Laws Of .com

Alberta Privacy Commissioner Issues Report on Outsourcing

The Information and Privacy Commissioner of Alberta has released a report on information security and privacy concerns arising from public sector outsourcing.

In 2004, privacy concerns inherent in outsourcing became a major issue when the government of British Columbia planned to outsource the public health insurance program to a U.S.-linked contractor. This plan was challenged by the British Columbia Government and Service Employee’s Union on the ground that if Canadians’ personal information was sent to the U.S., or made accessible by U.S. entities, this information might also be accessible by U.S. authorities under the USA PATRIOT Act. The BC Information and Privacy Commissioner issued a lengthy report on these issues in October 2004.

The objective of the Alberta report was not to duplicate what had been done in BC, but rather to outline the privacy issues and risks involved in outsourcing government programs to private contractors. Some of the risks and issues identified include:

  • Outsourcing contracts do not always contain appropriate controls relating to privacy and information security.
  • When personal information is housed outside of Canada, it may become susceptible to the laws of that jurisdiction (e.g., the USA PATRIOT Act).
  • Data-laden hardware (e.g., hard drives, computer tapes, microfiches), which is used in many outsourcing arrangements, can be lost in transit.
  • Outsourcing increases the risk of communications being intercepted and databases being accessed by unintended users (ranging from foreign law enforcement agents to criminal hackers).

After a detailed examination of the outsourcing landscape in Alberta, the Commissioner made various recommendations, including:

  • Amending applicable privacy legislation to define responsibility for outsourcing personal information and to make it clear that personal information can only be disclosed pursuant to an order of a Canadian court with appropriate jurisdiction.
  • Taking a careful and systematic approach to outsourcing, including using a checklist or template of matters to consider (e.g., a privacy impact assessment).
  • Using a model outsourcing contract and a checklist of contractual provisions to consider in outsourcing contracts. Such provisions might include: prohibiting the contractor from assigning or subcontracting the outsourcing contract without consent; requiring the contractor to give notice upon any demand for access to, or disclosure of, personal information received by the outsourcer; and giving the public body the right to audit the contractor for compliance with the contract and for compliance with any legislation stipulated to be applicable to the contract.
  • Operating from the first principle that personal information should only be outsourced within Alberta first, Canada second, and anywhere else third, depending on the specific circumstances.
  • Requiring a privacy impact assessment for all outsourcing arrangements involving significant amounts of personal information.
  • Requiring public bodies to keep a master inventory of all their outsourcing agreements, and to have someone specifically responsible for each such agreement.

The Alberta Report ends with a generally reassuring conclusion:

“Through generally cautious management and policy foresight, information resources entrusted to Alberta public bodies are for the most part secure within Alberta or Canada and not exposed to unintended users in foreign jurisdictions.”

However, the Alberta Commissioner does point out that outsourcing to U.S.-based companies continues to be an uncertain prospect, and recommends legislative and contractual improvements, as well as “more rigorous attention” to the management of outsourcing arrangements by public bodies that choose them.

For additional information, visit:

http://www.gov.ab.ca/acn/200602/19490.pd