Frequently Asked Questions: USA PATRIOT ACT Comprehensive Assessment Results
- What is the USA PATRIOT Act and why is it considered an issue related to
the privacy and the protection of personal information?
- Why is the protection of personal information a priority?
- How worried should I be that my personal information could be accessed under the USA
PATRIOT Act?
- How is it possible for my personal records to be accessible under the USA PATRIOT
Act?
- If personal information is at greater risk when the information is outside of Canada,
why not avoid using suppliers with connections to other countries?
- Has there been a case where personal information about a Canadian was accessed under
the USA PATRIOT Act?
- Is there other legislation similar to the USA PATRIOT Act?
- When did the government conduct its review of outsourcing contracts, and what were
the results of the review?
- What action has the Government taken to downgrade the "Medium to High" risk departments
and agencies to a lower risk category?
- Were institutions prepared to cope right away with the potential risks identified
in the review?
- Were any additional practices put into place to further mitigate risk?
- Within the federal government, who is responsible for making sure government contracts
address the issue of personal information being accessed by foreign laws?
- What other measures are federal institutions putting into place to mitigate potential
risks?
- Who is responsible for protecting my personal information?
- Are there any laws that the federal government must follow to protect personal information
under its control?
- What about the private sector?
- Is there an organization in Canada looking out for my privacy rights?
- What can I do to protect my personal information?
1. What is the USA PATRIOT Act and why is it considered an issue
related to the privacy and the protection of personal information?
- The USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism Act) was introduced in the United States in October
2001 as an anti-terrorism measure.
- The Act permits U.S. law enforcement officials, for the purpose of an anti-terrorism investigation,
to seek a court order that allows access to the personal records of any person without that person's
- Under the Act, U.S. officials could access information about citizens of other countries, including
Canada, if that information is physically within the United States or accessible electronically.
The potential exists, therefore, for law enforcement agencies to obtain information about Canadians
whose information might be handled under a contract between the federal government and a U.S.-based
2. Why is the protection of personal information a priority?
- Privacy has long been considered a fundamental right in Canada. A number of public opinion surveys
show that Canadians are concerned about the protection of their personal information. The Government
of Canada, recognized internationally as a leader in the creation of privacy laws and policies, shares
that concern and is committed to the protection of Canadians' privacy.
3. How worried should I be that my personal information could be accessed
under the USA PATRIOT Act?
- The chances of this happening are remote.
4. How is it possible for my personal records to be accessible under
the USA PATRIOT Act?
- Today's information technologies, such as the Internet, make it easy for organizations and individuals
to exchange information quickly around the globe. The transfer of information across borders, including
personal and sensitive information, is known as "transborder data flow".
- Transborder data flows are becoming more common as companies and governments take advantage of
- In today's global economy, suppliers can be located anywhere in the world. Even if a domestic supplier
is chosen, it may have offices located in other countries.
- When a supplier is hired to administer personal information and any part of its operations, including
subcontractors, are outside of Canada, then the laws of the other country (or countries) may be applicable
to information stored or accessible electronically in the foreign country. If a company located in
the United States or with U.S. connections is hired, then the USA PATRIOT Act may be applicable.
5. If personal information is at greater risk when the information is
outside of Canada, why not avoid using suppliers with connections to other countries?
- Federal government institutions have risk management strategies in place that examine all aspects
of outsourcing. When highly sensitive information is involved, a priority is placed on keeping such
information in direct control of the government or within Canadian borders.
- Having said this, the use of suppliers between countries has become an essential component of the
world economy. While Canada uses suppliers based in other countries, companies based in Canada are
also used by other nations. This has meant increased prosperity since one in every four jobs is related
to international trade. Canadians also benefit from a global supply of goods and services.
- The Government of Canada is obligated to make certain contracting opportunities available to companies
in other countries under a number of international arrangements including the North American Free
Trade Agreement (NAFTA) and the World Trade Organization. Canadian companies also benefit from
access to contracts in other nations.
6. Has there been a case where personal information about a Canadian
was accessed under the USA PATRIOT Act?
- The federal government is not aware of any such case to date.
7. Is there other legislation similar to the USA PATRIOT Act?
- Since transborder data flow is global, the issue is not restricted to the USA PATRIOT Act.
There are other laws around the world that allow access to personal information in the interest of
fighting terrorism and to thwart other criminal activities. Therefore, the Government of Canada has
taken the view that measures to protect privacy should be broad in scope and not confined to just
the USA PATRIOT Act.
8. When did the government conduct its review of outsourcing contracts,
and what were the results of the review?
- The review was initiated in late 2004 and completed in the summer of 2005.
- TBS asked federal institutions that fall under the Privacy Act to rate the status of their outsourcing
contracts in relation to the potential risk of personal information being accessed under the USA
- Most of the 160 federal institutions – more than 80 percent – rated their contracts
as having no risk at all, or a low risk, because information is either being processed only by the
government itself or by a company operating only in Canada.
- Of the remaining institutions, outsourcing of some contracts was rated "Low to Medium" (19 institutions)
because of a potential supplier connection outside of Canada and "Medium to High" (seven institutions)
because information is being processed outside of Canada.
