represented by the President of the Treasury Board, 2006
Catalogue No. BT22-104/2005E-PDF
This document is available on the Treasury Board of Canada Secretariat
Web site at www.tbs-sct.gc.ca
This document is also available in alternate formats on request.
Table of Contents
Executive Summary
1. Introduction
Role of the Treasury Board of Canada Secretariat
Purposes of the report
2. Background
Today’s information economy
Transborder data flows and contracting
Privacy is a fundamental right in Canada
Public opinion
B.C. and the USA PATRIOT Act
A global issue
Submission from the Privacy Commissioner of Canada
Balancing privacy with other priorities
A shared responsibility
Approach comprises 4 steps
3. The Federal Strategy
Federal contract review
Policy guidance
Other activities
4. Action Plan of the Privacy Commissioner of Canada
5. Building on the Existing Foundation
Laws governing information collected by the federal government
PIPEDA and the private sector
Federal policies
Roles of federal institutions
Federal experience and expertise
6. Follow-up Actions—The Way Ahead
Appendix B: Existing Foundation Details
The Government of Canada takes the issue of privacy very seriously, including concerns about possible privacy risks posed by foreign legislation, such as the USA PATRIOT Act.
Such laws point to the need for current privacy best practices to be applied more uniformly throughout the federal government, and for additional measures to build upon and complement the existing safeguards.
For over a quarter century, Canada has been a world leader in privacy. It has introduced ground breaking legislation and policies designed to respect the personal information of its citizens.
Recent trends and events, however, have raised new concerns about whether the personal information of Canadians is adequately protected by governments and companies when it travels outside of Canada’s borders.
Transborder data flows and contracting
The emergence of new information technologies, such as the Internet, allows information to be transferred quickly and easily across borders. This includes personal information and other sensitive information. The transfer of such information across borders is known as “transborder data flows.”
Transborder data flows are becoming more common as companies and governments take advantage of outsourcing, a practice in which a supplier is hired under contract to manage certain activities, often because the institution lacks the internal resources to carry them out itself or wants to improve efficiency and levels of service. Federal government institutions are among the organizations that contract out or outsource some programs and services.
Information under foreign laws
It is not uncommon for an organization in Canada to outsource the management of personal information about Canadians to a company in the U.S. or elsewhere. Information stored or accessible outside of Canada can be subject not only to Canadian laws but also to the laws of the other country.
One such law is the USA PATRIOT Act. The Act permits U.S. law enforcement officials to seek a court order allowing them to access the personal records of any person for the purpose of an anti-terrorism investigation, without that person’s knowledge. The order is served on the organization that holds the records, not on the individual the records describe.
In theory, this means U.S. officials could access information about Canadians if that information is physically within the U.S., or if it is held in Canada but electronically accessible to a U.S.-based organization.
British Columbia court case sparks national debate
In 2004, a court case in British Columbia (B.C.) sparked a national debate on the potential impact of the USA PATRIOT Act on the privacy of Canadians.
The British Columbia Government and Service Employees’ Union sought an order to stop the provincial government from hiring the Canadian affiliate of a U.S. company to administer the province’s medical records, claiming that the contract would make the records vulnerable under the USA PATRIOT Act.
The union lost the court case and is appealing. The province, meanwhile, proceeded with the contract with the affiliate of the U.S. firm but added new privacy measures.
In addition to the court case, the Information and Privacy Commissioner for B.C. conducted a review. The Commissioner for B.C. concluded that the issue was larger than the USA PATRIOT Act, that transborder data flows could make Canadians’ information accessible under other foreign laws, and that the matter should be addressed by both the public and private sectors.
The Privacy Commissioner of Canada agreed with the results of the B.C. review, and together with the B.C. Commissioner, called for actions to be taken by the federal government to enhance protection of Canadians’ personal information that can flow across borders.
The federal government’s strategy
The Government of Canada responded to the USA PATRIOT Act concerns and other transborder data issues with a federal strategy. It is confident that the right to privacy can be respected, and personal and sensitive information held by federal institutions protected, while these programs and services continue to be delivered.
The strategy was created with the following factors in mind.
