IT outsourcing contracts and their associated risks vary considerably. A detailed discussion of issues relating to IT outsourcing is contained in the Contract Management Framework for Information Technology Projects.
The Government of Alberta also has access to the resources of the Information Security Forum, an independent association of leading organizations that provides research on, and solutions for, key issues in information security. There are currently over 300 members worldwide, including nine Canadian provincial governments. Membership provides access to a library of research and tools, including detailed risk assessments, which are available under licence to Government of Alberta employees and contractors. For further information on any of these resources, email ciso@gov.ab.ca.
A number of business units within the Government of Alberta have developed tools to ensure high standards in IT contracts. For example, Alberta Health and Wellness has produced a High Level Security Assessment (HLSA), which is to be completed by organizations contracting to perform IT services for the department. The HLSA is a comprehensive security assessment based on ISO 17799 Code of practice for information security management. It includes a review of the organization’s security management and architecture, access controls, application development, business continuity, as well as physical and systems security. The assessment is approved by the Alberta Health and Wellness Information Policy and Compliance Unit, as well as the Security Officer. Further information can be obtained from the Information Policy and Compliance Unit in Alberta Health and Wellness.
Related sections of this Guide (Chapter)
- Contracting for service delivery: 2.6
- Processing or storage of personal information outside Alberta: 4.2
- Costs of large-scale or complex FOIP requests; Privacy planning tool for IT projects; Privacy Impact Assessment (PIA); Tendering process; Drafting the contract: Protection of privacy: 4.7, 4.8, 5.3, 5.4, 5.7, 6.3

4.4 Contracts Involving Sensitive Personal Information

What is sensitive personal information?
The FOIP Act does not create classes of personal information. This means that public bodies are required to protect all personal information in accordance with the Act’s provisions for collection, use, disclosure, retention, and protection. At the same time, the Act clearly permits the disclosure of certain personal information under conditions that are less restrictive than in other cases. For example, the Act permits public bodies to disclose
- personal information about a deceased individual without restriction twenty-five years after death (section 40(1)(b) in conjunction with section 17(2)(i)),
- an individual’s business contact information, provided that the disclosure does not reveal other personal information about that individual or another individual (section 40(1)(bb.1)), and
- certain information about an individual’s participation in public events, provided that this is not contrary to the public interest or the wishes of the individual (section 40(1)(b) in conjunction with section 17(2)(j) and section 17(3)).
The Act also recognizes that, while virtually any personal information may be sensitive in certain contexts (for example, disclosure of a home address may expose an individual to risk for personal or professional reasons), there are certain categories of personal information that are considered sensitive for all or most individuals. Section 17(4) of the Act states that it is presumed to be an unreasonable invasion of personal privacy to disclose such categories of information, including
- an individual’s medical information,
- personal information in a law enforcement record,
- an individual’s financial information,
- an individual’s educational history,
- an individual’s employment history, and
- personal evaluations and character references.
Assessing risk
In any contracting arrangement involving personal information, the public body should consider the degree of risk with respect to the privacy and security of personal information under the proposed contract with the prospective contractor. This requires a determination of the likelihood of a breach of privacy, and the severity of the impact if the breach were to occur.
The likelihood of a breach occurring may be affected by factors such as
- the number of contracted staff who have access to the personal information,
- the level and training of the contracted staff,
- the use of subcontractors,
- the security of the contractor’s IT system,
- the distribution of IT resources (mobile offices, laptops, BlackBerries, etc.), and
- whether the contractor handles information from other organizations in the same location, using the same personnel, or using the same IT system.
The severity of the impact of a breach may be affected by factors such as
- the number of individuals whose personal information is contained in the database,
- the number of data elements pertaining to each individual that are contained in the database,
- the sensitivity of the personal information, and
- whether the contractor has direct access to the public body’s IT system (for example, some public bodies require the contractor to enter data directly into their information system).
In addition to these factors, specific contracts may pose special risks. These risks may arise, for example, where
- the contractor will be collecting the information in an individual’s residence,
- the contractor will be collecting information about children, or
- the information will be collected directly from children.
Public bodies that propose to implement projects involving the collection, use or disclosure of sensitive personal information will normally complete a formal Privacy Impact Assessment (PIA). This is the case whether the public body intends to do the work itself or to have the work done under contract. As an alternative to a PIA, some public bodies have developed an assessment tool in the form of a questionnaire designed for specific service providers. This approach is considered particularly useful for small and medium-sized organizations. The questions can be made very specific, which makes it easier for smaller contractors to respond. Also, the questions can be designed for specific types of organization and to address specific risks associated with the particular contract.
Related sections of this Guide (Chapter)
- Fee-for-service contracts: 2.5
- Privacy Impact Assessment (PIA): 5.4
- Assessing privacy capabilities of smaller contractors: 5.5
- Tendering process: Protection of personal information: 5.7
- Drafting the contract: Protection of privacy: 6.3; esp. cl. Bb