Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows
Archived information is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
3. The Federal Strategy
The federal government has had effective privacy management practices in place for many years. Most large federal institutions that routinely collect personal information about Canadians keep this information on-site only. For example, Statistics Canada only keeps personal information on its government premises, and the Canada Revenue Agency stores and backs up all Canadian taxpayer information on-site only.
The USA PATRIOT Act, however, drew attention to the fact that best practices should be more uniform throughout government. It also drew attention to the need for additional measures that would build upon and complement existing safeguards. The federal government's action plan in response to Canadians' concerns about the USA PATRIOT Act followed this approach:
- Awareness: The Secretariat made all 160 federal institutions aware of the latest issues surrounding the USA PATRIOT Act and transborder data flows that involved personal and other sensitive information.
- Risk identification and mitigation: The Secretariat asked each institution to conduct a review of its contracts to identify any potential risks related to the USA PATRIOT Act, assess the level of those risks, and outline corrective actions to address them.
Guidance on privacy in contracting:
- Federal institutions with identified risks were required to implement corrective action.
- To assist institutions, the Secretariat developed a guidance document to be used prior to entering into future contracts. The document includes a privacy checklist for contracts and advice on developing appropriate protective contract clauses.
- To share information and best practices, the Government of Canada has been in communication with, and has consulted, a wide range of parties, including its own experts, the Office of the Privacy Commissioner of Canada, and provincial governments.
- The federal government has also notified U.S. government officials of concerns in Canada related to the USA PATRIOT Act and promoted the use of existing arrangements between national security agencies and law enforcement agencies in the protection of personal and sensitive information.
- Ongoing follow up: The government will monitor potential privacy risks and follow up with additional measures, as required. These will include additional policy guidelines, the scheduled review of PIPEDA, expanded privacy training and awareness and the introduction of a privacy management framework that will outline a privacy governance and accountability structure.
Each component of the federal strategy is examined below in detail, beginning with the review of federal government contracting.
Federal contract review
A major component of the federal government's strategy was a review of contracts. In October 2004, the Secretariat asked all 160 institutions subject to the federal Privacy Act to conduct an assessment of their contracting activities and to report on the results.
The review was no small task. The federal government has a large number of contracts and information-sharing agreements in place. For example, Human Resources and Skills Development Canada and Social Development Canada have more than 40,000 Grants and Contribution agreements in place. Foreign Affairs Canada and International Trade Canada have more than 8,000 contractual agreements.
The main objective of the review was to determine if information that is being stored by private companies or is accessible under the terms of a contract was susceptible to disclosure, specifically under the USA PATRIOT Act. Institutions were asked to see if any of the companies hired to provide services were based in the U.S. or had affiliations in the U.S. that might allow personal information to be accessible under the U.S. legislation.
The review also involved looking at the nature of contracts to determine if there were sufficient clauses to protect personal information or other sensitive information and, if not, to identify potential weaknesses and produce a plan of corrective action to mitigate any risks.
The review focussed on the USA PATRIOT Act because it allowed institutions to more quickly identify any weaknesses and thus raise a flag about whether the institution's contracting might also be vulnerable to any other foreign laws that allow access to personal or other sensitive information. While the emphasis was on information that could be accessed through the USA PATRIOT Act, the results would also be an indicator in relation to transborder data flows in general.
Since the review was to be a large undertaking, an interdepartmental committee was formed.
The committee was led by the Secretariat and consisted of 14 key institutions. Each institution had a role in providing advice to the other committee member institutions and in assisting the overall review process.
The review was conducted in two phases. A preliminary phase was quickly carried out first among 17 federal institutions to identify any major weaknesses among the largest programs. None was found. A more comprehensive review was then carried out by all 160 institutions.
Federal institutions were asked to rate the status of their contracting agreements according to categories ranging from “no risk” and “low risk” to “medium risk” and “high risk.” The higher the risk, the more vulnerable the contracting could be under the USA PATRIOT Act and potentially other foreign laws that could be applied to obtain personal information about Canadians or other sensitive information.
The identification of risks did not mean that a problem actually existed; rather, it meant that there could be a potential problem in the future.
