Quebec CityFebruary 2005

PUBLIC SECTOR CIO COUNCIL

BC - USA Patriot Act Update

2

Background

BCGEU legal action (February 2004) – Outsourcing and Patriot Act.

Information and Privacy Commissioner Inquiry (over 500 submissions)

Public profile – media coverage, “Right to Privacy Campaign”, Fahrenheit 9/11

BC Government Submission

Commissioner’s Report/Recommendations (October 2004)

3

FOIPP Act Legislative Changes (Bill 73)

Amending protection of privacy provisions in the FOIPP Act to prevent the storage of, and access to, personal information outside of Canada

Amending protection of privacy provisions in the FOIPP Act to restrict the disclosure of personal information outside of Canada

Extending requirements and restrictions posed by privacy protection provisions to service providers and employees

Requiring the reporting of any requests received from jurisdictions external to Canada for unauthorized disclosure of personal information

Including “whistle-blower protection” in legislation to protect individuals who report violations of the disclosure rules

Creating offences and penalties for violation of disclosure rules and failure to report

Transitional provisions

4

Transitional Provisions

The new privacy provisions will apply to all contracts signed by Government Ministries with a contract commitment date later than October 12, 2004.

The provisions will also apply to contracts signed by all other public bodies (including Crown agencies, health authorities, municipalities, etc.) with a contract commitment date after Royal Assent (October 21).

However, a public body is expected to bring all existing contracts into compliance with the new provisions as soon as reasonably possible.

Commitment date means:

(a) in the case of a contract that a public authority is legally obliged to enter into as a result of a completed binding competitive process, the date on which the process was completed, or

(b) in any other case, the date on which the contract was entered into by the public authority;

5

Commissioner’s Report

Key points:

“A ban on outsourcing is not a practical or effective response”

“A sensible solution is to put in place legislative, contractual and practical mitigating measures against illegal and surreptitious access”

Commissioner called Bill 73 a “laudable piece of legislation’ and has suggested that the Federal government enacted similar provisions

Made 16 recommendations – 6 Federal; 2 joint; 8 BC (a number of which were not related to the Patriot Act – Information sharing agreements)

6

Commissioner’s recommendations

Further amendments to the FOIPP Act

Create and publish a litigation policy for challenging foreign orders

BC/Canada to jointly request USA not to seek personal information under the Patriot Act or similar mechanisms

Commit resources to ensure privacy mitigation measures are in contracts

Implement a program of regular third party compliance audits

TB to direct Ministries to include resources for audits and contract privacy measures in their service plans and budgets

Federal government should review legislation re Patriot Act

Federal government should review FOIPP amendments and consider implementing

7

Commissioner’s recommendations (cont.)

Conduct comprehensive audit of Information Sharing Agreements, publicly release report and address deficiencies

Conduct comprehensive review of data mining activities and develop legislation to regulate

Federal government should also implement ISA and data mining recommendations

Fully implement and expand section 69 of FOIPP Act (PID)

Make similar amendments to PIPA and PIPEDA

Federal government should review: anti-terrorism legislation International Trade and Investment Agreements to ensure they do not

impair provincial jurisdiction to maintain and enhance privacy protections Trans-national Data Protection and Oversight Standards in International

Agreements.

8

Mitigation Strategies

Mitigation measures include:1. Technology and Businesses Processes2. Employee Strategies3. Contractual Measures4. Corporate Structures

Procurement - privacy protection requirements/schedule

Legislative provisions

9

Next Steps

Rigorous mitigation provisions in contracts and corporate restructuring requirements

Sharing with other jurisdictions – federal/provincial discussions

Responding to Information and Privacy Commissioner’s Recommendations – on-going

Continuing Profile – FOI requests, media

Pending legal action

10

Guidelines and Resources

Information Policy and Privacy Branch Website: www.mser.gov.bc.ca/foi_pop/

Bill 73

Model Contract Language (Privacy Protection Schedule)

Privacy Protection Measures

Q & As – Proposed amendments to FOIPP Act in response to the USA Patriot Act

USA Patriot Act – Government Briefing

Link to Purchasing and Contract Management Resource Centre

Instructions on How to Apply Amendments to Contracts

Suggested RFP Language