes aware of an occurrence of breach of privacy or of the security requirements of the contract; and

      29. the contractor shall be required to indemnify the government for any liability in connection with any breach of its obligations under the contract.
     

Subcontracting

Determine whether the contractual agreement should specify the following:

30. the contractor must not subcontract the performance of any part of the services or functions under the contract without prior written approval; and

      31. despite any written approval to subcontract, the contractor remains fully responsible for the performance of services under the contract or subcontract.
     

termination or expiry of the contract

Determine whether the contractual agreement should specify the folllowing:

32. all personal information and records must be returned to the contracting authority upon completion of the contract; and

      33. the obligations of the contractor to protect personal information shall continue even after the completion of the contract.

Appendix C: Key International Trade Agreements

Agreement on Internal Trade

The Agreement on Internal Trade (AIT) applies to most government institutions including seven Crown corporations. The AIT applies to the procurement of goods valued at $25,000 or more and to the procurement of services and construction valued at $100,000 or more. The following services are not covered by the AIT:

  • services by licensed professionals including doctors, dentists, nurses, pharmacists, veterinarians, engineers, land surveyors, architects, chartered accountants, lawyers and notaries;
  • hauling aggregate on highway construction projects;
  • services of financial analysts or the management of investments;
  • management of government financial assets and liabilities;
  • health and social services; and
  • advertising and public relations services.

In addition, the AIT does not apply to procurement related to cultural industries, Aboriginal culture, national security, or financial services.

North American Free Trade Agreement

The North American Free Trade Agreement (NAFTA) applies to most government institutions including ten Crown corporations. NAFTA applies to the procurement of goods valued at more than $27,300 (Canada-U.S.) and $76,600 (Canada-Mexico), to the procurement of services valued at $76,600 or more, and to construction contracts worth $9.9 million or more. For Crown corporations, NAFTA applies to the purchases of goods and services valued at $383,300 or more and construction contracts valued at $12.2 million or more.

The Agreement on Government Procurement of the World Trade Organization

The Agreement on Government Procurement of the World Trade Organization (WTO-AGP) applies to most government institutions. The WTO-AGP applies to the procurement of goods or services valued at $221,300 or more and construction requirements valued at $8.5 million or more. The WTO-AGP is a multilateral agreement that aims to secure greater international competition for government procurement.

NAFTA and WTO-AGP

In addition to some general exceptions like procurements related to national security, products for handicapped persons, philanthropic institutions or prison labour, and measures necessary to protect public morals, order or safety, the following specific commodities are excluded from NAFTA and WTO-AGP coverage:

  • ship building and repair;
  • urban rail and transportation components, materials, iron, steel and equipment;
  • transportation services that are part of, or incidental to, a procurement contract;
  • communications, detection and coherent radiation equipment in Federal Supply Classification (FSC) 58;
  • oil purchases related to any strategic reserve requirement;
  • purchases made in support of the safeguarding of nuclear materials;
  • dredging work; and
  • the following FSCs for the departments of Transport, Communications, and Fisheries and Oceans:
    70 (automatic data processing equipment, software supplies and support equipment);
    74 (office machines, text processing systems and visible record equipment); and
    36 (special industry machinery).

In addition, the following five groups of service contracts are completely excluded from NAFTA and WTO-AGP:

  • research and development;
  • health and social services;
  • financial and related services;
  • utilities; and
  • communications, photographic, mapping, printing, and publications services.

Note: Dollar limits shown are known to change with inflation and for other reasons. Notification of such changes are issued through Contracting Policy Notices.

Source: The above information has been reproduced from information on "Trade Agreements" contained on the Contracts Canada Website..

Explanatory Notes for the Privacy Protection Checklist

A.    Introduction

A.1  Preamble

The Access to Information Act and the Privacy Act apply only to those federal institutions listed in schedules of each Act and grant individuals a right of access to records or personal information under the control of government institutions, subject to specific exceptions and exclusions. The Privacy Act also imposes statutory obligations on government institutions to manage personal information in accordance with sections 4 to 8 of the Act, which establish a code of fair information practices regarding the collection, accuracy, use, disclosure, retention, and disposal of personal information.

The acts do not apply to private sector contractors. This means that government institutions must ensure that the contract does not weaken the right of public access to information or significantly affect their ability to protect personal information of individuals when contracting out the management of a government program or service. The most effective means to require that an outside service provider respects the statutory requirements of the Access to Information Act and the Privacy Act is to insert, where appropriate, relevant access to information and privacy clauses in the contractual agreement.

The clauses required will vary depending on the relationship and nature of the services to be provided. In some cases, clauses may be needed to deal with the disclosure of personal information to the service provider to enable contract performance. In other cases, clauses may be needed to meet the collection requirements of the Privacy Act where contract deliverables will result in the collection of personal information by the contractor on behalf of the government institution. In other cases, where the contracting party is acting on the government institution's behalf by performing government services or functions, clauses may be needed to stipulate who has control of the records or personal information transferred to, or collected, created or maintained by, the contractor in the performance of the contract and ensure that the requirements under both acts applicable to records or personal information deemed to be under the control of the government institution are fully met.

Appropriate contract clauses would ensure that the government institution's responsibility for the protection of personal information continues to be fulfilled by the contractor and, where applicable, individuals continue to have a right of access to their personal information and to records relevant to the government institution's accountability for the program or services performed under the contract.

A.2  Purpose

The following explanatory notes[1] complement the Privacy Protection Checklist to guide government institutions in developing access to information and privacy clauses that are consistent with their obligations under the legislation. The clauses are meant for situations where an outside service provider (hereinafter referred to as the contractor[2]) is required to handle records or personal information on behalf of a government institution or contracting authority[3] while performing government services or functions. The questions found in the checklist serve to highlight the specific access to information and privacy requirements that should be considered when drafting government contracts.

A.3  Overview

As every contract is unique, not all questions in the Privacy Protection Checklist will apply to all contract situations. For example, a contract involving only the storage or archiving of personal information or the operation or maintenance of a computerized system containing personal information may not require privacy protection clauses that address the collection, accuracy, use, disclosure or correction of personal information. Each Checklist question should be answered taking into consideration the sensitivity of the personal information involved and the nature and scope of the services to be provided by the contractor on behalf of the government institution. Institutions are encouraged to consult their legal advisors and Access to Information and Privacy (ATIP) officials to determine any specific needs for access and privacy clauses that may apply to their particular contracting circumstances.

The Checklist questions and the explanatory notes provided in this document are not necessarily all-inclusive; there may be other legislative privacy requirements at the provincial or federal level to consider, including departmental or program-specific legislation and the possible application of the Personal Information Protection and Electronic Documents Act.  Government institutions faced with this kind of scenario should, in consultation with their institution's legal advisors and ATIP officials, conduct a thorough legislative and policy analysis of the requirements of all applicable laws and develop contractual clauses that ensure first and foremost that the government institution meets its legal obligations. If more than one law applies, institutions may also wish to adopt the most stringent privacy principles or standards.

B.  Explanatory notes concerning the Checklist questions

Both the checklist and the explanatory notes are meant to provide guidance only and government institutions should not rely solely on them in the preparation of a contract or any other document. Again, institutions are encouraged to consult their departmental legal and ATIP experts for advice in this regard.

Control and accountability

Principle

The Access to Information Act and the Privacy Act apply to records and personal information "under the control" of government institutions. Thus, the issue of control is of primary importance to ensure that the information and privacy rights of individuals under these acts are upheld when records are transferred to or generated by a contractor, while fulfilling its obligations on behalf of a government institution.

It is government policy that institutions must respect their obligations under the Access to Information Act or the Privacy Act when contracting out.

