The purpose of the model clauses in this chapter is to ensure that a public body continues to meet its obligations under the FOIP Act when contracting out a service. The clauses are limited to the collection, use and disclosure of personal information, the security of the personal information, and access to information in the custody of a public body.
The FOIP Act may also have implications for other general contractual matters, such as
- an assignment of the contract (for example, in the case of a corporate buy-out or merger);
- subcontracting;
- employee security or background checks; and
- impending litigation.
Assignment and subcontracting
A corporate buy-out or merger involving the contractor may create a potential conflict of interest, or may introduce unanticipated information privacy and security considerations. This may include issues such as different corporate privacy frameworks and culture and the impact of extra-provincial privacy legislation. A general contractual clause addressing the possibility of a buy-out or merger may include a requirement for the contractor to provide a Privacy Impact Assessment or a similar assessment to the Minister upon any request by the contractor to assign the contract.
For similar reasons, contract clauses concerning subcontracting may include a requirement for the contractor to perform a Privacy Impact Assessment and obtain approval from the Minister before engaging a subcontractor or agent. A contractor may also be required to specify in a subcontract or agency contract that all records transferred to or collected, created, maintained, or stored by the subcontractor in performing services on behalf of the contractor remain under the control of the Minister and are subject to the FOIP Act.
Employee security checks
It may be appropriate to require the contractor to screen employees who will have access to the personal information. Any security requirement should be based on an assessment of risk of unauthorized collection, use, disclosure and destruction of personal information and any other relevant circumstances, including the sensitivity of the personal information.
It may be appropriate to require a contractor to obtain a Canadian Police Certificate for employees who will be collecting information directly from or about children, or collecting information in other similarly sensitive circumstances.
Consideration needs to be given to the level of security screening that will be appropriate in the circumstances, as well as what results will be required.
Impending litigation
Litigation imposes specific obligations with regard to record retention; these obligations are similar to the obligations that arise when a public body receives a FOIP request. A contract should address the responsibilities of the contractor where a contractor becomes aware that there is a reasonable possibility of impending litigation in relation to the performance of services under the contract.
Appendix 1
Checklist for Contract Managers
Preliminary Planning
- What kind of contract or agreement is involved and are there any specific access or privacy issues associated with this type of contract?
  For further information see
  - 2.2 Purchase agreements for the acquisition of goods
  - 2.3 Rental agreements and leases for business machines
  - 2.4 Software licensing agreements
  - 2.5 Fee-for-service contracts
  - 2.6 Contracting for service delivery
  - 2.7 Privatization
  - 2.8 Public–private partnerships (P3s)
  - 2.10 Joint service delivery agreements
  - 2.11 Grant agreements
  - 2.12 Agreements where the public body is the service provider
- What operational records will the contractor have to collect, create, maintain, or store?
  For further information see
  - 6.2 Records management – Records collected, created, maintained, or stored
- Will the contract involve records or information that are subject to the FOIP Act?
  For further information see
  - 1.2 Key concepts – What is subject to the Act; Exclusions
- If the contract involves the collection of personal information for the public body, what is the authority to collect that information?
  For further information see
  - 6.3 Protection of privacy
- If the contract involves collection of personal information for the public body from third parties, is indirect collection for the purpose of the contract authorized under the FOIP Act?
  For further information see
  - 2.10 Joint service delivery agreements
  - 4.6 Use and retention of information about common clients
  - 6.3 Protection of privacy – Indirect collection
- If the contract involves sharing personal information with another public body or a private-sector organization, what is the authority to disclose that information, and what is the authority of the other entity to collect and use that information?
  For further information see
  - 2.9 Information-sharing agreements
  - 2.10 Joint service delivery agreements
  - 4.6 Use and retention of information about common clients
- Is the contract likely to involve any recognized privacy issues?
  For further information see
  - 4.2 Processing or storage of personal information outside Alberta
  - 4.3 IT outsourcing contracts
  - 4.4 Contracts involving sensitive personal information
  - 4.5 Contracting with a member of a professional regulatory organization
  - 4.6 Use and retention of information about common clients
- Does the contract involve any recognized access issues?
  For further information see
  - 4.7 Corporate restructuring, mergers and buy-outs
  - 4.8 Costs of large-scale or complex FOIP requests
  - 4.9 Confidential business information
- Is the contract or agreement likely to involve a party or parties that are subject to other access to information or privacy legislation that may need to be considered?
  For further information see
  - 3.2 Other Alberta legislation
  - 3.3 Federal legislation
  - 3.4 United States legislation
- Is the contract likely to involve a party operating in a jurisdiction that has no privacy legislation?
  For further information see
  - 3.6 Jurisdictions with no privacy legislation