Written By Stephen D. Burns and Daniel P. Furst
The Response By British Columbia
In British Columbia, the privacy and data protection issues arising as a result of the USA PATRIOT Act came to a head when objections were raised to a plan by the provincial government to outsource the administration of the provincial health insurance plan to a U.S.-linked contractor.
In this case, the B.C. Government and Service Employees Union (BCGSEU) brought suit seeking to prevent the outsourcing on grounds that included a concern about the U.S. outsourcer being secretly compelled to disclose the personal information of British Columbians under the USA PATRIOT Act. The Office of the Information & Privacy Commissioner for British Columbia investigated the issue and prepared an extensive report in October 2004 on the implications for public sector outsourcing in British Columbia as a result of the USA PATRIOT Act.1
The Government of British Columbia responded by amending the BC FOIPPA. The amendments to the legislation included new provincial offences, with fines of up to $500,000, for outsourcing service providers who:
- store, access or disclose personal information of a British Columbia public sector body outside of Canada, subject to a few narrowly defined exceptions;
- fail to provide notice to the Minister of Management Services of any foreign demand for disclosure of personal information held by the service provider; or
- discipline, suspend, demote, harass or otherwise disadvantage an employee who, acting in good faith and on the basis of reasonable belief, complies with the notice obligations above or acts to ensure compliance with the British Columbia legislation.
Following the amendments to the BC FOIPPA, British Columbia proceeded with its outsourcing plan but required the U.S.-based outsourcer to set up a British Columbia-based subsidiary overseen by Canadian directors and committed to maintaining the relevant records inside British Columbia. The amendments to the BC FOIPPA made it more difficult for outsource service providers to comply with a USA PATRIOT Act disclosure order, and were designed, in part, to force American authorities to seek personal information directly from the British Columbia government, as opposed to through a secret order issued to one of British Columbia's outsource service providers.
Alberta's Office of the Information and Privacy Commissioner generated its own report, entitled "Public-sector Outsourcing and Risks to Privacy", in February 2006,2 and reviewed the changes in contracts between British Columbia's public bodies and outsourcing service providers since the BC FOIPPA was amended. The Commissioner found that the following new features were appearing in such contracts:3
- requirements for segregated data access;
- requirements to keep individual user logs;
- more use of non-disclosure agreements (between individual service provider employees and the public body, between employees of a sub-contractor and the service provider, and between employees of the sub-contractor and the public body);
- annual oath requirements for service provider and sub-contractor employees;
- restrictions on access of foreign-based employees to personal information, where these employees work on transition and transformation activities;
- limitations on data access generally, including remote data access;
- corporate internal limitations on data access, cutting off extra-provincial access;
- alarm notification facilities to alert the public body to copying or unusual access activity;
- prohibitions on service provider staff outbound Web and e-mail access;
- restrictions on data portability hardware to only designated personnel;
- dedicated service provider privacy officers to monitor compliance; and
- financial penalties in contract in the event of disclosure or privacy breaches.
Accordingly, it appears that outsourcing service providers are taking measures to effectively segregate their information holdings by country or province, or are physically storing data abroad but in an encrypted manner where the key is kept under the control of the Canadian subsidiary.
It was reported that one unintended consequence of the amendments to the BC FOIPPA is that British Columbia public bodies are now experiencing disruptions in access to data by staff on assignment outside of the province. Furthermore, because of the prohibition on storing, accessing or disclosing personal information outside of Canada, economic costs have increased — as in the cases of 24/7/365 helpdesks that may not be practical entirely within Canada, or of highly specialized software where there may be only one help desk in the world.
The Response By Alberta
Like British Columbia, Alberta has introduced legislation to amend its public sector freedom of information and protection of privacy legislation. The proposed amendments include or address many of the recommendations made by Alberta's Information and Privacy Commissioner in his report on "Public-sector Outsourcing and Risks to Privacy" released in February 2006, and in particular these amendments, if passed, would serve to:
- limit the kinds of judicial orders which allow for the disclosure of personal information by a public body without notice or consent, only to those orders made by courts, persons or bodies with jurisdiction in Alberta;
- limit the rules of court under which a public body may disclose personal information without notice or consent, only to rules of court binding in Alberta that relate to the production of information;
- clarify that the Alberta FOIPPA does not affect the power of a court or tribunal in Canada to compel the production of documents or the testimony of a witness; and
- create an offence under the Act, with a two-year limitation period, for disclosing personal information under the authority of a court, person or body not having jurisdiction in Alberta or of a rule of court not binding in Alberta.
In addition, Alberta's commissioner has recommended the creation of an Alberta government checklist or model outsourcing contract, which would include the following provisions:4
- a prohibition on assignment or subcontracting of the outsourcing contract without the written consent of the public body;
- a requirement of notification by the outsourcer in the event of notice of creditor's remedies or court applications for bankruptcy or protection from creditors;
- a requirement of notice on any demand for access to or disclosure of personal information received by the outsourcer;
- a requirement of notice of any loss or unauthorized access to personal information by the outsourcer or its employees;
- a right to audit for both compliance with the contract and with any legislation stipulated to be applicable to it (i.e., Alberta FOIPPA, the Health Information Act, etc.);
- a requirement for the outsourcer to have in place a system to monitor or audit its own use and disclosure of the personal information, with an access provision for the public body to review those logs on certain conditions; and
- stipulated consequences for breach including mandatory return of all copies of personal information and assistance in recovering lost or otherwise disclosed personal information.
Some Practical Advice
In light of the recent changes in how Canada's public sector is outsourcing the processing of its information and the concern of both levels of government about possible exposure of personal information to USA PATRIOT Act or similar foreign orders, we suggest that every business seeking an outsourcing contract from a federal or provincial government address these concerns up front. In particular, we suggest addressing privacy and data security in your proposals and contracts, where appropriate, in a manner that shows both a sophisticated understanding of the issues and the government's changing expectations of its service providers.
1 Available at:
2 Available at:
3 Ibid., pp. 29-30.
4 Ibid., p. 34.