The purpose of the Privacy Protection Checklist is to ensure that privacy requirements are taken into consideration during the preliminary planning and implementation stages of the government contracting process.
Notes: In this checklist
“personal information” means information about an identifiable individual that is recorded in any form as established under section 3 of the Privacy Act; and
“record” includes any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine readable record, and any other documentary material, regardless of physical form or characteristics, and any copy thereof, in accordance with section 3 of the Access to Information Act.
| YES | NO | N/A | DESCRIPTION |
|---|---|---|---|
| | | | Determine whether the contractual agreement should specify the following: 1. The types of records or personal information (list them) affected by the contract will remain: |
| | | | 2. the contractor shall designate a senior individual within its organization to be the point of contact for complying with privacy/security obligations; |
| | | | 3. the contractor shall provide the government with an up-to-date list of all employees, subcontractors, or agents engaged in the contract who will have access to the personal information; |
| | | | 4. all employees, contractors of the subcontractors, or agents to whom personal information may be accessible in the performance of the contract shall sign a privacy and confidentiality agreement; |
| | | | 5. the contractor shall be fully and solely responsible for the actions of its employees, subcontractors, and agents who act on its behalf in the performance of their functions under the contract; and |
| | | | 6. the contractor shall advise the government in advance in the event of any change in ownership of all or a part of the contractor’s business. |
| | | | 7. the contractor shall immediately notify the government in the event of any proceedings for bankruptcy or insolvency brought by or against the contractor under applicable bankruptcy or insolvency laws or any notice of creditor’s remedies. |
| | | | Determine whether the contractual agreement should specify the following: 8. the limitations on where the records and the personal information (including back-up tapes and archives) may be processed, stored or maintained by the contractor (refer to the accompanying guidance document for advice and for sample clauses); or |
| | | | 9. that the contractor is prohibited from disclosing and/or transferring any personal information outside the boundaries of Canada, or allowing parties outside Canada to have access to it, without the prior written approval of the government. |
| | | | Collection of personal information. Determine whether the contractual agreement should specify that: 10. the collection of personal information shall be limited to that which is necessary for the contractor to comply with the contract or the exercise of the contractor’s rights under the agreement; |
| | | | 11. the contractor must, unless otherwise directed in writing, collect personal information directly from the individual to whom the information relates; |
| | | | 12. the contractor, at the time of collection of personal information, must notify an individual from whom it collects personal information: |
| | | | 13. the contractor’s employees must effectively identify themselves to the individuals from whom they are collecting personal information and provide individuals with a means to verify that they are actually working on behalf of the government and authorized to collect the information. |
| | | | Accuracy of personal information. 14. Determine whether the contractual agreement should specify that the contractor must make every reasonable effort to ensure the accuracy and completeness of any personal information to be used by the contractor or the government in a decision‑making process that will directly affect the individual to whom the information relates. |
| | | | 15. Determine whether the contractual agreement should specify that, unless otherwise directed in writing, the contractor shall use the personal information only for the purpose of fulfilling its obligations under the contract. |
| | | | Disclosure of personal information. Determine whether the contractual agreement should specify the following: 16. the contractor shall be prohibited from disclosing or transferring any personal information, except as necessary for the purposes of fulfilling its obligations under the agreement or unless otherwise directed to do so in writing; and |
| | | | 17. if the contractor receives any request for disclosure of personal information for a purpose not authorized under the contract, or if it becomes aware that disclosure may be required by law, the contractor shall immediately notify the government about the request or demand for disclosure and must not disclose the information unless otherwise directed to do so in writing. |
| | | | Determine whether the contractual agreement should specify the following: 18. individuals can use an informal process to access records or their personal information directly from the contractor; and |
| | | | 19. the responsibilities of both the government and the contractor in dealing with requests made under the Access to Information Act and the Privacy Act with respect to those records or personal information are to be considered under the control of the government but maintained by the contractor. |
| | | | Correction of personal information. 20. Determine whether the contractual agreement should specify the responsibilities of both the government and the contractor with respect to requests made by individuals under the Privacy Act to correct or annotate personal information maintained by the contractor. |
| | | | Retention of records or personal information. Determine whether the contractual agreement should specify the following: 21. the retention and disposal requirements for records or personal information, including the maximum retention period and the disposal methods to be used; and |
| | | | 22. the conditions governing the disposition of any transitory records that are created or generated by the contractor. |
| | | | Protection of personal information. 23. Determine whether the contractual agreement shall oblige the contractor to ensure that the personal information is protected against such risks as loss or theft, as well as unauthorized access, disclosure, transfer, copying, use, modification, or disposal. |
| | | | Determine whether the contractual agreement should specify the following: 24. that the government and the contractor shall immediately notify each other when complaints are received pursuant to the Access to Information Act and the Privacy Act or other relevant legislation and of the outcome of such complaints; or |
| | | | 25. the right of the Information Commissioner and Privacy Commissioner to access any records or personal information for the purposes of investigations under the Access to Information Act or the Privacy Act. |
| | | | Audit and inspection of records or personal information. Determine whether the contractual agreement should specify the following: 26. that the government may, at any time and upon reasonable notice to the contractor, enter the contractor’s premises to inspect, audit, or require a third party to audit the contractor’s compliance with the privacy, security, and information management requirements under the contract and that the contractor must co-operate with any such audit or inspection; and |
| | | | 27. the requirement of the contractor to maintain specific information to enable the conduct of information audits, i.e. the maintenance of some form of audit trail (electronic or paper form). |
| | | | Determine whether the contractual agreement should specify the following: 28. the contractor shall be obliged to notify the government immediately when it anticipates or becomes aware of an occurrence of breach of privacy or of the security requirements of the contract; and |
| | | | 29. the contractor shall be required to indemnify the government for any liability in connection with any breach of its obligations under the contract. |
| | | | Determine whether the contractual agreement should specify the following: 30. the contractor must not subcontract the performance of any part of the services or functions under the contract without prior written approval; and |
| | | | 31. despite any written approval to subcontract, the contractor remains fully responsible for the performance of services under the contract or subcontract. |
| | | | Termination or expiry of the contract. Determine whether the contractual agreement should specify the following: 32. all personal information and records must be returned to the contracting authority upon completion of the contract; and |
| | | | 33. the obligations of the contractor to protect personal information shall continue even after the completion of the contract. |