Generally, unless there is valid justification, government institutions should include provisions in contractual agreements to ensure that records that are either transferred to, created, collected, or maintained by the contractor in the fulfilment of a contract relevant to the delivery of government services remain under the control of the contracting government institution and are subject to both the Access to Information Act and the Privacy Act.

In addition to access to information provisions, the contractual agreement should include privacy protection clauses to ensure that any personal information contained in the records, as defined in section 3 of the Privacy Act, is managed by the contractor in conformity with the code of fair information practices embodied in the Privacy Act and its regulations, as well as the Treasury Board Secretariat Policy on Privacy Protection.

The contractor should assume full responsibility for the performance of its obligations and functions under the contract.

1.  Should the contractual agreement specify the types of records or personal information (list them) affected by the contract that will remain:
  1. under the control of the government and subject to the Privacy Act and the Access to Information Act; or
  2. the sole property of the contractor?

Contracting out government programs or service-delivery functions does not relieve the government of its access and privacy obligations for records or personal information held by private sector companies on its behalf. Institutions proposing to contract out government programs or services should prepare a case analysis involving several public interest tests, including how information and privacy rights of Canadian citizens under the Access to Information Act and the Privacy Act will be maintained.[4]

When evaluating the access to information and privacy implications of contracting out, government institutions must determine whether the records (including personal information) that will be transferred [5] to, or collected, created, or maintained, by the contractor in the performance of the government program or service, are under the control of the government institution. If the government institution establishes control, the records will be covered by the Access to Information Act and the Privacy Act. To this end, the institution would be required to specify a number of conditions in the contract that are consistent with its duties and obligations under the acts and that make the contractor's responsibilities very clear with respect to those records and personal information.

From a legal perspective, the records are to be covered by the Access to Information Act and the Privacy Act when they are considered to be under the control of the federal institution. As long as records are under the control of a government institution, the legal requirements of the acts apply.

A government institution cannot avoid its statutory obligations [6] under the Access to Information Act and the Privacy Act by claiming that it does not have possession of specific records. There may, however, be legitimate circumstances where an institution wants to obtain a service from an independent contractor without ever taking control of the personal information created thereunder, while also protecting the information. For example, a government institution using a private polling firm to conduct a survey to assess client or employee satisfaction and determine how to improve service may not necessarily want to retain control of the personal information collected by the contractor. In fact, the deliverables may require that the contractor provide all information collected during the survey in a non-identifiable format. In such cases, the contractor should be required to destroy the key permitting it to link statistical data to individual respondents once the survey is completed and all survey data has been compiled and validated. The contractor should also be required to protect the information until it has been destroyed or rendered completely anonymous.

In other instances, it may also be desirable that a contract clearly identify and list any business records of the contractor (e.g. administrative, financial, accounting or human resources records) that are necessary for the contractor's performance under the contract but are not considered the property of or under the control of the government institution. The contract should specify that the documents would be considered to be under the control of the government institution if the government has possession of contractor documents or the power to produce them.

The contract should also specify that the records deemed to be under the control of the government institution but in the possession of the contractor must be segregated from the contractor's other business records or data holdings for security reasons and to facilitate the administration of the Access to Information Act and the Privacy Act (e.g. individuals' access and correction rights).

2.  Should the contractual agreement specify that the contractor shall designate a senior individual (or individuals) within its organization who would be responsible for ensuring the contractor's compliance with the privacy and security obligations under the contract and be the first point of contact with the government institution for any privacy and security issues?

The Treasury Board Security and Contracting Management Standard[7] indicates that departments are responsible for protecting sensitive information and assets under their control during all phases of the contracting process.  The standard prescribes the use of contractual clauses to specify security requirements.

The Industrial Security Manual, which is produced by the Canadian and International Industrial Security Directorate, Public Works and Government Services Canada (PWGSC), contains specific provisions that apply to any contractor that has been authorized to store or handle protected or classified government information or assets that requires a Designated Organization Screening or a Facility Security Clearance. Among other things, such contractors must appoint a company security officer to carry out security responsibilities.

Although there is no requirement in the Industrial Security Manual for a contractor to name someone to be responsible for ensuring the contractor's compliance with the privacy obligations under the contract, the government institution has a duty to ensure that the contractor is taking reasonable steps to ensure that contractors put in place effective privacy protection practices. One of these steps is to have a person in charge of privacy management for the contractor. Thus, depending on the sensitivity of the personal information involved and the nature and scope of the services to be provided by the contractor for the government institution, there may be a need for the contractor to assign one senior individual (or individuals) to be accountable for administration and compliance with the privacy requirements of the contract and to be the first point of contact for such issues. The government institution would be required to do the same.

3.  Should the contractual agreement specify that the contractor shall provide the government with an up-to-date list of all employees, subcontractors or agents engaged in the contract who will have access to the personal information?

Government institutions may wish to consider whether they need to know the identity of the contractor's employees who will have access to personal information. In most cases, it may only be necessary to list the positions or categories of employees of the contractor who need access to personal information to carry out their duties under the contract rather than listing each employee by name. This would provide more flexibility for contracts with a lengthy duration or where there is a high staff turnover. In such cases, the contract should specify the types or elements of personal information that may be accessed by each category of employees, as well as the specific circumstances under which employees of the contractor will require access to the information. The contract should also stipulate the security requirements and access controls that will be in place.

In cases where the information to be accessed under the contract is highly sensitive,[8] government institutions may wish to impose further conditions, as follows:

  • to limit the number of individuals (e.g. employees of the contractor, subcontractors, or agents) who would be allowed to have access to the personal information for the purpose of the contract;
  • to identify in the contract the names of each individual who will access the personal information, specifying how, why, and when access is permitted (a list of the individuals would be annexed to the original contract); and
  • to maintain, throughout the contract, an up-to-date list, by position, of all officials who access personal information in the performance of the contract and to provide the government institution with a copy of that list at any time, upon request.[9]
4.  Should the contractual agreement specify that all contractors' employees, subcontractors or agents to whom personal information may be accessible in the performance of the contract shall sign a privacy and confidentiality agreement?

It is of utmost importance that, in any outsourcing or contracting agreement, all of the contractor's staff (e.g. employees of the contractor, subcontractors, or agents) engaged in the performance of the contract are fully aware of their obligations to protect personal information. To this end, the contract should stipulate that the contractor train relevant employees in the privacy and security requirements of the contract and commit to using discipline, if necessary, to ensure that employees comply with those requirements.

Depending on the sensitivity of the personal information involved, the contract may also require the contractor to ensure that, before allowing any employee to have access to any personal information held in connection with the contract, each employee signs a privacy and confidentiality undertaking with the contractor, in a form acceptable to the government institution. The undertaking should specify that discipline, up to and including termination of employment, may result if the employee, without authority, intentionally accesses, uses, discloses, or disposes of personal information contrary to the terms of the contract. The undertaking is to be maintained on file by the contractor for the duration of the contract and for a specified period of time after completion of the contract. The employees should also be advised that a copy of their undertaking could be disclosed to the government institution upon request.

5.  Should the contractual agreement specify that the contractor shall be fully and solely responsible for the actions of its employees, subcontractors, and agents who act on its behalf in the performance of their functions under the contract?

The contractor must be made fully responsible for the performance of its obligations and functions under the contract. The overall responsibility of the contractor for ensuring that its employees, agents, and subcontractors adhere to the terms and conditions of the contract, including requirements to protect personal information under the control of the government institution, should be explicit in the contract.

6.  Should the contractual agreement specify that the contractor shall advise the government in advance in the event of any change in ownership or control of all or a part of the contractor's business?

