Preface i
Contents 1
1. Fundamentals 1
1.1 Overview 1
1.2 Key Concepts 3
Who is subject to the legislation 3
What is subject to the legislation 3
Custody and control 3
Application of the FOIP Act to contractors 5
Exclusions 6
Transfer of responsibility for a program within government 7
2. Contracts and Agreements 8
2.1 Overview 8
2.2 Purchase Agreements for the Acquisition of Goods 9
2.3 Rental Agreements and Leases for Business Machines 9
2.4 Software Licensing Agreements 10
2.5 Fee-for-Service Contracts 11
2.6 Contracting for Service Delivery 13
2.7 Privatization 14
2.8 Public–Private Partnerships (P3s) 15
2.9 Information-Sharing Agreements 18
2.10 Joint Service Delivery Agreements 19
2.11 Grant Agreements 21
2.12 Agreements Where the Public Body is the Service Provider 22
3. Interaction between the FOIP Act and Other Legislation 24
3.1 Overview 24
3.2 Other Alberta Legislation 25
Paramountcy of the FOIP Act 25
Health Information Act (HIA) 26
Personal Information Protection Act (PIPA) 28
3.3 Federal Legislation 30
Paramountcy of federal legislation 30
Federal public-sector access and privacy legislation 31
Federal private-sector privacy legislation (PIPEDA) 33
3.4 United States Legislation 35
Safe Harbor 35
3.5 Extra-territorial Application of Foreign Law 36
USA PATRIOT Act 36
3.6 Jurisdictions with No Privacy Legislation 37
4. Special Considerations in Contracting 39
4.1 Overview 39
4.2 Processing or Storage of Personal Information Outside Alberta 40
4.3 IT Outsourcing Contracts 43
4.4 Contracts Involving Sensitive Personal Information 44
What is sensitive personal information? 44
Assessing risk 44
4.5 Contracting with a Member of a Professional Regulatory Association 46
4.6 Use and Retention of Information about Common Clients 47
4.7 Corporate Restructuring, Mergers and Buy-outs 49
4.8 Costs of Large-Scale or Complex FOIP Requests 50
4.9 Confidential Business Information 51
5. Pre-contracting Processes 54
5.1 Overview 54
5.2 Business Case 54
5.3 Privacy Planning Tool for IT Projects 55
5.4 Privacy Impact Assessment (PIA) 55
5.5 Assessing Privacy Capabilities of Smaller Contractors 57
5.6 Organization of Records for Alternative Service Delivery 59
5.7 Tendering Process 59
Communicating requirements 59
Records under the control of the public body 59
Contractor’s administrative records 60
Records management 61
Protection of personal information 61
Access to information 62
Access to tender submissions 62
Rating and evaluation records 64
Personal information of contractors’ employees and agents 64
Retention of unsuccessful tender submissions 65
Approval of fees and charges 65
6. Drafting the Contract 67
6.1 Overview 67
6.2 Records Management 68
Definition of “record” 69
Records collected, created, maintained, or stored 70
Transfer of records and conditions of management 70
Control of records 70
Records not under the control of the public body 71
Ownership of records 71
Segregation of records 72
Access by the public body 72
Retention and disposition of records 72
Notification prior to record destruction 75
6.3 Protection of Privacy 75
Definition of “personal information” 77
Responsibilities of the contractor for its employees, agents and subcontractors 77
Collection of personal information 78
Purpose of collection 78
Direct collection 79
Indirect collection 80
Accuracy and completeness 80
Correction 80
Protection of personal information 81
Personnel standards 82
Physical standards 82
Use and disclosure of personal information 83
Record of disclosures 85
Data matching 86
Disposition of records at the termination of the contract 86
6.4 FOIP Access to Information Requests 87
General clause 87
Responding to FOIP requests 87
6.5 Monitoring Compliance 88
6.6 Notification of Breach of Privacy 89
Consequences of breach 90
6.7 Offences and Penalties 90
6.8 Applicable Law 91
6.9 General Contractual Clauses with FOIP Implications 91
Assignment and subcontracting 92
Employee security checks 92
Impending litigation 92
Appendix 1: Checklist for Contract Managers 94
Preliminary Planning 94
Pre-Contracting 95
Tendering Process 97
The Contract 99
Appendix 2: Disclosure of Contracting Records 103
1. Overview 103
2. General Considerations 104
Harms test 104
Consent to disclosure 104
Exercise of discretion 104
Severing 105
3. Mandatory Exceptions 105
Disclosure harmful to business interests of a third party (section 16) 105
Disclosure harmful to personal privacy (section 17) 108
Privileged information of a person other than a public body (section 27(2)) 109
4. Discretionary Exceptions 110
Confidential evaluations (section 19(1)) 110
Advice from officials (section 24) 111
Disclosure harmful to economic or other interests of the Government or a public body (section 25) 112
Privileged information of a public body (section 27(1)) 113
Appendix 3: Records Management Regulation 116
Appendix 4: Glossary of Terms 120