No to low risk: In these cases, information is gathered, maintained, and processed entirely by the Government of Canada without the use of any outside contractor (no risk) or, alternatively, a Canadian contractor is involved with operations only within Canada (low risk).
Low to medium risk: Information is located or maintained off-site by a Canadian company located in Canada but is also accessible by a foreign subcontractor, parent company, or affiliate. In these cases, laws from several different countries may apply.
Medium to high risk: The risk is considered to be “medium to high” when information is maintained and processed by a foreign-based company operating in a foreign jurisdiction. In these cases, there is a higher risk because such companies are more accountable to laws in their country than to laws in Canada.
The vast majority of contracting by the federal government is done inside Canada and therefore has a lower risk factor in relation to the possible application of the USA PATRIOT Act.
Of the responses from the 160 federal institutions, 83 per cent had their contracts classified under the “no to low risk” category. Contracts identified at 77 institutions were classified as “no risk” and at 57 institutions, some contracts were identified in the “low risk” category.
There were 19 institutions that informed the Secretariat that some of their contracts were classified in the “low to medium risk” category.
Only 7 institutions, in describing their contracting activities, identified a number of their contracts as having potential risks that could be classified in the “medium to high risk” category.
It should be noted that if an institution indicated that it had one contract that the Secretariat classified in the range of “medium to high risk,” the institution's final rating was consequently identified as “medium to high risk.”
To see a table of the complete review results to date, please refer to Appendix A.
No to low risk contracts
There are many examples of contracting that represent either no risk or a risk that is low. In certain cases, this is because the federal institution is operating under strict practices and procedures that provide a high standard of data protection. This is the case with Statistics Canada, which is governed by the Statistics Act.
Case study: Statistics Canada
The Statistics Act requires that only Statistics Canada employees who have taken an oath of secrecy and who have been security cleared can have access to confidential information. Access to confidential information is on a need-to-know basis.
The protection of confidentiality is Statistics Canada's highest priority. Data classified as confidential under the Statistics Act never leave Statistics Canada premises and are never out of the control of the Agency. Furthermore, all confidential statistical information is stored on an “electronic island” (i.e. none of the systems or networks that contain confidential data have external connections) thus making it impossible for data to be transmitted outside the Agency.
No hacker can get access to these secure data.
Statistics Canada has contracts with U.S. firms including those that are Canadian subsidiaries of U.S. companies. These contracts are for the delivery, development, and maintenance of software and hardware and provide no opportunity of access to confidential information. In fact, all possible precautions have been taken in this respect: for example, all contractors are themselves subject to the penalties under the Statistics Act, and they are never allowed onto Statistics Canada premises without being accompanied by regular employees of Statistics Canada. Even if a request were ever to be made by a U.S. authority to any contractor, it would therefore be physically impossible for them to provide any data given that they are never in possession of confidential information.
As a further measure, prior to the 2006 Census, Statistics Canada will conduct three independent security verifications of all census systems in order to validate the protection of confidential census information.
Statistics Canada is an example of a federal government institution where there is no contracting out of personal information that relates to the general public.
Case study: the Secretariat
The review determined that the majority of the contracting carried out for the federal government that involves personal information is for programs and services for federal employees. For example, the Secretariat oversees contracts related to insurance and health plans for federal employees.
The Public Service Management Insurance Plan is currently with The National Life Assurance Company of Canada, which has no offices in the U.S. As such, there is “no risk” of application of foreign legislation for this contract. The situation is similar for contracts related to the administration of the Public Service Dental Care Plan and The Pensioners' Dental Services Plan.
The Public Service Health Care Plan and the Public Service Disability Insurance Plan are under contract with Sun Life Assurance Company of Canada, which uses the services of another contractor, World Access Canada, for out-of-country and comprehensive claims. World Access Canada has a U.S. counterpart, but the arrangement calls for the U.S. office to be allowed temporary access to database information only in the event of a disaster in the Canadian office to ensure continuity of service to current and former public service employees.
The use of a U.S.-based office as an emergency back-up only is an example that several institutions identified as “low risk” for contracting agreements.
Personal information considered most at risk
Of the seven institutions that reported some specific contracts that could be classified as having potential medium to high risk in relation to the possible application of the USA PATRIOT Act, the majority of them identified their vulnerabilities in terms of contracts related to the processing of employee data such as payroll, pension, personnel security, travel, insurance, and career transition information.