A corporation buyout or merger involving the contractor may create a potential conflict of interest or may introduce unanticipated information, privacy, and security risks. Requiring the contractor to advise the government institution in advance in the event of a change in ownership or control of all or part of the contractor's business would enable the government institution to undertake an assessment of the potential impact on information, privacy, and security that may result from the change. The institution should include a right to terminate the contract in such circumstances, at its discretion. This would be of particular importance if the proposed new owner or partner is located is in a foreign country or has ties with U.S.-based companies or other foreign organizations or for other reasons of public policy (e.g. Canada does not contract with Iran).

7.  Should the contractual agreement specify that the contractor shall immediately notify the government in the event of any proceedings for bankruptcy or insolvency brought by or against the contractor under applicable bankruptcy or insolvency laws or any notice of creditor's remedies?

Depending on the nature of the contract and the sensitivity of the services or functions to be performed by the contractor on behalf of the government institution, there may be a need to specify in the contract that the contractor shall advise the government institution or contracting authority in the event of any proceedings for bankruptcy or insolvency brought by or against the contractor under applicable bankruptcy or insolvency laws, including any notice of creditor's remedies made against the contractor. Government institutions should consult with their legal advisors and contracting experts before including any such clause in their contract.

The fact that a contractor is experiencing financial difficulty or has filed under any of the bankruptcy or insolvency laws could have very serious implications on how the contractor is capable of meeting the requirements of the contract or of completing contract performance. Upon being notified that the contractor has become insolvent or has filed for bankruptcy,[10] it is essential that prompt action be taken to ensure that the government's rights are protected in any formal proceedings and to determine whether the contractor is still capable of performing or meeting the requirements of the contract. Intensive monitoring of the contractor's performance would be required in such circumstances and, to the extent permitted by the laws of Canada, the government institution should specify in the contract that it may, at its option, immediately terminate all or any part of the contract.

Transborder data flows

Principle

Government institutions have an obligation to ensure that personal information collected, used, processed, accessed, disclosed, retained, received, created, or disposed of in order to fulfil the requirements of a contract shall be protected against any possible risks related to the issue of transborder flow of information. This would include the potential exposure of personal information of Canadians to U.S. authorities under the USA PATRIOT Act or other similar foreign laws.

8.  Should the contractual agreement specify any limitations on where the records and personal information (including back-up tapes and archives) may be processed, stored or maintained by the contractor (Refer to the Guidance Document for advice and sample clauses)?

One mechanism to deal with the risks associated with transborder flow of information is to have the work done in Canada and to have personal information segregated to a system not accessible by entities outside Canada (e.g. a government-organization contractor-operated (GOCO) facility or partnership) subject to applicable trade laws. The contract should therefore stipulate whether there are any geographical restrictions related to processing, storing, maintaining, or accessing records containing personal information by the contractor or an affiliate. This is particularly important if the contractor is located in a foreign country or is a subsidiary of a foreign organization.

The inclusion of a clause of this nature will depend on the sensitivity of the personal information involved, the type of contract, the work to be performed and whether the government institution has control of the information, the company performing the work, and the level of risk of exposure to U.S.-based or other foreign companies or subcontractors. Guidance on how to make that decision is contained in Steps 3 to 5 "Contracting" and in Appendix A of the Guidance Document, which also offers examples of contractual language that could be used to address the risk of potential disclosure to foreign governments. It is important that institutions consult with their legal advisors and ATIP officials before implementing, modifying, or adapting any of the clauses that are offered as examples in the Guidance Document. There may also be a requirement to consult with the departmental security officer concerning any security requirements under the Policy on Government Security.

9.  Should the contractual agreement specify that the contractor is prohibited from disclosing or transferring any personal information outside the boundaries of Canada, or allowing parties outside Canada to have access to it, without the prior written approval of the government?

Where appropriate, the contract may stipulate that the contractor is prohibited from disclosing or transferring any personal information to third parties outside Canada or from allowing such parties to have access to it without the prior written approval of the institution. Once information goes beyond Canada's borders, it may be either impractical or impossible for a government institution to prevent any unauthorized use, disclosure, or transfer of that information or even, in some cases, to access its own information.

Collection of personal information (sections 4 and 5 of the Privacy Act)

Principle

Under section 4 of the Privacy Act, a government institution shall collect personal information only when it relates directly to an authorized program or activity of the institution.

Subsection 5(1) of the Privacy Act requires that, wherever possible, government institutions shall collect personal information intended to be used for an administrative purpose directly from the individual to whom it relates. There are limited exceptions to this rule; for example, law enforcement activities.

Subject to exceptions referred to in subsection 5(3) of the Privacy Act, government institutions are required to inform individuals of the purpose for which the information is being collected and the intended uses to be made of it.

10.  Should the contractual agreement specify that the collection of personal information shall be limited to that which is necessary for the contractor to comply with the contract or the exercise of the contractor's rights under the agreement?

In cases where the contractor is required to collect personal information on behalf of the government institution in performing government services or functions and the personal information is under the control of the government institution, the contract should specify the purposes for which the contractor may collect personal information under the contract and the institution's authority [11] for such a collection. The contract should also stipulate the type or elements of personal information that may be collected by the contractor on behalf of the institution and from whom such personal information is collected. A similar clause should be considered when the contractor is required under the contract to create personal information.

The contract should also specify that the contractor must limit its collection of any personal information to what is necessary for the purpose of the contract or the exercise of the contractor's rights under the agreement (i.e. information that would be required by the contractor to substantiate its rights to receive payment).

It is important to remember that when specifying the nature of the personal information to be collected by the contractor, the government institution must ensure that the contractor does not collect more personal information from individuals than the government institution itself would be allowed to collect under the Privacy Act for a similar authorized operating program or activity of the institution. Notification and direct collection requirements (or exceptions) for personal information intended to be used for an administrative purpose must be respected.

In cases where the institution obtains a service from an independent contractor without taking control of the personal information, but where the contract deliverables will result in a collection of personal information by the government institution, the contract should specify the personal information to be provided to the government institution as part of the deliverables. The government institution must ensure that only personal information directly related to the program or activity is collected as part of the deliverables and that the indirect collection requirements under the Privacy Act are met.

11. Should the contractual agreement specify that the contractor must, unless otherwise directed in writing, collect personal information directly from the individual to whom the information relates?

When the contractor collects personal information on behalf of the government institution by performing government services or functions and the personal information is under the control of the government institution, the contract should specify that, unless otherwise directed in writing by the institution, the contractor must collect it directly from the individual to whom the information relates. The method and manner of collection should also be specified in the contractual agreement.

12. Should the contractual agreement specify that the contractor, at the time of collection of personal information, must notify an individual from whom it collects personal information:
  • The purpose and authority for the collection;
  • Any uses or disclosures that are consistent with the original purpose;
  • Any uses or disclosures that are not related to the original purpose;
  • Any legal or administrative consequences for refusing to provide the personal information; and
  • The rights of access to, correction of and protection of personal information under the Privacy Act.

Subsection 5(2) of the Privacy Act recognizes an individual's right to know and understand the purpose for which his or her personal information is being collected and how it will be used. The Treasury Board Directive on Privacy Practices has expanded on how such notice is to be given. It is one of the most fundamental privacy principles because without appropriate notice an individual cannot make an informed decision whether or not to provide personal data.

When a contractor collects personal information on behalf of the government institution by performing government services or functions and the personal information is under the control of the government institution, the contract should require that the contractor notify,[12] at the time of collection, individuals from whom it collects personal information of the purpose and authority for the collection; any uses or disclosures that are consistent with the original purpose; any uses or disclosures that are not related to the original purpose; any legal or administrative consequences for refusing to provide the personal information; and the rights of access to, correction of and protection of personal information under the Privacy Act.

