The contract should address access by the public body to records and information that relate to the contract and that are in the custody of the contractor. The contract must ensure that the public body can comply with the access provisions of the FOIP Act. The public body should consider including
-
a general clause stating that all records transferred or collected, maintained or stored by the contractor under this contract remain under the control of the public body for the purposes of the FOIP Act;
-
clauses dealing with requests for access to records made under the FOIP Act;
-
a statement regarding offences and penalties for altering, falsifying, concealing, or destroying records, or directing another person to do so; and
-
conditions of storage of information (including media format, data and file specification), disaster recovery, and a business resumption plan.
General clause
The following general clause pertaining to the FOIP Act can be useful in setting the stage for subsequent, more detailed descriptions of the contractor’s obligations. However, the public body should not rely exclusively on a general clause as it is unlikely to be effective if a dispute arises. Therefore, the contract needs to deal with the details of what is required of the contractor regarding an access request.
Model Clause Nn
The contractor acknowledges that the Freedom of Information and Protection of Privacy Act applies to all information and records transferred to or collected, created, maintained, or stored by the contractor under this contract.
|
Responding to FOIP requests
The records in the custody of a contractor may be the subject of a FOIP request if they are under the control of the public body. It is important that the contract clearly state the responsibilities of both the public body and the contractor in dealing with access requests. For example:
Model Clause Oo
Records and information transferred to or collected, created, maintained, or stored by the contractor for the Minister under this contract are subject to the access and privacy provisions of the Freedom of Information and Protection of Privacy Act. If the Minister receives a request for any records or information that are in the contractor’s custody, it will be the contractor’s responsibility to provide the records [or copies of the records, as the case may be], at the contractor’s expense. The contractor must provide them to the Minister [pursuant to the Minister’s direction] within __ calendar days from notification by [name of the official].
|
Large-scale or complex FOIP requests may involve a considerable financial burden to the contractor. If the public body has made arrangements to assist with the contractor’s costs, the above clause should be revised to specify the arrangements.
The contract should also address the responsibilities of the contractor in the event that the contractor receives a FOIP access request directly from the requester. For example:
Model Clause Pp
If a contractor receives a request for access under the FOIP Act for records in the custody of the contractor as a result of this contract but under the control of the public body, the contractor must
-
immediately advise the requester to make the request to the Minister;
-
immediately advise the Minister of the request made to the contractor and forward any copy of the request to the Minister; and
-
must not disclose the information in the records unless otherwise directed by the Minister.
|
6.5
Monitoring Compliance Section 38 of the FOIP Act specifically places a duty upon the head of a public body to protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, or destruction. Also, the public body must ensure that it is capable of responding to any FOIP request and to inquiries from the Information and Privacy Commissioner.
The public body should consider setting up processes to allow the public body to demonstrate that it is complying with the Act. The extent of these processes will depend on the scope of the services covered by the contract and the duration of the contract. Some processes to consider are:
-
requirements for the contractor to provide regular reports on compliance, and
-
on-site audits or evaluations of compliance.
The following models clauses may be considered:
Model Clause Qq
In addition to any other rights of inspection or audit the Minister may have under this contract or under statute, the Minister, a person authorized by the Minister, or the Auditor General of Alberta, may, at any reasonable time and on reasonable notice to the contractor, inspect and evaluate the contractor’s compliance with the privacy, security and information management requirements under this contract through any or all of the following:
-
on-site visit,
-
observation of the performance of the services in progress,
-
access to records and the ability to make copies of the records,
-
oral or written communications or with any clients, employees, agents, or subcontractors of the contractor.
|
OR
Model Clause Qq.1
The contractor will prepare a procedure in a manner specified by the Minister to monitor the compliance of the contractor and the contractor’s agents and subcontractors with respect to the information management, privacy and security requirements under this contract, and provide a written report on the monitoring in a manner and at a time specified by the Minister.
|
AND/OR
Model Clause Rr
The contractor must review the Privacy Impact Assessment [or other similar document] at least once every __ months. The contractor must indicate in writing that there are no material or substantive changes to the Assessment, or identify material changes that may affect the privacy, security or information management of the records in the custody of the contractor under this contract. Without limiting the generality of the foregoing, such material changes may relate to changes to IT systems, administrative procedures, the contractor’s privacy organizational framework, subcontractors, and agents.
|
OR
Model Clause Rr.1
The contractor will notify the Minister in writing immediately of any material changes to the contractor’s operation that might have an adverse effect on the privacy, security and information management of the records in the custody of the contractor under this contract.
|
Share with your friends: |