Treasury Board of Canada Secretariat
Symbol of the Government of Canada
Skip to content |

Common menu bar links

Home

Institutional links



Guidance Document: Taking Privacy into Account Before Making Contracting Decisions



5. Steps to follow

Steps 1 to 2, Pre-contract

Step 1.0: Contracts involving personal information

Once it is determined that personal information (as defined in the Privacy Act) about identifiable individuals will be involved in the program or service, and that a contract is being considered as an option, the institution's analysis should include the following:

1.1 compliance with the Privacy Act and Treasury Board privacy policies;

1.2 an invasion‑of‑privacy test; and

1.3 a Privacy Impact Assessment (PIA) or a Preliminary PIA (PPIA), if not already completed.

1.1 The Privacy Act and Treasury Board Privacy policies

When federal government functions or services are performed under contract by third parties, care must be taken to ensure that the government continues to fulfil its privacy obligations. The personal information must be managed so that the government institution conforms to the fair information practices embodied in sections 4 through 8 of the Privacy Act, the Privacy Regulations, the Treasury Board policy on Privacy and Data Protection and its Privacy Impact Assessment Policy. In particular, the institution must have the authority to collect the personal information that will be involved in the contract and the information must, in accordance with section 4 of the Act, relate "directly to an operating program or activity of the institution."

1.2 Invasion-of-privacy test

The invasion‑of‑privacy test was first developed for the Treasury Board manual, which contains guidelines for the policy on Privacy and Data Protection. The test suggests that institutions consider three interrelated risk factors:

  • the sensitivity of the personal information, including whether the information is detailed or highly personal (e.g., health information), and the context in which the information was collected;
  • the expectations of the individuals to whom the personal information relates (including the assurance that their information will be shared only on a need-to-know basis); and
  • the potential injury if personal information is wrongfully disclosed or misused, including the potential for identity theft or access by foreign governments.

The above privacy considerations will assist institutions in identifying potential risks with respect to the proposed program delivery instrument that should be mitigated as part of the contracting process. For additional guidance on this matter, please refer to Appendix A, "Invasion‑of‑privacy Test."

1.3 Privacy Impact Assessment Policy

Institutions subject to the Privacy Act are also subject to the Privacy Impact Assessment (PIA) Policy: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12450.

Under the PIA Policy, institutions are required to consider conducting a PIA when any new program or service involves the collection, use, or disclosure of personal information or when any significant change is made to an existing program or service. This would include the contracting of a program or service to the private sector. The deputy head of the institution is responsible for determining whether initiatives warrant the conduct of PIAs. In some instances, where institutions do not yet have detailed information required for a comprehensive assessment or where a change to a program or service (or the contracting thereof) is not considered so significant as to warrant a full PIA, it may be appropriate to conduct a preliminary PIA.

Step 2.0: Assess privacy risks against other considerations

Depending on the circumstances at the institution, there are a number of other factors that could be taken into account at this stage. The privacy risks identified and assessed in Step 1.0—in particular, the sensitivity of the information and the amount of control that the service provider has over the information—will need to be weighed against the following factors before reaching a final decision.

2.1 Laws of foreign jurisdictions

As part of doing business in circumstances that may allow the application of laws of foreign jurisdictions (e.g. subcontracts, change of ownership), institutions should give consideration to whether contracts or operations under contracts can be negatively affected by the foreign jurisdiction's economy, political reality, laws, or legal system. In some instances, these differences in a foreign environment may give rise to questions with respect to possible privacy risks.

Foreign search and seizure laws, for example, may require companies that are based within their jurisdiction, or that have ties to companies within their jurisdiction, to disclose information that is either under their control or to which they can obtain access, including information held under a contract or arrangement. The following scenarios provide examples of how such laws could potentially apply if Canada enters into a contract with a company:

Scenario A: Contract with a company operating in Canada and not in any foreign country

A company operating only in Canada that maintains personal information only in Canada is subject to Canadian legislation. There is an indirect risk of access if, under the terms of the contract, the Canadian company (the contractor) has the authority to subcontract and thus may subcontract with companies that are based in a foreign country or have links to foreign commercial organizations.

Scenario B: Contract with a company operating both in Canada and in a foreign country

An order pursuant to a foreign law could indirectly apply. A foreign-based company could be required to disclose personal information to which it has access or can obtain access, including information held by its Canadian affiliate under contract. Depending on the nature of the foreign legislation and the ease of access to the records by the foreign-based company, the Canadian affiliate may not be made aware of an order to produce information.