13. Should the contractual agreement specify that the contractor's employees must effectively identify themselves to the individuals from whom they are collecting personal information and provide individuals with a means to verify that they are actually working on behalf of the government and authorized to collect the information?

Where the contractor is required to collect personal information from individuals in person, the contract should specify that the contractor's employees must effectively identify themselves to the individuals from whom they are collecting personal information and provide them with a means to verify that they are actually working on behalf of the Government of Canada and authorized to collect the information. As a matter of good practice, the contractor's employees should carry a letter provided by the government institution confirming that the personal information is being collected on behalf of the Government of Canada and present a photo identification in a format and manner approved by the institution when collecting personal information from individuals in person at their place of residence.

When collecting personal information by telephone, the contractor's employees should provide individuals with the title, business address, and telephone number of a government official who can confirm the authority and the purposes for which the information is being collected and answer any other questions the individuals might have about the collection.

Accuracy of personal information (subsection 6(2) of the Privacy Act)

Principle

Subsection 6(2) of the Privacy Act stipulates that government institutions must take all reasonable steps to ensure that personal information that is used for an administrative purpose is as accurate, up-to-date, and complete as possible. This requirement is intended to minimize the possibility that a decision affecting an individual will be made on the basis of inaccurate, obsolete, or incomplete information.  

14.  Should the contractual agreement specify that the contractor must make every reasonable effort to ensure the accuracy and completeness of any personal information to be used by the contractor or the government institution in a decision-making process that will directly affect the individual to whom the information relates?

If any personal information collected by the contractor under the contract is used, or is available for use, by the contractor while performing government services or functions or by the government institution itself in a decision-making process that directly affects the individual to whom the information relates, the contract should require the contractor to make every reasonable effort to ensure the information is accurate, up-to-date, and complete.

In some instances, the contract may specify joint responsibility for data accuracy and integrity by the government institution and the contractor. For example, where the contractor's obligation is limited to ensuring that the data provided to it are accurately recorded and stored, it will be the government institution's responsibility to review and amend the data to ensure accuracy and completeness. In such situations, the contract should specify that the contractor should take all reasonable steps to ensure that personal information provided to it in connection with the contract is accurately recorded and is not amended, except as directed by the government institution.

Alternatively, the contractor may be required to update personal information at specified intervals by either directly contacting the affected individuals, or indirectly from other sources if the government institution has the authority to collect the information indirectly from a third party.

Use of personal information (section 7 of the Privacy Act)

Principle

Without the consent of the individual to whom it relates, personal information under the control a government institution shall only be used for the purpose for which it was collected, or for a use consistent with the original purpose, or for a purpose for which the information may be disclosed within or outside the institution under subsection 8(2) of the Privacy Act.

15.  Should the contractual agreement specify that, unless otherwise directed in writing, the contractor shall use the personal information only for the purpose of fulfilling its obligations under the contract?

The government institution must ensure that the personal information under its control but in the physical possession of the contractor is not used in a manner inconsistent with the government institution's obligations [13] under the Privacy Act. The contractor should be prohibited from using any personal information held in connection with the contract in any way other than for the specific purpose of fulfilling its obligations under the contract.

The contract should expressly specify the purpose(s) for which the contractor may use the personal information and stipulate that use for any other purposes must have prior express written authorization from the government institution. It should also state that these restrictions survive the contract.

Disclosure of personal information (section 8 of the Privacy Act)

Principle

Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed to third parties except in the limited number of situations set out in subsection 8(2) of the Privacy Act.

16.  Should the contractual agreement specify that the contractor shall be prohibited from disclosing or transferring any personal information, except as necessary for the purposes of fulfilling its obligations under the agreement or unless otherwise directed to do so in writing?

Assuming an Act of Parliament does not prohibit the disclosure of the personal information, the government institution may disclose personal information to a contractor with the consent of the individual to whom the information relates or, where the disclosure is authorized under subsection 8(2) of the Privacy Act, without consent. The contractor's ability to collect the personal information from the government institution may be subject to legislative privacy requirements at the provincial or federal level, such as the Personal Information Protection and Electronic Documents Act, and any such requirements must be taken into account in the contract.

Generally, the contract should specify that, unless the government institution otherwise directs in writing, the contractor is prohibited from disclosing or transferring any personal information held in connection with the contract in any way other than in accordance with the contract. The government institution must also ensure that personal information under its control but in the physical possession of the contractor is not disclosed in a manner inconsistent with the government institution's obligations under the Privacy Act. To this end, the contract should expressly stipulate how, when, and why personal information under the control of the government institution may be disclosed or transferred by the contractor to perform the government services or functions under the contract as well as the authority for such disclosures or transfers.

17.  Should the contractual agreement specify that if the contractor receives any request for disclosure of personal information for a purpose not authorized under the contract, or if it becomes aware that disclosure may be required by law, the contractor shall immediately notify the government about the request or demand for disclosure and must not disclose the information unless otherwise directed to do so in writing?

In some instances, the contract should specify that if the contractor receives any request for disclosure of personal information, other than those stated in the contract, or if it becomes aware that disclosure may be required by law (i.e. demand for disclosure from a court of law, an investigative body, or from a foreign jurisdiction), the contractor must immediately advise the government institution of the request or demand for disclosure and must not disclose the information unless otherwise directed to do so in writing by the institution.

While the contractor may have a legal duty to disclose personal information, it should let the government institution know as soon as possible so that the institution may consider its position in relation to the legality of the demand for disclosure and have the opportunity to intervene in any proceedings before any disclosure is made. The contract should specify that failure on the part of the contractor to notify the government institution of any such disclosure beforehand, even where disclosure is required by law, would be considered a material breach of the contract and may result in termination of the contract.

The government institution may also request that the contractor keep a record of any disclosures of personal information that have been made. Maintaining such a record or register may be of particular importance when sensitive personal information is involved. The register of disclosure should contain the following information and should be made available to the government institution immediately upon request:

  • the date of the disclosure;
  • the name of the entity or person to whom the information was disclosed and, if known, the address of such entity or person;
  • a brief description of the information disclosed;
  • a brief statement of the purpose of such disclosure, which includes an explanation of the basis for such disclosure;
  • the format of the record (e.g. paper, electronic);
  • the method of transmission; and
  • the name of the person who made the disclosure.

Requests for information (section 12 of the Privacy Actand section 4 of the Access to Information Act)

Principle

Government institutions should provide individuals with informal access to government records or their personal information whenever possible.

Where informal access to the requested government records or personal information cannot be given, the requestor must be informed, as appropriate, of his or her rights under the Access to Information Act or the Privacy Act.

18.  Should the contractual agreement specify that individuals can use an informal process to access records or their personal information directly from the contractor?

It is important that the contract clearly state the responsibilities of both the government institution and the contractor in dealing with access requests for records or personal information in the custody of the contractor but under the control of the government institution.

First, the contract should specify whether the contractor would be allowed to provide informal access to certain types of information as a matter of course without the necessity for an individual to submit a formal access request under the Access to Information Act or the Privacy Act , as the case may be. Where appropriate, this informal release process should be encouraged to reduce administrative costs.

If the government institution authorizes the contractor to provide routine informal access, the contract must clearly identify the types of records, including any elements of personal information, that could be routinely released by the contractor. The contract must also specify the circumstances, the conditions, and the restrictions [14] under which the contractor may make such records or personal information informally available to individuals upon request. In allowing the contractor to disclose information on an informal basis, the government institution must be satisfied that such informal disclosures by the contractor can be made because no exceptions under the Access to Information Act apply, the disclosures will be in accordance with the privacy requirements of the Privacy Act, and the privacy and confidentiality requirements of any other applicable legislation or Treasury Board policies and guidelines will be respected.