Shared responsibility: The federal government is not alone. Other governments, the private sector, and Canadians themselves all have a role to play in the protection of privacy.
Balanced approach: Privacy needs to be weighed against other important considerations, namely: the need to ensure that contracting both protects privacy and results in improved service to Canadians; international trade agreements, which require fair and equitable treatment of foreign companies and play a major role in the health of Canada’s economy; and the need to protect public safety and national security.
Build on existing measures: The latest measures are an extension of privacy safeguards put into place long before the USA PATRIOT Act was enacted. They complement previous statutes such as the Privacy Act, enacted in 1983 to impose obligations on federal government institutions to respect the privacy rights of Canadians. The Personal Information Protection and Electronic Documents Act (PIPEDA), which took full effect in January 2004, protects personal information held by the private sector. In addition, the Government of Canada was the first national government in the world to introduce a mandatory Privacy Impact Assessment Policy. The Policy requires government departments to build in privacy protection when changing or creating programs and services that collect personal information.
The federal strategy consists of the following steps.
1. Awareness: The government made all of its 160 institutions that are subject to the federal Privacy Act aware of the privacy issues raised by the USA PATRIOT Act.
2. Risk identification and mitigation: Institutions reviewed their contracting and outsourcing arrangements to identify any risks under the USA PATRIOT Act, assess the seriousness of those risks, take corrective actions as needed, and report to the Treasury Board of Canada Secretariat (the Secretariat).
Here are the results reported to the Secretariat:
Most of the federal institutions, 83 per cent, had their contracting classified as “no risk” (77 institutions) or “low risk” (57 institutions) under the USA PATRIOT Act or other foreign legislation. Of the remaining institutions, many with mandates that include international activities, contracting risks were rated as “low to medium” (19 institutions) and “medium to high” (7 institutions). It should be noted that, if an institution identified only one contract as high risk, the institution was classified in the high risk category. That said, in all cases where risks were identified, institutions have taken, or are planning, remedial actions to mitigate risks.
3. Guidance on privacy in contracting: For many years, federal institutions have had privacy and security safeguards in place to protect personal and other sensitive information that is handled or accessible under contract. Risk management strategies are also in place to cope with emerging privacy issues and, where necessary, institutions have outlined further measures to mitigate risk.
Existing best practices include the following:
Prior to initiating a contract, inspections of private sector facilities may be carried out by government security experts to ensure that adequate protection is available for information handled or stored off government premises by a contractor.
The requirement that core information stays at home, in other words that part or all of the work must be completed within the department or within Canada.
The return of records, or the approved destruction of all records, at the end of a contract.
The inclusion of contractual clauses to address confidentiality.
The signing of non-disclosure agreements.
Guidance document: The government has recently issued a policy guidance document for federal institutions that provides a privacy checklist and upfront advice on considering privacy prior to initiating contracts. It also includes specific considerations for maximizing privacy protection that can be used to develop clauses to include in requests for proposals (RFP) and contracts.
4. Follow up: The government will be taking additional steps to further mitigate risk.
Highlights of ongoing measures and those planned for within the next year:
Follow-up assessment of federal contracting activities, ongoing contract advice, and implementation of risk management strategies for contracting where information may potentially be at risk under the USA PATRIOT Act or other foreign laws.
Ensuring that key government policies are in step with privacy issues and reflect the new global reality.
The exploration of technology and data architecture solutions to protect information flows, including the use of encryption technology and electronic audit trails.
Continued monitoring of new technologies, trends, and events to address their possible effects on privacy.
The development of additional guidelines to cover government-to-government information sharing (within Canada and abroad), auditing of contracts, and technical solutions to protect privacy.
Increased awareness and training related to transborder data flows and existing federal safeguards.
Highlights of measures planned within one to two years:
A scheduled 2006 review of PIPEDA, and a determination of whether the federal Privacy Act should also be reviewed.
The development of a privacy management framework to establish high standards of privacy protection throughout the federal government.
Addressing privacy and transborder data flows for the recently announced Security and Prosperity Partnership (SPP) between Canada, Mexico, and the U.S.
The federal government will also continue to share best practices in protecting transborder data flows with provincial and territorial governments as well as the private sector and foreign governments.