Scenario C: Contract with a company operating in a foreign country

Commercial organizations operating in a foreign country that hold personal information about Canadians in that country must comply with the laws of the foreign country. A foreign-based company could be required to produce personal information to which it has access or can obtain access as a result of a contract or arrangement with a Government of Canada institution.

The above examples could apply to any foreign jurisdiction with laws that can compel the production of information from companies operating within their borders. Note that it would be much more difficult for most foreign governments to target specific personal information that may be held by a company under the terms of a contract with the Canadian government than it would be to request information through an existing bilateral agreement. In considering the possible use of the USA PATRIOT Act by U.S. law enforcement to get information about Canadians, the Privacy Commissioner of Canada stated the following:

. . . US government agencies can rely on other established procedures to obtain information about Canadians that is held by government or the private sector in Canada. Longstanding information sharing agreements between security and law enforcement agencies in both countries, and the mutual legal assistance process, are the most likely vehicles for obtaining access to information held in Canada.

It should be noted that the Personal Information Protection and Electronic Documents Act (PIPEDA) or substantially similar provincial laws (in place only in British Columbia, Alberta, and Quebec) regulate the privacy practices of commercial organizations operating in Canada. None prevents contracting involving personal information, but they do require that
Canadian-based contractors include privacy-protective clauses in any subcontracts.

2.2 Analysis of possible application of international trade agreements

Before deciding whether or not to contract out for the handling of personal information, institutions should determine whether international trade agreements apply to the proposed procurement (Appendix C provides a brief overview of some key trade agreements). If such agreements apply to the procurement, the Government of Canada must ensure that its trade obligations are met and that requests for proposals are consistent with these obligations.

In practical terms this may mean that, in some cases, government institutions would not be able to require that information be retained in Canada.The applicability of trade agreements is therefore an important determination and may be influential in decisions to initiate a particular procurement approach or to examine alternatives. 

Government officials should consult with legal advisors to determine whether international trade agreements are applicable.

Steps 3 to 5, Contracting

Step 3.0: Building privacy into contracts

If the decision is to proceed with a contract, institutions should ensure adequate privacy protection is included in contract documents, as outlined in Steps 3.0 and 4.0. Government institutions can employ a variety of tools in the procurement process to ensure that any resulting contract will include adequate privacy protection. The evaluation criteria, the SOW, as well as other provisions of the RFP are among the most effective vehicles for ensuring upfront protection of personal information. The initial design and drafting of such procurement documents should establish overall privacy protection strategies and should produce the key provisions for ensuring appropriate privacy protection through contracts. All effective contracting solutions must take implementation costs into consideration.

3.1 Request for proposals / statement of work

One of the most fundamental risk considerations when establishing contracts that involve the handling of personal information is to ensure that the information will be collected, used, retained, and disclosed only for the purposes specified in the contract and that it will be accessible only to authorized individuals (on a need-to-know basis) for those purposes. Depending on the arrangement, this may require additional contractual safeguards, especially where the information is being accessed or held by a foreign-based contractor or a contractor with ties to a foreign jurisdiction.

Privacy risks must be considered at this early stage of the procurement process. It is imperative that all potential bidders or contractors are aware of any specific requirements associated with the performance of the contract at the RFP stage since such requirements will affect costs. The decision to include specific provisions in the RFP or SOW should be based on overall risk considerations, including potential privacy impacts and the need for contract clauses that mitigate risks. 

Any restrictions related to the access, use, and storage of personal information must be reflected in the procurement documents, including the RFP or the SOW. 

At the RFP or SOW stage

Based on the results of the invasion-of-privacy test and other risk factors, if it is determined that the risk level is relatively high, institutions may consider the following:

