From a policy perspective, the term “privacy” means more than just ensuring security and maintaining confidentiality of personal information by protecting against misuse or wrongful disclosure. Privacy also relates to the trust relationship that is built between individuals who provide personal information and those who collect it. It means providing individuals with a comfort level with respect to government handling of their personal information.
Privacy considerations are particularly relevant when considering contracts that may involve transferring personal information and data across borders. In such instances, the personal information is subject to foreign laws and thus potentially accessible.
The steps outlined in the next section are intended to assist program officials and privacy experts, in consultation with their legal counsel, to determine whether to enter into contracts involving the handling of personal information or, in some cases, to revisit the decision to contract if it has been determined beforehand.
As part of good management practices, federal institutions consider the costs and benefits of contracting for a service. All contracting decisions, including those that will involve personal information, take a number of important factors into account, such as the costs of program delivery and level of service, before entering into the contract.
The first step in the process is to identify any privacy risks. More information on this initial phase and other critical steps is provided in Step 1.0 and in Appendix A.
To identify all of the appropriate privacy and access to information measures government officials should take into account during the framing of a contract that involves personal or sensitive information, refer to Appendix B, “Privacy Protection Checklist.” The checklist is a practical tool that guides the project authority through a series of privacy and access‑to‑information questions that ensure appropriate control, collection, use, disclosure, subcontracting, and other key factors in designing a contract.
The make‑or‑buy decision is based upon privacy, security, and other key business case considerations, such as quality and speed of service, the feasibility of carrying out the program or service in-house, the need for specialized expertise, trade obligations, and costs.
Making the procurement decision involves a multi-faceted analysis and should involve consultations with contracting, privacy, and other relevant officials within the government institution. Even when highly sensitive personal information is involved, appropriate privacy mitigation strategies, such as contract clauses, can be implemented so that the level of overall risk is reduced before contracting is initiated.
This guidance document is intended to promote a balanced approach and forms the basis of a well-informed decision on whether or not to contract out.
If a decision is made to proceed with a contract, Step 4.0 contains suggested wording for contract clauses that should be built into the contractual agreement to enhance privacy protection and reduce risks.