9. What action has the Government taken to downgrade the "Medium to High" risk
departments and agencies to a lower risk category?
- Only seven out of 160 institutions included in the assessment rated themselves in the "Medium to
High" category. These institutions have already begun taking steps to mitigate potential risks by
taking measures such as using contractual provisions and auditing and segregating databases. Moreover,
the concerns will be addressed further when the contracts come up for renewal.
- TBS has produced a guidance document to assist federal institutions before they make a decision
to engage in outsourcing that involves personal or other sensitive information, whether within Canada
or across borders.
- The Government has asked the seven institutions that identified a medium to high risk to submit
updates on their plans to address these risks and to report on those risks that have been addressed
since submitting their initial assessment.
- In addition, the Government initiated quarterly reporting against the implementation plans of these
- We have also requested quarterly progress reports on the commitments made by some key departments
(such as Industry Canada and the Department of Justice) that play a part in the Government's overall
10. Were institutions prepared to cope right away with the potential
risks identified in the review?
- For the most part, yes. The review revealed that many strategies and best practices were already
in place to meet challenges posed by today's transborder data flows.
- Existing best practices included the segregation of personal information from other records held
by contractors; audit trails to closely monitor how information is being handled; approval by the
government of any subcontracting; the signing of non-disclosure agreements and the use of encryption
technology allowing only government officials to view data.
- Some institutions that process particularly sensitive information ensure that the information is
never removed from a federal government site.
11. Were any additional practices put into place to further mitigate
risk?
- Yes, many institutions reported that they are implementing additional mitigating measures to guard
against existing and future unauthorized disclosure.
- These expanded practices include internal processes to review all new outsourcing agreements and
the monitoring of contracts where foreign companies have access to personal or other sensitive information.
12. Within the federal government, who is responsible for making sure
government contracts address the issue of personal information being accessed by foreign laws?
- The Treasury Board of Canada Secretariat (TBS) is responsible for coordinating the government's
action plan with respect to risks associated with the handling of personal information under contracts. However,
it is the responsibility of each Government of Canada institution to identify and assess risks inherent
to the institution's own outsourcing activities and to develop its own strategies to mitigate or
manage risks. TBS is providing guidance and advice regarding privacy and contracting to assist
13. What other measures are federal institutions putting into place
to mitigate potential risks?
- Institutions are developing risk management approaches to reduce the risks associated with foreign
legislation, which will be incorporated in their overall corporate risk management framework.
- TBS has prepared a guidance document for
federal institutions. The document includes a privacy checklist and up-front advice on considering
privacy prior to initiating contracts. It also includes advice for developing specific privacy protection
clauses that can be used in Requests for Proposals (RFPs) and contracts.
- Public service training programs will include modules to enhance awareness of risks.
- Technology solutions will be explored to protect information flows.
14. Who is responsible for protecting my personal information?
- Protecting personal information is not just the responsibility of the federal government. All levels
of government, private organizations and Canadians themselves share this responsibility.
15. Are there any laws that the federal government must follow to protect
personal information under its control?
- Yes, each federal government institution is accountable under federal laws that apply to the operation
of their programs and services.
- One law affecting most federal institutions is the federal Privacy Act. The Act was introduced
in 1983 to limit the collection, use and disclosure of personal information, and more than 160 federal
institutions must follow the requirements of the Act.
- Ten additional institutions, or Crown corporations, were brought under the jurisdiction of the Privacy
Act by Order in Council on August 31, 2005.
- Other federal laws such as the Income Tax Act, the Statistics Act, the Employment
Insurance Act, the Old Age Security Act and the Canada Pension Plan Act,
add an additional layer of privacy protection.
- The provinces have privacy laws, policies and procedures similar to the federal government relevant
to their particular circumstances.
16. What about the private sector?
- The Personal Information Protection and Electronic Documents Act (PIPEDA) governs
personal information used by private sector companies in most provinces and all territories.
- PIPEDA applies to any organization involved in commercial activity for the collection,
use and disclosure of personal information.
- Under PIPEDA, a person has the right to know why a business wants to collect their personal
- Where provinces have privacy laws that are substantially similar to PIPEDA, the provincial
laws govern provincially regulated private sector operations within their borders.
17. Is there an organization in Canada looking out for my privacy rights?
- The Privacy Commissioner of Canada looks out for the privacy rights of Canadians. The Commissioner
can investigate complaints that are made under the Privacy Act and PIPEDA. The
Commissioner also serves as an advocate for privacy rights, carries out privacy research and publishes
information about privacy best practices.
18. What can I do to protect my personal information?
- You have the right to know and ask why a business or organization is collecting, using or disclosing
your personal information such as your name, age, medical records, marital status and income. You
also have the right to check personal information and correct any inaccuracies.
- If you have a concern about how your personal information is being handled, you can complain to
the Office of the Privacy Commissioner of Canada or a provincial or territorial commissioner (depending
upon the organization whose conduct has raised the concern). For more information about the Office
of the Privacy Commissioner, visit its Web site