  • In cases where international trade agreements do not apply, is there a requirement that the work must be conducted and data retained in Canada or Government of Canada facilities (e.g. foreign embassies, military facilities abroad)?
  • Is there a requirement for the contractor to segregate the government information or database from other information?
  • Is there a requirement for the provision of an information management and security plan by the contractor (i.e. documentation that details exactly how the information will be treated over its life cycle and how its security will be ensured)?
  • Is there a requirement to obtain assurances that the bidder can meet the requirements of the contract or demonstrate certain qualifications or certification before the RFP process (i.e. are bidders pre‑qualified based on their ability to manage personal information)?
  • Will the contractor be required to provide or make use of specific systems, equipment, or records with respect to the privacy and security of the government information?
  • What will be available to the contractor (e.g. facilities, systems, records, databases)?
  • Will the contractor be required to provide and maintain a list of personnel who will be authorized to access the government information or databases under the contract?
  • Will the Government of Canada have control of the information, and will the responsibilities for the handling (i.e. collection, use, storage, disposal, and disclosure) of the information be stipulated?
  • Will the contractor be required to maintain audit trails and report on all access to and disclosures of the government information or databases?
  • Will there be a need to demonstrate proof of government-authorized destruction?

Note: All contracts for services have an SOW or a description of requirements, which clearly describes the work to be carried out, the objectives to be attained, and the time frame. The SOW will be part of the RFP and the contract.

Where privacy risks are considered high, government institutions may wish to specifically evaluate the bidders' privacy protection strategies. If bidders will be required to produce a privacy management plan as part of the contract, government institutions may request that such plans be included in response to the RFP as part of the bidder's submission for evaluation during the procurement process. The federal institution could then assess such plans and give them appropriate weight in the evaluation criteria.

Step 4.0: Specific considerations for RFPs and contracts involving personal information

Important note:The Standard Acquisition Clauses and Conditions Manual (SACC), published by PWGSC, may provide adequate protection in many cases where contractual arrangements involving personal information are being made. It is therefore imperative that government officials consult their legal services and privacy officials regarding the application of additional or revised contractual language on a case-by-case basis.

The following are some considerations related to the protection of personal information that will be useful in mitigating the risk of possible unauthorized disclosure to foreign governments and in ensuring appropriate care and monitoring of contracts involving personal information. In some cases, these considerations for suggested clauses may already be requirements under other contracting and security  policies, directives, and guidelines that currently apply to most institutions subject to the Privacy Act. The intent of including the suggestions below is not to limit the requirements for privacy clauses but to point out that the following matters are of particular significance and should be considered in RFPs and contract clauses.

4.1 Establish control

It is important that the nature of the relationship between government institutions and contractors and their respective roles and obligations be clearly specified in contractual arrangements. A government institution cannot collect personal information unless it is directly related to an operating program or activity of the institution. 

The institution must examine the scope of its legal authority for a program or activity. Once the authority is established, contracts for the management of government programs and services should include provisions to ensure that the government institution maintains control over personal information or other records that are transferred to the contractor and, where appropriate, over information collected, created, obtained, or maintained by the contractor in fulfillment of the contract. Establishing control is necessary to enable the contracting institution to comply with its statutory obligations under the Privacy Act and the Access to Information Act. This is of particular importance when highly sensitive information is to be stored or processed in a foreign country by a foreign-based company, subsidiary, or third party, such as a subcontractor or agent. Government institutions can establish control by defining the institution's proprietary rights to the information in the contract, including the institution's right to obtain the records upon request. 

In addition, the government has a duty to include other specific privacy protection provisions in the contractual agreement to ensure that the contracting out of government programs and services does not result in a reduction of privacy protection. There may be instances where federal institutions subject to the Privacy Act enter into contractual agreements with organizations in the private sector that are subject to other legislative privacy requirements at the provincial or federal level, such as PIPEDA. Federal institutions faced with this kind of scenario should, in consultation with their institution's legal and privacy officials, conduct a thorough legislative and policy analysis of the requirements of both laws and develop contractual clauses in keeping with the more stringent privacy principles or standards of the two laws.

4.2 Confidentiality use for purposes related to the contract

Institutions should ensure that provisions are in place to limit access (including unauthorized access) to, or the ability to obtain the sensitive personal information for purposes not related to the contract, including any disclosure or access by a foreign-based parent company, other affiliates, or third parties, such as subcontractors or agents that are not directly named in the primary contract or arrangement. In cases where sensitive personal information is being accessed, government institutions should either include a requirement for the contractor to specifically identify and designate all contractor employees who will have access to the personal or proprietary data, or identify positions of employees who will have access. This would assist in revealing any incidents of unauthorized access, especially where audit trails are used.

4.3 Audits required or permitted (including verification of tracing and audit trails)

In addition to standard audit provisions, when sensitive personal information is being accessed, institutions should consider a requirement to stipulate that the supplier or service provider maintain specific information to enable the conduct of informational audits. Audits of security and privacy, for example, will require maintenance on the part of the contractor of some form of audit trail (electronic or paper form) to demonstrate that those who accessed information had the proper authority to do so.

4.4 Segregation of information

The contracting authority should consider including provisions to ensure that mechanisms are in place requiring that all sensitive personal information disclosed to a contractor by the Government of Canada, or collected or created pursuant to a contract or arrangement with the Government of Canada, is separated or segregated from other records or company data holdings. Institutions should qualify the nature of the segregation, which may include the physical separation of data (e.g. data held on a magnetic tape), the logical separation of data (e.g. record or user ID), or a combination of both physical and logical separation.

Note: References to segregation of information in the contract must be consistent with the terms established in the RFP and SOW, as well as the PWGSC SACC manual.

4.5 Conditions for disclosures unrelated to the contract 

The government institution should consider placing specific requirements for the contractor to account for and obtain prior approval of all disclosures of sensitive personal information unrelated to the contract (see 4.2, "Confidentiality use for purposes related to the contract").

4.6 Inspection

Where a government institution establishes control (see 4.1, "Establishing control"), it may also wish to put in place broad powers to inspect the contractor's premises when sensitive personal information is involved. Past contracts related to records disposition have highlighted the importance of inspecting facilities and the actual work that is being conducted under contract. It is important that government institutions verify (not necessarily through audit) that the work is being conducted in the manner specified in the SOW and respects the conditions outlined in the RFP. If, for example, the RFP and SOW have particular requirements (technical or other), institutions may wish to allow Canada the right to inspect the work to ensure that the service provider is conducting the work in accordance with the specifications outlined in the RFP, the SOW, and the contract. 

4.7 Notification of breach

Given the government's obligations to protect personal information under its control, the responsibility to ensure confidentiality and the accountability for breaches should be extended to any contractor that is handling personal information on behalf of an institution. If a contractor is deemed to be at fault for a breach of confidentiality, the contractor should be prepared to accept the responsibility for a wrongful disclosure of personal information, the costs associated with the appropriate notification of the individuals whose information has been disclosed, and the possibility of termination of the contract. Institutions should specify that, immediately after the contractor becomes aware of a breach of confidentiality, the contractor must notify the government institution forthwith that the breach has occurred.

4.8 Notice of subcontractor and subcontractor obligations

Where appropriate, the government institution should carefully consider whether the contractor should be allowed to subcontract any services under the contract. If subcontracting is allowed, the contractor should be required to ensure that any subcontracting arrangement requires the subcontractor to comply with the privacy provisions of the contract between the contractor and the federal institution. The government institution may also wish to consider, on a case‑by‑case basis, where appropriate, whether the contractor must receive the institution's written approval of subcontract provisions before the subcontract is signed.

Step 5.0: Evaluation criteria and sample RFP and contractual language

The comprehensive assessment of federal contracts, initiated by the Treasury Board of Canada Secretariat, revealed that most of the contracts identified by institutions as having potential privacy risks involved data processing and management. To assist such institutions, the following examples of RFP clauses relate specifically to database development, location, and data processing and are intended to be applied only in circumstances where the privacy risk is assessed at a very high level.

Definition:A database is an organized collection of data that can be accessed quickly. Databases consist of fields, records, and tables. A field is a single piece of information (e.g. a telephone number); a record is a collection of fields (e.g. name, age, telephone number); and a table is a collection of records. To access information from a database, a database management system (DBMS) is needed. A DBMS is a collection of programs that enables the user to enter, organize, and select data in the database.

Database creation is the establishment of the structure of the database but not its data content. One must first create a database, then populate the database and, finally, process the data that is in the database.

Important note: In situations where the personal information is considered to be of a highly sensitive nature, the following sample clauses may be used, where appropriate, to address the risk of potential disclosure to foreign governments. Use of these clauses should be limited to situations where, in consultation with legal services and privacy officials, and based on the invasion of privacy test, it is determined that there is a high level of privacy risk (e.g. health information, income or financial information). Before implementing the clauses indicated below, institutions must consult their legal services and privacy officials. Government officials must also consult legal services before modifying or adapting such clauses to suit specific needs of a given contract or with respect to other program delivery instruments. Where institutions are subject to the requirements of the GSP, the departmental security officer can provide advice on security procedures required by the GSP.

