Written By Stephen D. Burns and Daniel P. Furst
Canada's federal and provincial governments are changing the way Canada's public sector outsources the processing of information. Accordingly, every organization that offers data processing or similar outsourcing services to Canadian governments, departments, agencies and crown corporations should carefully review: (i) their proposals and contracts to ensure that they have been updated to address the changes to Canada's various public sector access to information and privacy laws, policy statements and model agreements; and (ii) their operations and service offerings to ensure that they comply with the new laws, policy statements and contract requirements.
Although similar in their objectives, there is significant variation in the scope and nature of the approaches taken by Canada's federal and provincial governments to address the perceived threat that certain foreign legislation, such as the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act1 (USA PATRIOT Act), may significantly reduce the protection and privacy of Canada's information when processed abroad or by an entity controlled by, or affiliated with, a foreign entity.
Before we outline the approaches currently being taken by the governments of Canada, British Columbia and Alberta, it is useful to first consider the genesis and scope of the USA PATRIOT Act.
USA PATRIOT Act
In the wake of the September 11, 2001 attacks on New York City and Washington, D.C., the U.S. Congress passed a series of amendments to various American laws known collectively as the USA PATRIOT Act. In many ways similar to Canada's own Canadian Security Intelligence Service Act,2 the USA PATRIOT Act grants broad powers to American agencies to acquire (often in secret) personal information held by American companies and foreign companies affiliated with American companies, even outside the territory of the United States. The concern has been raised by various union and other groups that Canadian subsidiaries of American parents may be considered to be US-linked corporations subject to the USA PATRIOT Act such that their records may be accessible to the US government under the USA PATRIOT Act. While there are no known cases of such a risk materializing and while there are a variety of mutual cooperation arrangements in place between Canadian and US law enforcement by which criminal and terrorist conduct can be investigated and relevant information exchanged, the issue has persisted resulting in concerns in many Canadian jurisdictions about the advisability of outsourcing personal information gathered in Canada to data processors in the USA (or other jurisdictions with similar legislation).
As with private sector privacy, Canada's federal and provincial governments are each adopting their own approach to addressing the issues raised by the USA PATRIOT Act and similar foreign legislation. For example, the federal Treasury Board Secretariat has recently released a policy guidance document "Taking Privacy into Account Before Making Contracting Decisions",3 ("Policy Document") and a strategy paper entitled "Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows"4 ("Strategy Paper"). In addition, Alberta has proposed amendments to its Freedom of Information and Protection of Privacy Act5 ("Alberta FOIPPA") and British Columbia has already amended its Freedom of Information and Protection of Privacy Act6 ("BC FOIPPA").
Each of these governments has chosen a different approach to the perceived challenges of the USA PATRIOT Act. The federal government appears to have chosen the softest approach, with a policy document rather than a legislative change. British Columbia's response has been the most severe, enacting legislative changes that have led to unexpected and sometimes unwelcome results and Alberta has sought to moderate the problems of the British Columbia approach while still enacting a legislative solution.
The Federal Response
The Treasury Board of Canada Secretariat issued the much anticipated Strategy Paper and Policy Document on March 28, 2006, with the former explaining the strategy behind the federal response and the latter providing advice and direction to federal government agencies in respect of their contracting out activities in which information is handled or accessed by private sector agencies.
Strategy Paper
The Strategy Paper explains the federal government's decision not to enact any changes to the Privacy Act because such an action could encourage other foreign governments to do the same, choking off the economic benefits to Canada from work outsourced to Canadian suppliers.
Outsourcing is viewed by the federal government as a "pivotal means of providing more flexible and responsive services to Canadians".7 In a comment that may have been directed at the provinces that have changed or are considering changing their public sector access to information and protection of privacy legislation, the Strategy Paper explains that the federal government must respect international trade agreements that are not binding on provincial governments.8 In terms of economic impact, Canada is reported to be one of the four countries of the world that have gained the most from overseas outsourcing.9
As part of the federal government's strategy, an assessment of the contracting activities undertaken by the 160 federal institutions subject to the federal Privacy Act was undertaken. As part of that assessment, the interdepartmental committee tasked with the review classified all federal departments as low, medium or high-risk for potential exposure of personal information to the USA PATRIOT Act and similar foreign laws, and determined that the highest risk departments were:
- Canada Post;
- Canadian Food Inspection Agency;
- Department of Justice;
- Foreign Affairs Canada;
- Industry Canada;
- International Trade Canada; and
- Public Works and Government Services Canada.10
Organizations providing or seeking to provide outsourcing activities to these agencies will be well-advised to be particularly sensitive to the privacy issues arising in respect of such activities and to clearly address and meet or exceed the agency's privacy and data security requirements and expectations.
