Has there been consultation with the public body’s legal advisors (as well as its FOIP coordinator and SRO, if applicable) regarding the form and structure of the contract to be used, and whether the detailed FOIP provisions should be included in the body of the contract, or in a schedule?
Does the contract define the terms “record” and “personal information”? If the contract involves a variety of record types, does the contract define those as well?
For further information see
6.2 Records management – Definition of “record”
6.3 Protection of privacy – Definition of “personal information”
What personal information will the contractor have to collect, create, maintain, or store?
For further information see
6.2 Records management – Records collected, created, maintained, or stored
Does the contract specify the types of information and records the contractor is expected to collect, create, maintain and store?
For further information see
6.1 Drafting the contract – Overview
6.2 Records management – Records collected, created, maintained, or stored
Does the contract state which records are transferred to the contractor and specify standards for their management, including general obligations under the FOIP Act and the RMR? Does the contract include specific conditions for maintaining the records?
For further information see
6.2 Records management – Transfer of records and conditions of management
Does the contract need to include a general clause stating that records created under the contract are subject to the FOIP Act, in addition to detailed clauses relating to matters of access to information and protection of privacy that are relevant to the specific contract?
For further information see
6.2 Records management – Control of records
Does the contract include a general clause respecting conditions that apply to assignment and subcontracting?
For further information see
6.9 General contractual clauses with FOIP implications
Does the contract specify which records of the contractor will be in the custody or under the control of the public body and which will be in the custody or control of the contractor?
6.2 Records management – Records not under the control of the public body
If the contract involves sensitive personal information, are the terms and conditions adequate in relation to the increased risks? Does the contract specify that the information must be segregated from the contractor’s other business records?
If the contract involves sensitive personal information, is there a requirement for employee security checks in the contract?
For further information see
4.4 Contracts involving sensitive personal information
6.9 General contractual clauses with FOIP implications – Employee security checks
Does the contract provide for the right of the public body to access the records?
For further information see
6.2 Records management – Access by the public body
Does the contract specify requirements respecting retention and disposition of records? Does the contract include conditions governing the disposition of records, including transitory records?
For further information see
2.7 Privatization
6.2 Records management – Retention and disposition of records
Does the contract include a requirement for the contractor to provide notification of destruction to the public body?
For further information see
6.2 Records management – Notification prior to record destruction
Does the contract include a general requirement with respect to the retention of records for the purposes of litigation?
For further information see
6.9 General contractual clauses with FOIP implications
Does the contract identify the responsibilities of the contractor with respect to requests for access under the Act?
For further information see
2.10 Joint service delivery agreements
6.4 FOIP access to information requests
If the contract involves personal information, does it specifically state the requirements of the Act with regard to all of the following that are relevant to the contract?
specific standards for the protection of personal information,
restrictions on the use and disclosure of personal information,
record retention periods, and
final disposition of the records
For further information see
6.3 Protection of privacy
Does the contract make it clear that the requirements of the FOIP Act apply to everyone working under the contract? Are requirements relating to employees of the contractor, such as FOIP training, included in the contract?
6.3 Protection of privacy – Responsibilities of the contractor for its employees, agents and subcontractors
If the contract involves the sharing of personal information with another public body or private-sector organization, does the contract specify the purposes for which the other entity may use or further disclose the information, how the information must be protected and disposed of, and how the contract will be monitored?
For further information see
2.9 Information-sharing agreements
4.5 Use and retention of information about common clients
Does the contract specify requirements for disaster recovery?
For further information see
6.3 Protection of privacy – Protection of personal information
If data matching or data linkage is part of the contract, does the contract specify terms and conditions?
For further information see
6.3 Protection of privacy – Data matching
Does the contract include clauses allowing the monitoring of performance to ensure compliance with the FOIP Act and the Records Management Regulation (RMR)?
For further information see
6.5 Monitoring compliance
Does the contract specify terms of access by the public body for the purposes of monitoring the contractor’s operations?
For further information see
6.5 Monitoring compliance
If the contract involves personal information, does the contract specify what the contractor must do in the event of a breach of privacy?