The sample clauses identified below would need to appear in both the RFP and the contractual agreement.

Sample clauses for an RFP and contractual agreement

Canada has an obligation to ensure that Canadian statutes, regulations, and policies on privacy protection are respected. Where applicable, federal institutions must ensure that personal information is protected in accordance with the Privacy Act, R.S. 1985, c. P-21, the Personal Information Protection and Electronic Documents Act,2000, c. 5, and federal privacy policies. Therefore, for the purposes of this requirement, where personal information will be involved in the contract, Canada requests the following from the Contractor:

Database and data processing

Where international trade obligations do not apply:

Where international trade obligations do apply:
Database creation

1. The database must be located and only accessible in Canada.

1. The database must be located and only accessible in jurisdictions the laws of which do not override, conflict with, or impede the application of the Privacy Act, R.S. 1985,
c. P-21, the Personal Information Protection and Electronic Documents Act, 2000, c. 5, and Treasury Board privacy policies either expressly or through subsequent application.

2. The database must be physically independent from all other databases, directly or indirectly, that are located outside Canada.

2. The database must be physically independent from all other databases, directly or indirectly, that are located in jurisdictions whose laws override, conflict with, or impede the application of the Privacy Act, R.S. 1985,
c. P-21, the Personal Information Protection and Electronic Documents Act, 2000, c. 5, and Treasury Board privacy policies either expressly or through subsequent application.
Data processing

1. All aspects of data processing must be conducted and only accessible in Canada.

1. All aspects of data processing must be conducted and only accessible in jurisdictions whose laws do not override, conflict with, or impede the application of the Privacy Act,
R.S. 1985, c. P-21, the Personal Information Protection and Electronic Documents Act,2000, c. 5, and Treasury Board privacy policies either expressly or through subsequent application.

Certification from the Bidder stating the following:

The Bidder hereby certifies that it has reviewed the requirements of this RFP, the resulting contract clauses and, in particular, the requirements concerning the protection of personal information. The Bidder also certifies that it will comply with those terms and ensure that personal information that is managed, accessed, collected, used, disclosed, retained, received, created, or disposed of in order to fulfil the requirements of the Contract shall be treated in accordance with the Privacy Act R.S. 1985, c. P-21, the Personal Information Protection and Electronic Documents Act, 2000, c. 5, and Treasury Board privacy policies.

This certification shall be true and correct throughout the term of the resulting contract with the same force and effect as if continuously made throughout the term of the resulting contract.

Furthermore, the Bidder acknowledges that the Minister shall rely on this certification to award the contract. Should the Bidder fail to comply with this certification or in the event that verification or inspection by the Minister discloses a misrepresentation on the part of the Bidder, the Minister shall have the right to treat any contract resulting from this bid as being in default and to terminate it pursuant to the default provisions of the contract.

Note: It may be appropriate for government institutions, in certain circumstances where the privacy risk is determined to be high, to make the Contractor's access to the personal information conditional upon the certification remaining true. This way, as soon as a contractor is presented with an order that compels the production of personal information, the certification would no longer be valid and any subsequent access or disclosure of the personal information would constitute a breach of the contract and, in some cases, a breach of Canadian law related to security of information and privacy.

Contacts for more information

Questions regarding the application of the Treasury Board policy on Privacy and Data Protection and the Contracting Policy should be directed to the appropriate responsibility centre within institutions.

Should you have any questions related to the guidance provided in this document, please do not hesitate to contact the Information and Privacy Policy Division, Chief Information Officer Branch, Treasury Board of Canada Secretariat, at ippd-dpiprp@tbs-sct.gc.ca or by telephone at (613) 946-4945.

References

Policy on Privacy and Data Protection
http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_128/siglist-eng.asp

Privacy Impact Assessment Policy
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12450

Contracting Policy
http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/Contracting/contractingpol-eng.asp

Government Security Policy
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12322

Risk Management Policy
http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/RiskManagement/riskmanagpol-eng.asp

Integrated Risk Management Framework
http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/RiskManagement/rmf-cgr-eng.asp

Standard Acquisition Clauses and Conditions (SACC) Manual
http://sacc.pwgsc.gc.ca/sacc/contents-e.jsp

Industrial Security Manual
http://www.ciisd.gc.ca/text/ISM/ch1-e.asp

 




Date Modified: 2006-03-28

Top of Page
Important Notices