19.  Should the contractual agreement specify the responsibilities of both the government and the contractor in dealing with formal request made under the Access to Information Act or the Privacy Act with respect to those records or personal information considered under the control of the government but maintained by the contractor?

The contract should also include provisions establishing how the contractor and the government institution will deal with formal access requests made under the Access to Information Act and the Privacy Act for records or personal information held by the contractor but under the control of the government institution in connection with the contract. For example, the contract could specify that if the contractor receives a request under the Access to Information Act or the Privacy Act from an individual for records or personal information, the contractor must promptly advise the individual to make the request directly to the ATIP coordinator of the government institution involved and provide that official's name and contact information to the requester. The contractor may also offer to forward the individual's request to the ATIP coordinator of the government institution for direct action along with copies of all records that may be relevant to the request. If the government institution receives a request pursuant to the Access to Information Act or the Privacy Act for any records or personal information in the custody of the contractor, the government institution must promptly notify the contractor about the request and ask the contractor to produce forthwith copies of all records that may be relevant to the request and to forward them promptly to the ATIP coordinator.

The contract should also stipulate whether the provision by the contractor of copies of all records that may be relevant to formal request pursuant to the Access to Information Act or the Privacy Act to the government institution should be made at the contractor's expense. It is important to remember that large-scale or complex requests may involve a considerable burden to the contractor. If the government institution makes arrangements to assist with the contractor's costs in this regard, it should be reflected in the contract.

The contract should also clearly state that destroying, altering, falsifying, or concealing records to avoid providing access to them under the Access to Information Act is an offence under the Act. For example, it could state that the contractor acknowledges that section 67.1 of the Access to Information Act specifies that a person who wilfully destroys, alters, falsifies, or conceals any record that is subject to the Act or directs another person to do so with the intent to obstruct a request for access to records is guilty of an offence and is liable to a fine of not more than $10,000.

In cases where other legislative privacy requirements at the provincial or federal levels may also apply, such as the Personal Information Protection and Electronic Documents Act, the manner in which such requests will be processed should also be reflected in the contract. For example, the contract should describe the authority and procedures that will be used by the contractor to provide access to personal information held by the contractor in connection with the contract and the need to liaise with the government institution about procedures and requests.

Correction of personal information (paragraph 12(2)(a) of the Privacy Act) 

Principle

Paragraph 12(2)(a) of the Privacy Act provides that every individual given access to personal information about him or herself that has been used, is being used, or is available for use for an administrative purpose is entitled to request correction of the information or that a notation be attached to information where the individual believes there is an error or omission therein.

20.  Should the contractual agreement specify the responsibilities of both the government and the contractor with respect to requests made by individuals under the Privacy Act to correct or annotate personal information maintained by the contractor?

Under the Privacy Act, an individual has the right to challenge the accuracy and completeness of his or her personal information and to have it amended, if appropriate. In most cases, formal requests for correction or notation of personal information held by a contractor on behalf of the government institution will be received and dealt with by the government institution, which will obtain relevant information from the contractor and instruct the contractor to act as appropriate.

The contract should establish a process to ensure that the contractor will correct the information if the government institution determines that a correction or notation is necessary. For example, the contract could specify that upon being directed in writing by the institution to correct or annotate any personal information, the contractor must do so. Further, it could state that, if so directed by the institution, the contractor must also provide the corrected or annotated information to any other party to whom the contractor has disclosed the personal information for an administrative purpose over the course of the two years prior to the request for correction being received by the government institution, requiring any of those parties to attach a copy of the correction or notation to the personal information in their custody.

The contract should also specify that if the contractor receives a formal request for correction of personal information from a person other than the government institution, the contractor must immediately advise the person to make the request directly to the ATIP coordinator of the government institution involved. The contractor must also provide that official's name and contact information to the requester or offer to forward the individual's request for correction to the ATIP coordinator of the government institution for direct action and reply.

In those cases where other legislative privacy requirements at the provincial or federal level, such as the Personal Information Protection and Electronic Documents Act, allow formal requests for correction by individuals, the contract should specify how such requests will be processed. For example, the contract should describe the authority and the procedure that will be used by the contractor to correct any personal information held by the contractor in connection with the contract and the need to liaise with the government institution about both procedures and individual requests for correction.

Retention of records or personal information (subsection 6(1) of the Privacy Act and
subsections 4(1) and (2) of the Privacy Regulations)

Principle

Personal information must be retained and disposed of in accordance with approved records retention and disposal schedules.

Unless the individual consents to earlier disposal, personal information that has been used in a decision-making process directly affecting the individual must be kept for a minimum of two years after the last time it was so used and, where a request for access to the information has been received, until such time as the individual has had the opportunity to exercise all his or her rights under the Privacy Act.

Records should be properly disposed of in a manner consistent with their security designation.

Subsection 12. (1) of the Library and Archives of Canada Act directs that "No government or ministerial record, whether or not it is surplus property of a government institution, shall be disposed of, including by being destroyed, without the written consent of the Librarian and Archivist or of a person to whom the Librarian and Archivist has, in writing, delegated the power to give such consents."

For further information:

Treasury Board Management of Government Information policies, which can be found at http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?section=text&id=12742

Library and Archives Canada, Multi-Institutional Disposition Authorities, which can be found at  http://www.collectionscanada.gc.ca/government/disposition/007007-1008-e.html.

21.  Should the contractual agreement specify the retention and disposal requirements for records or personal information, including the maximum retention period, as well as the disposal methods to be used?

In accordance with subsection 6(1) of the Privacy Act and subsection 4(1) of the Privacy Regulations, personal information that has been used by a government institution for an administrative purpose shall be retained for at least two years following the last use of the information unless the subject individual consents to its earlier disposal and, where a request for access to the information has been received, until such time as the individual has had the opportunity to exercise all his or her rights under the Act.

Records containing personal information in the possession of the contractor but under the control of the government institution must comply with these requirements. In addition, the Library and Archives of Canada Act and the Treasury Board Directive on Recordkeeping require that government institutions schedule all of their information holdings for retention and disposal. This means that each government institution must ensure that there is an appropriate retention and disposition schedule for the records under its control, including those common administration records covered by the Multi-Institutional Disposition Authorities.

The retention and disposal schedule for records, including personal information, that are held by the contractor but under the control of the government institution must be approved before the contract is signed. This would require consultation with information management staff of the government institution and also possibly with staff of the Library and Archives Canada to determine if special procedures might apply for preserving historical or archival records that may be transferred to the contractor or generated for the government institution by the contractor.

In most cases, provisions in the contract relating to the disposal or destruction of the records may not be required provided that the contract clearly stipulates the contractor's obligation to provide the records to the government institution on request and to destroy the records only after having been directed to do so in writing by the government institution.

In cases where records must be retained and disposed of by the contractor in accordance with the government institution's records retention and disposal schedule, the contract should include a timetable for the retention and disposal of personal information to ensure that the information will be kept by the contractor for a stipulated period of time and no longer. The schedule must specify the maximum retention period for the information and the method of destruction applying to each category of record, as required under the Operational Security Standard on Physical Security for the destruction of classified and protected information. The disposal methods chosen will depend on factors such as the sensitivity of the information, how much information is to be destroyed, and the form in which it is recorded.

The government institution may also require a notification from the contractor when records are due for disposal in accordance with the instructions contained in the approved records retention and disposal schedule. Such a notification would allow the institution to ensure that the contractor only disposes of records that should be destroyed. When required, the contractor must also notify the institution when destruction has taken place.