The review also highlighted that many federal institutions have already been using specific covenants in their contracts to address the privacy and data security issues that can arise in the context of certain outsourcing activities. The report found that some of the most effective measures already in place included:11
- the segregation of personal information being handled under the contract from other records held by the contractor;
- audit trails to closely monitor how information is being handled;
- the limiting of right-to-access based upon specific user profiles;
- approval by the government of any subcontracting;
- the return or approved destruction of all records at the end of a contract;
- the signing of non-disclosure agreements; and
- the use of encryption technology allowing only government officials to view the decrypted data.
In addition, the report identified that many federal institutions will be expanding their current practices to also include:12
- the inclusion of a new step in the solicitation checklist for service contracts that asks for the review of direct and indirect risks involving personal and proprietary information;
- use of multi-disciplinary teams to review proposed contracting arrangements;
- monitoring of all contracts where foreign companies have access to personal or other sensitive information;
- adding contractual requirements that part or all of the work be completed within the institution (especially when health information is involved) or within Canada;
- ensuring by contract that personal information or other protected or classified information is shared with third parties only where warranted;
- consultation with legal services for all future contracts where personal or sensitive information will be exchanged or provided to third parties to consider inclusion of provisions that prevent disclosure under any foreign legislation;
- modification of contract forms to allow contract authorities to better assess risk;
- exploration of technological solutions to protect information flows;
- amendment of training plans to increase department-wide assessment of risks; and
- development of risk management approaches related to business and personal information to mitigate risks associated with foreign legislation, which will in turn be incorporated in the institution's corporate risk management framework.
Policy Document
The Policy Document was issued to, and provides advice to, all federal government institutions subject to the Privacy Act and will guide federal government officials in the future. It includes a step-by-step process for identifying, rating and weighing privacy risk factors in order to help make informed decisions on contracting,13 which any service provider is well advised to also consider when developing their response to an RFP or draft agreement. The step-by-step process includes:
Step 1.0:
Analyze whether a proposed contract complies with the Privacy Act, Treasury Board privacy policies, whether it passes an invasion-of-privacy test and whether the appropriate Privacy Impact Assessment (PIA) or Preliminary PIA has been conducted;
Step 2.0:
Assess privacy risks against a consideration of the laws of foreign jurisdictions and the possible application of international trade agreements;
Step 3.0:
Build privacy into contracts at the RFP/SOW stage; and
Step 4.0:
For RFPs and contracts involving personal information, mitigate risks by considering the following issues:
- establishing control over personal information,
- confidentiality provisions and limitations of access and use for purposes related to the contract,
- requiring audits and maintenance of documentation to facilitate audits,
- segregating personal information supplied by the government from other information,
- adding conditions for disclosures unrelated to the contract,
- inspecting the contractors' premises,
- obliging a notification of breach, and
- requiring subcontractors to comply with privacy provisions of main contract.
In addition, the Policy Document contains a few RFP and contract sample clauses for high-risk situations14 and a 33-point privacy protection checklist of points to consider during the preliminary planning and implementation stages of the governmental contracting process.15
Focusing on a contractual, instead of a legislative solution, the federal government has sought to balance the competing demands of protecting Canada's information from foreign governments and protecting Canada's outsourcing industry from foreign retaliation should Canada require that all information only be processed in Canada and only by Canadian controlled organizations.
That being said, as the federal approach is to address the perceived risks of the USA PATRIOT Act through their contracts with their service providers, organizations seeking to provide outsourcing services to the federal government are well-advised to consider the current and expanded best practices identified in the federal Strategy Paper and Policy Document, and update their responses to RFPs, agreements and activities to address same.
Fortunately, the findings and strategy in the federal Strategy Paper and Policy Document point out where and how the federal government will be focusing its attention on this issue.
Editor's note: Part II of this article will discuss the responses of British Columbia and Alberta to the USA PATRIOT Act and its effect on public sector outsourcing.
1 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Pub. L No. 107-56, 115 Stat. 272 (2001).
2 Canadian Security Intelligence Service Act, R.S.C. 1985, c. C-23, as amended.
3 Available at: