1. What is the USA PATRIOT Act and why is it considered an issue related to the privacy and the protection of personal information?
The USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) was introduced in the United States in October 2001 as an anti-terrorism measure. The Act permits U.S. law enforcement officials, for the purpose of an anti-terrorism investigation, to seek a court order that allows access to the personal records of any person without that person’s knowledge. Under the Act, U.S. officials could access information about citizens of other countries, including Canada, if that information is physically within the United States or accessible electronically. The potential exists, therefore, for law enforcement agencies to obtain information about Canadians whose information might be handled under a contract between the federal government and a U.S.-based company.
2. Why is the protection of personal information a priority?
Privacy has long been considered a fundamental right in Canada. A number of public opinion surveys show that Canadians are concerned about the protection of their personal information. The Government of Canada, recognized internationally as a leader in the creation of privacy laws and policies, shares that concern and is committed to the protection of Canadians’ privacy.
3. How worried should I be that my personal information could be accessed under the USA PATRIOT Act?
The chances of this happening are remote.
4. How is it possible for my personal records to be accessible under the USA PATRIOT Act?
Today’s information technologies, such as the Internet, make it easy for organizations and individuals to exchange information quickly around the globe. The transfer of information across borders, including personal and sensitive information, is known as “transborder data flow”.
Transborder data flows are becoming more common as companies and governments take advantage of outsourcing. In today’s global economy, suppliers can be located anywhere in the world. Even if a domestic supplier is chosen, it may have offices located in other countries. When a supplier is hired to administer personal information and any part of its operations, including subcontractors, is outside of Canada, the laws of the other country (or countries) may apply to information stored in, or electronically accessible from, the foreign country. If a company located in the United States or with U.S. connections is hired, the USA PATRIOT Act may be applicable.
5. If personal information is at greater risk when the information is outside of Canada, why not avoid using suppliers with connections to other countries?
• Federal government institutions have risk management strategies in place that examine all aspects of outsourcing. When highly sensitive information is involved, a priority is placed on keeping such information under the direct control of the government or within Canadian borders.
• Having said this, the use of suppliers across borders has become an essential component of the world economy. While Canada uses suppliers based in other countries, companies based in Canada are also used by other nations. This has meant increased prosperity, since one in every four jobs is related to international trade. Canadians also benefit from a global supply of goods and services.
• The Government of Canada is obligated to make certain contracting opportunities available to companies in other countries under a number of international arrangements, including the North American Free Trade Agreement (NAFTA) and World Trade Organization agreements. Canadian companies also benefit from access to contracts in other nations.
6. Has there been a case where personal information about a Canadian was accessed under the USA PATRIOT Act?
The federal government is not aware of any such case to date.
7. Is there other legislation similar to the USA PATRIOT Act?
Since transborder data flow is global, the issue is not restricted to the USA PATRIOT Act. There are other laws around the world that allow access to personal information in the interest of fighting terrorism and to thwart other criminal activities. Therefore, the Government of Canada has taken the view that measures to protect privacy should be broad in scope and not confined to just the USA PATRIOT Act.
8. When did the government conduct its review of outsourcing contracts, and what were the results of the review?
The review was initiated in late 2004 and completed in the summer of 2005.
The Treasury Board of Canada Secretariat (TBS) asked federal institutions that fall under the Privacy Act to rate the status of their outsourcing contracts in relation to the potential risk of personal information being accessed under the USA PATRIOT Act.
Most of the 160 federal institutions – more than 80 percent – rated their contracts as having no risk at all, or a low risk, because information is either being processed only by the government itself or by a company operating only in Canada.
Of the remaining institutions, outsourcing of some contracts was rated “Low to Medium” (19 institutions) because of a potential supplier connection outside of Canada and “Medium to High” (seven institutions) because information is being processed outside of Canada.
9. What action has the Government taken to downgrade the “Medium to High” risk departments and agencies to a lower risk category?
Only seven out of 160 institutions included in the assessment rated themselves in the “Medium to High” category. These institutions have already begun taking steps to mitigate potential risks by taking measures such as using contractual provisions, auditing and segregating databases. Moreover, the concerns will be addressed further when the contracts come up for renewal.
• TBS has produced a guidance document to assist federal institutions before they make a decision to engage in outsourcing that involves personal or other sensitive information, whether within Canada or across borders.
• The Government has asked the seven institutions that identified a medium to high risk to submit updates on their plans to address these risks and to report on those risks that have been addressed since submitting their initial assessment.
• In addition, the Government initiated quarterly reporting against the implementation plans of these seven institutions.
• We have also requested quarterly progress reports on the commitments made by some key departments (such as Industry Canada and the Department of Justice) that play a part in the Government’s overall strategy.
10. Were institutions prepared to cope right away with the potential risks identified in the review?
• For the most part, yes. The review revealed that many strategies and best practices were already in place to meet challenges posed by today’s transborder data flows.
• Existing best practices included the segregation of personal information from other records held by contractors; audit trails to closely monitor how information is being handled; approval by the government of any subcontracting; the signing of non-disclosure agreements and the use of encryption technology allowing only government officials to view data.
• Some institutions that process particularly sensitive information ensure that the information is never removed from a federal government site.
11. Were any additional practices put into place to further mitigate risk?
• Yes, many institutions reported that they are implementing additional mitigating measures to guard against existing and future unauthorized disclosure.
• These expanded practices include internal processes to review all new outsourcing agreements and the monitoring of contracts where foreign companies have access to personal or other sensitive information.
12. Within the federal government, who is responsible for making sure government contracts address the issue of personal information being accessed by foreign laws?
The Treasury Board of Canada Secretariat (TBS) is responsible for coordinating the government’s action plan with respect to risks associated with the handling of personal information under contracts. However, it is the responsibility of each Government of Canada institution to identify and assess risks inherent to the institution’s own outsourcing activities and to develop its own strategies to mitigate or manage risks. TBS is providing guidance and advice regarding privacy and contracting to assist institutions.
13. What other measures are federal institutions putting into place to mitigate potential risks?
• Institutions are developing risk management approaches to reduce the risks associated with foreign legislation, which will be incorporated in their overall corporate risk management framework.
• TBS has prepared a guidance document for federal institutions. The document includes a privacy checklist and up-front advice on considering privacy prior to initiating contracts. It also includes advice for developing specific privacy protection clauses that can be used in Requests for Proposals (RFPs) and contracts.
• Public service training programs will include modules to enhance awareness of risks.
• Technology solutions will be explored to protect information flows.
14. Who is responsible for protecting my personal information?
Protecting personal information is not just the responsibility of the federal government. All levels of government, private organizations and Canadians themselves share this responsibility.
15. Are there any laws that the federal government must follow to protect personal information under its control?
• Yes, each federal government institution is accountable under the federal laws that apply to the operation of its programs and services.
• One law affecting most federal institutions is the federal Privacy Act. The Act was introduced in 1983 to limit the collection, use and disclosure of personal information, and more than 160 federal institutions must follow the requirements of the Act.
• Ten additional institutions, or Crown corporations, were brought under the jurisdiction of the Privacy Act by Order in Council on August 31, 2005.
• Other federal laws such as the Income Tax Act, the Statistics Act, the Employment Insurance Act, the Old Age Security Act and the Canada Pension Plan Act, add an additional layer of privacy protection.
• The provinces have privacy laws, policies and procedures similar to those of the federal government, adapted to their particular circumstances.
16. What about the private sector?
• The Personal Information Protection and Electronic Documents Act (PIPEDA) governs personal information used by private sector companies in most provinces and all territories.
• PIPEDA applies to the collection, use and disclosure of personal information by any organization in the course of commercial activity.
• Under PIPEDA, a person has the right to know why a business wants to collect their personal information.
• Where a province has a privacy law that is substantially similar to PIPEDA, the provincial law governs provincially regulated private sector operations within that province’s borders.
17. Is there an organization in Canada looking out for my privacy rights?
The Privacy Commissioner of Canada looks out for the privacy rights of Canadians. The Commissioner can investigate complaints that are made under the Privacy Act and PIPEDA. The Commissioner also serves as an advocate for privacy rights, carries out privacy research and publishes information about privacy best practices.
18. What can I do to protect my personal information?
• You have the right to know and ask why a business or organization is collecting, using or disclosing your personal information such as your name, age, medical records, marital status and income. You also have the right to check personal information and correct any inaccuracies.
• If you have a concern about how your personal information is being handled, you can complain to the Office of the Privacy Commissioner of Canada or a provincial or territorial commissioner (depending upon the organization whose conduct has raised the concern). For more information about the Office of the Privacy Commissioner, visit its Web site at: http://www.privcom.gc.ca/.