Depending on the sensitivity of the personal information involved and the nature and scope of the services to be provided under contract, the institution may also require that the contractor maintain a record of destruction or a log of the disposal of any records considered under the control of the government institution that have been authorized to be disposed of under the contract. The record of destruction or log should contain at least the following information and should be made available to the institution immediately upon its request:

  • details of the records that were disposed of (e.g. file name, file number, date(s) of the records);
  • the method of destruction (paper copy shredded or electronic copy deleted from all files);
  • the date of destruction (day, month, year); and
  • the name and position title of the person who carried out the destruction of the records.
22.       Should the contractual agreement specify the conditions governing the disposal of any transitory records that are created or generated by the contractor?

If a record retention and disposal clause is used in the contract, a complementary clause relating to transitory records [15] should be included.

Before considering any clause to address transitory records, however, it is important to understand that transitory records may be destroyed routinely without recourse to a disposal schedule or authorization process once they are no longer useful for the purpose for which they were created (unless they are the subject of a request under the Access to Information Act or the Privacy Act). For example, a telephone message slip may be thrown in the garbage once the call has been returned, or handwritten notes of a meeting may be destroyed once necessary information has been transcribed and added to the relevant file.

It is crucial that government institutions adhere to good information and records management practices and be familiar with the applicable legislative and policy requirements for the management of such records. The routine destruction of transitory records is a healthy records management practice and, within a well-structured records management program, it should not give rise to an alleged offence under section 67.1 of the Access to Information Act  (see question 19).

When incorporating a clause relating to transitory records, the contract should describe what is meant by transitory records (the above-mentioned link to the Authority for the Destruction of Transitory Records provides a definition and a fairly comprehensive list of such records) and specify that the contractor may dispose of those records when they are no longer required. These may be disposed of without the need for a record of destruction.

The contract should also specify that any transitory records in existence when the government institution advises the contractor of the receipt of a request made under the Access to Information Act or the Privacy Act must be included in the records to be processed for responding to the request. Such records must also be retained until such time as the request (and any subsequent complaint) has been fully processed.

Protection of personal information (sections 6, 7, and 8 of the Privacy Act[16] and the Policy on Government Security[17])

Principle

Government institutions that are subject to Treasury Board policies are responsible for protecting sensitive information and assets under their control in accordance with the Policy on Government Security and its operational standards. This policy applies equally to the contracting process as it does to internal government operations.

Government institutions must have in place appropriate security measures to ensure that, throughout its life cycle, personal information under their control is protected and not vulnerable to unauthorized use, disclosure, alteration, or destruction.

For further information:

Treasury Board Security and Contracting Management Standard, which can be found at http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12332&section=text

Treasury Board Personnel Security Standard, which can be found at http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12330&section=text

23.  Should the contractual agreement oblige the contractor to ensure that personal information is protected against such risks as loss or theft, as well as unauthorized access, disclosure, transfer, copying, use, modification or disposal?

The contract should stipulate that the contractor is obliged to protect classified or personal information by making reasonable security arrangements that meet the standards of the Policy on Government Security or for institutions that are not subject to that policy, their own internal security standards. To this end, the contract must describe the administrative, technical, and physical security measures and safeguards that must be taken by the contractor to protect the information in its custody but under the control of the government institution from both external and internal sources.[18]

These security requirements should apply to information recorded in any form, such as paper and electronic records (i.e. a database). While the general security requirements for hard copy and electronic records may be the same, the contract should describe any safeguards or security measures that may be specific to each information medium.

It is important to remember that the nature and extent of these measures and safeguards will vary depending on the sensitivity of the information that has been transferred to, or collected by, the contractor. Other factors may include the amount, distribution, format, and method of storage of the information and the circumstances of the contract. For example, more stringent controls might be appropriate where the contractor handles sensitive personal information or significant amounts of personal information. In those cases, a schedule setting out the security measures and safeguards to be taken by the contractor to protect the information should be annexed to the contractual agreement. The contract should also specify that the contractor cannot vary the security procedures set out in the schedule without the prior written approval of the government institution.

Government institutions should consult with their security personnel and, if necessary, with systems or information technology personnel to determine which administrative, physical, and technical safeguards or security measures the contractor should put in place to meet the required standards. They may also need the expertise of information management staff and legal advisors.

Complaints and investigations (section 30 of the Access to Information Act and section 29 of the Privacy Act)

Principle

The Information Commissioner of Canada and the Privacy Commissioner of Canada are responsible for investigating complaints from people who believe they have been denied rights under the Access to Information Act or the Privacy Act respectively.

For more information:

Treasury Board of Canada Secretariat Review of Decisions Under the Access to Information Act, which can be found at http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=13781&section=text

Treasury Board of Canada Secretariat Review of Decisions under the Privacy Act, which can be found at http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=25503&section=text

24.  Should the contractual agreement specify that the government institution and the contractor shall immediately notify each other when complaints are received pursuant to the Access to Information Act and the Privacy Act or other relevant legislation and of the outcome of such complaints?

Subject to applicable laws, the contract should specify that the government institution and the contractor will immediately notify each other when complaints are received pursuant to the Access to Information Act or the Privacy Actor other applicable privacy legislation [19] in connection with records or personal information held by a contactor on behalf of the institution and, if necessary, of the outcome of such complaints.

If personal information is disclosed as part of the notice, the disclosure must be with consent or authorized under subsection 8(2) of the Privacy Act. Consideration of other applicable privacy legislation at the provincial or federal level, such as the Personal Information Protection and Electronic Documents Act, may also need to be taken into account.

25.  Should the contract specify the right of the Information Commissioner and the Privacy Commissioner to access any records or personal information for the purposes of investigations under the Access to Information Act or the Privacy Act?

The contractor must be advised of the powers of the Information Commissioner of Canada and of the Privacy Commissioner of Canada, as may be the case, to investigate any complaints made pursuant to the Access to Information Act or the Privacy Act that relate to records or personal information deemed to be under the control of the government institution but in the physical possession of the contractor. The contract should also stipulate that the contractor will be required to co-operate and assist the government institution during any investigation of such complaints by the Information Commissioner or the Privacy Commissioner, and that the contractor's officials may have to be interviewed by investigators of the Commissioners' offices.

Audit and inspection of records or personal information

Principle

The government institution should have the right, from time to time and on reasonable notice, to access the contractor's premises to recover any or all of its records and for auditing purposes to ensure compliance with the terms of the contract.

Subsection 37(1) of the Privacy Act provides that the Privacy Commissioner may, at his or her discretion, carry out investigations to ensure compliance with the requirements contained in sections 4 to 8 of the Act. These requirements concern the collection, use and disclosure, retention, and disposal of personal information.

Under subsection 34(2) of the Privacy Act and subsection 36(2) of the Access to Information Act, the Privacy Commissioner and the Information Commissioner, respectively, have the right to examine any information recorded in any form under the control of a government institution.

26.  Should the contractual agreement specify that the government may, at any time and upon reasonable notice to the contractor, enter the contractor's premises to inspect, audit or to require a third party to audit the contractor's compliance with the privacy, security, and information management requirements under the contract, and that the contractor must co-operate with any such audit or inspection?

As part of their accountability responsibilities in managing contracts, government institutions should consider, on a case-by-case basis, the inclusion of appropriate clauses to monitor the compliance of the contractor with respect to the information management, privacy, and security requirements under the contract.

Such a clause should give the government institution access to the contract-related facilities, records, and equipment to ensure that the contractor and its employees are complying with their obligations under the contract. The government institution should have the right to inspect or audit the contractor's practices and procedures related to security, collection, use, disclosure, retention, and disposal of records and personal information considered to be under the control of the government institution. Such a clause, however, must clearly prohibit access to information that is outside the scope of the contract.