Other vulnerabilities identified by these institutions are related to contracts that involve the following:
- the construction of mission offices, staff quarters and residences for missions abroad (including building plans, specifications, drawings, and security systems);
- the disposal of immigration and consular records;
- the processing of client information for institutions that frequently carry out transactions across the border; and
- the processing of personal or commercial information about Canadians for the purpose of administering and enforcing the Competition Act.
For several of these contracts, institutions reported that they are working to minimize risks. Moreover, concerns will be addressed when the contracts come up for renewal; some contracts or arrangements will not be renewed, and future contracts will include adequate clauses to ensure maximum security and privacy safeguards.
Risk management strategies and best practices
As part of the review process, federal institutions were asked to report on their risk management strategies, no matter how they classified their contracts.
Each federal institution is accountable for its own contracts and personal information under its control. Since each institution carries out different functions, strategies are customized to the business and client needs of the institution.
The review revealed that many strategies and best practices that were already in place are well suited to deal with some of the challenges related to today's transborder data flows.
Most federal institutions have been using privacy and security clauses in contracting agreements to provide a variety of protective measures. Some of the more effective best practices include the following:
- the segregation of personal information being handled under the contract from other records held by the contractor;
- audit trails to closely monitor how information is being handled;
- the limiting of right-to-access based upon specific user profiles;
- approval by the government of any subcontracting;
- the return or approved destruction of all records at the end of a contract;
- the signing of non-disclosure agreements; and
- the use of encryption technology allowing only government officials to view the decrypted data.
Some institutions that process particularly sensitive information ensure that the information is never removed from a federal government site.
In addition, a number of institutions that have information technology contracts limit the contractor's access to data so they can only undertake testing or maintenance.
In addition to the current practices in place, many institutions reported that they would implement additional mitigating measures to protect privacy as a result of the review findings.
Some indicated they would revise internal policies, practices, systems, training materials, controls, and safeguards to mitigate both existing and future unauthorized disclosure.
These revisions will include the following.
Reviews in advance of and during contracting
- The inclusion of an additional step in the solicitation checklist (used for every service contract) that asks for the review of direct and indirect risks involving personal and proprietary information;
- New internal processes to review all new agreements, including the use of multi-disciplinary teams to review proposed contracting arrangements; and
- The monitoring of all contracts where foreign companies have access to personal or other sensitive information.
- The requirement that part or all of the work be completed within the institution (especially when health information is involved) or within Canada;
- Ensure that personal information or other protected or classified information is shared with third parties only where warranted;
- Consultation with legal services for all future contracts where personal or sensitive information will be exchanged or provided to third parties to consider inclusion of provisions that prevent disclosure under any foreign legislation; and
- The modification of contract forms to allow contract authorities to better assess risk.
- The development of risk management approaches related to business and personal information to mitigate risks associated with foreign legislation, which will in turn be incorporated in the institution's corporate risk management framework;
- The amendment of training plans to increase department-wide awareness of risks; and
- The exploration of technology solutions to protect information flows.
The Secretariat has developed a document that provides policy guidance to assist federal institutions before they decide to become involved in contracting that includes personal or other sensitive information within Canada and across borders.
The document is meant to help institutions in first identifying and assessing potential privacy risks and then, if necessary, in taking appropriate measures. Its objective is to ensure the Government of Canada meets legal and policy obligations to safeguard personal information.
Advice on make-or-buy decisions
The guidance document emphasizes front-end protection of personal information through the use of contractual language and other measures. The idea is to put in place the necessary measures to mitigate privacy risks as much as possible before the contracting process is even initiated.
The document also reminds institutions that government policy requires that a business case be made for contracting, outlining the advantages to Canadians. If a business case is made, privacy implications are considered in consultation with appropriate internal officials—a step that must be completed before any process to acquire an outside supplier.