The contract should also specify that the institution may authorize a third party to inspect and evaluate on its behalf, at any reasonable time and on reasonable notice to the contractor, the contractor's compliance with the privacy, security, and information management requirements under the contract. It should be made clear in the contract that such a notice would not be required in circumstances in which notice is not practicable or appropriate (e.g. caused by a regulatory request with shorter notice or investigation of theft or where the government institution has reasonable suspicion of abuse or breach of contract).

The contract should not reduce, limit, or restrict in any way the function, power, right or entitlement [20] of the Information Commissioner of Canada to carry out investigations of complaints made under the Access to Information Act in respect of records under the control of government institutions; andthe Privacy Commissioner of Canada to carry out investigations of complaints made under the Privacy Act, or compliance reviews undertaken at the discretion of the Privacy Commissioner under section 37 of the Act, in respect of personal information under the control of government institutions.

27.  Should the contractual agreement specify the requirement of the contractor to maintain specific information to enable the conduct of information audits, i.e. the maintenance of some form of audit trail (electronic or paper form)?

The contractor should be required to maintain an audit trail or other appropriate means of control (to the extent that this is technologically practical and cost-effective) in order to detect unauthorized or unjustified access to personal data. Such a system should be capable of monitoring and logging user activities on the system and of producing a list of users who have accessed an individual's record or a list of records accessed by a specific user. This information would have to be provided to the government institution immediately upon request.

Notification of privacy breach

Principle

If an individual fails to safeguard, releases without appropriate authority, or uses information for unauthorized purposes, such action may constitute a contravention of the Access to Information Act, the Privacy Act, or other Acts of Parliament and a breach of the Policy on Government Security

The contractor should be obliged to immediately notify the government institution when it becomes aware that it has breached the contractual provisions relating to security, unauthorized disclosure, destruction, removal, modification, or use of government information held by the contractor in connection with the contract.

Notification of the government institution is required if any conditions of the agreement are breached.

Contractors engaged in classified or protected contracts or subcontracting should ensure that the Canadian and International Industrial Security Directorate (CIISD)at Public Works and Government Services Canada is immediately notified of any breach or compromise, and that a written report is submitted to the CIISD as soon as possible. Investigation of breaches or instances of compromise shall be coordinated by the CIISD.

For more information:

"Responsibilities of the Company Security Officer," Chapter 1 of the Industrial Security Manual, which can be found at http://iss-ssi.pwgsc-tpsgc.gc.ca/msi-ism/index-eng.html.  

28.  Should the contractual agreement specify that the contractor shall be obliged to notify the government immediately when it anticipates or becomes aware of an occurrence of breach of privacy or of the security requirements of the contract?

The contract should require the contractor to immediately notify the government institution when it anticipates or becomes aware of an occurrence of breach of any contractual provision relating to the security or management of personal information deemed to be under the control of the institution. This would apply to any situations where personal information may have been compromised, including unauthorized access, destruction, use, modification, or disclosure of personal information.

When notifying the institution about a breach, the contractor should be required to provide the following information in writing to the institution:

  • the nature of the information that was breached (type and date of the information, name(s) of the person(s) whose information is affected);
  • when the breach occurred (if known);
  • how the breach occurred (if known);
  • who was responsible for the breach (if known);
  • what steps the contractor has taken to mitigate the matter; and
  • what measures the contractor has taken to prevent recurrence.

Government institutions should consult their legal advisors and contracting experts before developing any such clauses.

29.  Should the contractual agreement specify that the contractor shall be required to indemnify the government for any damages in connection with any breach of its obligations under the contract?

The contractor should assume full responsibility for any negligent or wilful act or omission of any of its employees or subcontractors respecting unauthorized access, destruction, use, modification, or disclosure of personal information. There should be significant, effective remedies and penalties for violation of contract terms and conditions governing the protection of personal information.

This should include a requirement for the contractor to indemnify the government institution for any losses or damages incurred as a result of any breach of the contractor's privacy and security obligations under the contract. The consequences of such breaches may include the possible termination of the contract or any other action the institution considers appropriate, including the following:

  • demanding the immediate return of all of the government institution's records and personal information in the custody of the contractor, at the expense of the contractor;
  • requiring that the contractor issue notice, at its own expense, to any third party whose information was improperly used or disclosed; or
  • compensating the government institution for any costs it has incurred in directly sending such notices to the individuals concerned.

Government institutions should consult their legal advisors and contracting experts before developing any such clauses. This should include processes for dispute resolution, and for appropriate remedies if contractors or subcontractors breach the contract.

Subcontracting

Principle

Except for subcontracts previously permitted in the contract or as allowed for in the general terms and conditions of the contract, the government institution should carefully consider whether the contractor should be allowed to subcontract any other services or functions under the contract.

If subcontracting all or part of the activities covered by the contract is allowed, only qualified subcontractors should be permitted.

The contractor should be required to ensure that any subcontract requires the subcontractor to comply with access, privacy, and security provisions that are consistent with those contained in the contract between the contractor and the government institution.

The assignment of a subcontract does not relieve the contractor of any contractual obligations or impose any liability upon the Crown in relation to the subcontractor.

For further information:

Chapter 8, "Contract Management" of the Supply Manual, which can be found at http://www.tpsgc-pwgsc.gc.ca/app-acq/ga-sm/index-eng.html.

30.  Should the contractual agreement specify that the contractor must not subcontract the performance of any or all parts of the services or functions under the contract without prior written approval?

Where appropriate, the government institution should carefully consider whether the contractor should be allowed to subcontract any services or functions under the contract involving the government's records or personal information. In situations where subcontracting all or part of the contract may introduce unanticipated privacy and security considerations, the contract should contain relevant clauses that prevent subcontracting without the prior written approval of the government institution or the contracting authority.

Particular care should be taken with respect to subcontractors that are located or have ties outside of Canada because this could result in personal information being accessed by a foreign jurisdiction.[21] A government institution should assess the risk and consider contract measures to mitigate the risk, such as prohibiting the contractor from using subcontractors, giving the government institution the right to approve any subcontractor, or requiring the government institution's written approval for any proposed change to a subcontractor identified in the contractor's tender, proposal, or other submission.

Before giving its written approval to subcontracting, the government institution may impose terms and conditions it deems appropriate with respect to the suitability of the subcontractor, the services or functions that may be carried out by a subcontractor, and the imposition of any geographic restrictions as to where the work may be conducted and the data maintained or stored by a subcontractor.

Should the government institution or contracting authority consider it appropriate to give approval to the contractor to subcontract all or part of the activities covered by the contract, it should ensure, at a minimum, that

  • all of the contractor's terms and conditions under the primary contract to protect records or personal information that are relevant to the subcontractor's role in the provision of the services and functions under the contract are included in the agreement between the contractor and a subcontractor;
  • the agreement between the contractor and the subcontractor specifies which records, including personal information, relating to the services performed by the subcontractor remain under the control of the government institution; and
  • arrangements are in place, where appropriate, to ensure that the privacy and confidentiality undertaking referred to in question 4 is signed by each employee of the subcontractor who will access personal information deemed to be under the control of the government institution.
31.  Should the contractual agreement specify that, despite any written approval to subcontract, the contractor remains fully responsible for the performance of services under the contract or subcontract?

In the event of the government institution's acceptance of a subcontractor, the contractor should not be relieved of its responsibilities for any activities that will be assumed by the subcontractor.

The contract between the government institution and the contractor is the primary source of the contractor's obligations in relation to the records or personal information considered to be under the control of the government institution. For this reason, it is important that the contract specify that the contractor is fully responsible for the performance of the contract notwithstanding the subcontractor's performance of any part of the contract.

Although the government may not have direct contractual rights against the subcontractor, having such a clause included in the contract would allow the government to continue to have contractual remedies against a contractor in the event that a subcontractor breaches any of the information, privacy, or security clauses in the contract.