Other recommendations in the document include the following:
- establishing control, where appropriate, so it is understood that the information is the property of the Government of Canada;
- making contract reviews a mandatory component of each contract in the event of a change in status or ownership of the company;
- stipulating that information be kept confidential and used only for purposes related to the contract or arrangement and that other uses or disclosures are to be approved by the Government of Canada;
- making employees of contracted firms sign written confidentiality agreements;
- specifying that information is to be segregated from other company records and information holdings and shall be delivered to the Government of Canada upon request;
- specifying the involvement and responsibilities of all subcontractors, agents, consultants, and advisors; and
- stipulating that an electronic audit trail is required for information stored in a database in order to easily determine who has access and when.
The guidance document is not meant to be used in isolation from other procurement and policy advice. It also does not advocate a universal approach since the circumstances for each institution and each contracting situation are different and need to be viewed on a case-by-case basis.
Each institution is accountable for its contracting and should therefore consider measures outlined in the document in consultation with its legal and privacy advisors.
Advice on contractual clauses
The guidance document contains advice on developing appropriate clauses that can be used, where appropriate, to address the risk of potential disclosure to foreign governments. These clauses, which should be addressed in the request-for-proposal process for bidders, are especially relevant where there may be a higher level of privacy risk, as in the case of collecting and storing health, income, or personal financial information.
Before such sample clauses are used, changed, or adapted, institutions are told they must consult their legal services and privacy officials to ensure the clauses are properly used and are not in conflict with obligations under existing international agreements.
Range of clauses
The guidance document suggests various clauses that can be built into contracts to ensure enhanced privacy protection.
Canadian control: Federal institutions should ensure that the Government of Canada maintains control over the information and can request the information at any time from the contractor.
Site inspections: Contracts can allow the government institution to inspect the contractor's premises.
Permission needed: Suppliers can be obligated to always ask for approval to disclose information.
Limited access: Access to information can be limited. For example, a contract should include a clause that states the information cannot be accessed for purposes not related to the contract, including any disclosure or access by a foreign-based parent company, other affiliates, or third parties such as subcontractors and agents not directly involved in the contract or arrangement.
Auditing: Especially when personal information or other protected or classified information is being accessed, there should be a requirement to have the supplier keep an audit trail to confirm that those who accessed information had the authority to do so and to allow the government institution to conduct audits.
Notification of breach: When a contractor becomes aware of a breach of confidentiality, he or she should be contractually obligated to notify the government. The terms of the contract should encourage reporting and quick remedial action on the part of the contractor.
The contractor should be required to accept the responsibility of wrongful disclosure and pay costs associated with the appropriate notification of individuals whose information may have been disclosed. The government may also require termination of the contract if there is a breach of confidentiality.
Subcontracting: A contract can stipulate whether any subcontracting is allowed. If so, subcontractors, including those operating outside of Canada, should be accountable to the same privacy restrictions as the contractor. The federal institution can also require that its written approval be obtained before a contractor can use any subcontractors.
To assist institutions in ensuring that adequate privacy protection clauses will be included when contracting out or outsourcing a government program or service-delivery function, the guidance document includes a privacy checklist. The checklist will be made available to all federal institutions on the Secretariat's Web site as a user-friendly electronic tool.
Any single strategy is likely to be insufficient in protecting personal information from disclosure outside Canada.
Federal institutions are therefore using a combination of strategies to prevent disclosure that includes a wide range of tools, such as contractual provisions, auditing, risk assessment, and technology.
In addition to the guidance document, the federal government is engaged in communications and consultations with organizations and individuals to share information, increase awareness about transborder data issues, and receive advice.
PIPEDA: The Privacy Commissioner of Canada is calling on Canadian businesses to continue to respect the privacy rights of Canadians concerning information the private sector possesses on individual Canadians, as legislated under PIPEDA.
Dialogue with the U.S.: Canadian and U.S. officials have discussed issues relating to cross-border information sharing. U.S. officials have been informed of the federal action plan, how Canadians perceive privacy issues and the USA PATRIOT Act, and the federal government's desire to have a continuing dialogue on achieving the right balance between privacy rights and effective law enforcement.
Continued co-operation between Canada and the U.S. will promote uninterrupted trade and other business between the two countries while respecting each country's concerns and needs.
Office of the Privacy Commissioner of Canada and the provinces: The Government of Canada, the Office of the Privacy Commissioner of Canada, and provincial governments are sharing information with each other and with the private sector on best practices to protect the security and privacy of Canadians and the interests of Canadian businesses.