It should be noted that the contractor's responsibility in subcontracting is also dealt with in question 5, which suggests that the contractor be fully and solely responsible for the actions of its employees, subcontractors, and any agents acting on its behalf in the performance of any functions under the contract.

Termination or expiry of the contract

Principle

Upon termination or expiry of the contract, or upon request of the government institution, the contractor will cease any and all use of the personal information and will return all relevant records or personal information to the institution, including any copies, or destroy it in a manner designated by the institution or otherwise agreed to by the parties.

32.  Should the contractual agreement specify that all personal information and records must be returned to the contracting authority upon completion of the contract?

The contract should adequately deal with what will happen to the government institution's records or personal information that are in the custody of the contractor on completion or termination of the contract.

For example, the contract should specify that, unless otherwise instructed in writing by the government institution, the contractor shall return all records or personal information collected, generated, or maintained by the contractor in the course of providing the services under the contract and are deemed to be under the control of the institution to the institution upon expiry or termination of the contract.

If the contract requires that data be destroyed or deleted by the contractor upon termination or expiry of the agreement, adequate security measures and time frames should be specified in the contract. Where the records to be destroyed involve sensitive information, the government institution may also require that the contractor provide a detailed record of destruction, as specified in question 21. The contract may also specify that, if deemed appropriate by the government institution, government representatives may be present to oversee the destruction of the records.

33.  Should the contractual agreement specify that the obligations of the contractor to protect personal information shall continue even after completion of the contract?

Even though contracts will normally provide for all records or personal information to be returned to the government institution at the end of the agreement or to be destroyed, it is prudent to ensure that the protection that existed during the contractual agreement remains in effect after the agreement has ended should any personal information inadvertently remain with the contractor. In addition, specific contractor employees will have knowledge of confidential information, even after the contract has expired. Where a breach occurs or comes to light after an agreement has ended, relevant contractual clauses concerning confidentiality should continue to apply and remedies may be sought.


[1].     Acknowledgements: This document has been developed based on work that has been conducted by the Access and Privacy Branch, Alberta Government Services, on managing contracts under the Freedom of Information and Protection of Privacy Act.

[2].     Contractor means one who contracts to perform work or furnish materials in accordance with a contract. (Government of Canada, Public Works and Government Services Canada (PWGSC),Supply Manual)

[3].     Contracting authority means:

  1. The appropriate Minister as defined in paragraph (a) or (b) of the definition "appropriate Minister" in section 2 of the Financial Administration Act.
  2. A corporation named in Schedule II to the Financial Administration Act.
  3. Defence Construction (1951) Limited, the National Capital Commission or the National Battlefields Commission. (Ibid.)

[4].     Under the Treasury Board Secretariat Directive on Privacy Impact Assessment, government institutions must complete a PIA when contracting out or transferring a program or activities to another level of government or the private sector results in substantial modifications to the program or activities.

[5].     Before transferring any records containing personal information to a contractor, the government institution must ensure that there is nothing in its enabling legislation that could prevent any such disclosure to the contractor. Assuming the institution's own legislation does not prohibit such disclosure, the institution must then ensure that disclosure is permitted by one of the disclosure provisions in section 8 of the Privacy Act.

[6].     Where a government institution has failed to exercise control where it should have, it would be still subject to the requirements of the Access to Information Act and the Privacy Act in relation to that information, and the individual may be able to assert his or her rights under these acts against the government institution.

[7].     The Policy on Government Security applies to all departments within the meaning of Schedules I, I.1, II, IV and V of the Financial Administration Act (FAA), unless excluded by specific acts, regulations or Orders in Council.

        Certain agencies and Crown corporations can enter into agreements with the Treasury Board of Canada Secretariat to adopt the requirements of this policy and apply them to their organization.

[8].     There may be cases where privacy considerations may be so significant that they may lead an institution to decide against contracting out. This has particular relevance for outsourcing information technology systems that hold highly sensitive personal data.

[9].     This would assist in clearly identifying incidents of unauthorized access, especially where audit trails are used.

[10].  In the event a contractor has filed, or is suspected to have filed, for bankruptcy, the government institution or contracting authority must contact the court that has jurisdiction in the area of the contractor and obtain confirmation from the bankruptcy clerk of the court. Confirmation may also be obtained from the Office of the Superintendent of Bankruptcy Canada (OSB), which provides an insolvency name search service. By contacting OSB and paying a fee, you can find out whether a person or entity has begun insolvency proceedings. The service is available on the Internet at https://strategis.ic.gc.ca/sc_mrksv/bankruptcy/bankruptcySearch/engdoc.

[11].  In certain cases, the authority to collect personal information will be clearly articulated in law; the Income Tax Act offers a good example of this. In most cases, however, the institution's enabling statute will simply refer to an operating program or activity. In still other cases, the institution's enabling statute may make no specific reference to a particular program or activity, but a strong case can be made that the program or activity under examination is consistent with and in furtherance of the institution's statutory mandate. In the absence of clear statutory authority to collect personal information, institutions should consult their legal services.

[12].  Under subsection 5(3) of the Privacy Act, this requirement may not apply where notifying the individual would likely result in the collection of inaccurate information or prejudice the use for which the information is collected.

[13].  Government institutions should ensure that any obligations the contractor has under the contract do not go beyond a use that the government institution would be permitted under the Privacy Act. In other words, a government institution cannot, through a contract, avoid its own obligations under the Privacy Act by authorizing a private service provider to use the personal information in a manner that the institution itself is not permitted.

[14].  Whether the contractor is allowed to disclose the record or personal information would be determined by the various exceptions and exemptions in the Access to Information Act and the Privacy Act.

[15].  Transitory records are defined by Library and Archives Canada as "records that are required only for a limited time to ensure the completion of a routine action or the preparation of a subsequent record. Transitory records do not include records required by government institutions or Ministers to control, support or document the delivery of programs, to carry out operations, to make decisions or to account for activities of government."

[16].  These sections of the Privacy Act deal with retention, disposal, accuracy, use, and disclosure. There is no specific provision in the Privacy Act that focuses on the protection of information. Any protection offered to personal information is ancillary to the main objective of these sections and would apply where the government institution retains control of the personal information.

[17].  The Policy on Government Securityexplains how to protect personnel and assets, including information and information technology systems, and assure service delivery.

[18].  According to Gartner Inc. (one of the world's leading providers of research and analysis about the global information technology industry), an estimated 70 per cent of unauthorized access to information in both public and private sectors is committed by internal employees, as are more than 95 per cent of intrusions that result in significant financial losses.

[19].  There may be other legislative privacy requirements at the provincial or federal level to consider, including the possible application of the Personal Information Protection and Electronic Documents Act, which could apply to the personal information that will be collected, used, disclosed, or disposed of by the contractor in the fulfillment of its obligations under the contract with the government. Government institutions should therefore consult with their legal advisors on this matter.

[20].  Broad investigation powers, including access to the contractor's premises, may be needed to permit investigations by either commissioner (or any compliance review that may be undertaken at the discretion of the Privacy Commissioner) for information deemed to be under the control of the government but in the physical possession of a contractor.

[21].  According to the Canadian and International Industrial Security Directorate (CIISD) at Public Works and Government Services Canada (PWGSC), "Contractors shall not award a CLASSIFIED / PROTECTED subcontract to organizations located outside Canada without the PRIOR written approval of CIISD'S (PWGSC) contracting authority. The security status of foreign organizations must be verified through CIISD before entering into any commercial commitments. In addition, any transfer of CLASSIFIED / PROTECTED information to a foreign country must be channeled through CIISD.


Page details

Date modified: