One important way that the government makes sure its contractors and service providers meet the minimum standards required under FOIPPA is to make sure the contract has the right requirements. The requirements are contained in the Privacy Protection Schedule.

The Privacy Protection Schedule is a standard form of contractual requirements which must be included as part of each contract between any provincial government body and any contractor that it hires, if:

  1. the contract involves ‘personal information’ as defined in the Freedom of Information and Protection of Privacy Act, and
  2. that personal information will be in the custody or under the control of the government body.

The terms have been authorized and approved by the IM/IT Privacy and Legislation Branch of the Ministry of Labour and Citizens’ Services, and in general, the terms cannot be changed or amended by a ministry without the authorization of the Information Policy and Privacy Branch, Ministry of Labour and Citizens’ Services.

The Guidelines for Data Services Contracts (OIPC Guideline 01-02) are for use by public bodies that contract out the processing, storage, operation or management of computerized systems containing personal information; or services involving the collection, use or disclosure of personal information.

The Guidelines remind public bodies that the responsibility for protecting personal information cannot be contracted out and that the public body remains legally responsible for the information and for ensuring the privacy obligations imposed by the Freedom of Information and Protection of Privacy Act are followed.

This means that the public body has a duty to ensure that each contract includes terms requiring the service provider to comply with FOIPPA, and to monitor and audit the contractor’s performance to ensure that the contract is enforced.

CONCLUSION

Sometimes using a contract helps to protect privacy. FOIPPA requires contractors to use reasonable protections to protect personal information. So when governments contract with, say, IT systems providers, the contractor must make sure they follow the law that would apply to the information if the IT systems were managed inside the government department rather than by a third party contractor.

But when the Privacy Protection Schedule is used with third party contractors that are providing services directly to citizens, it may not always be such a good idea. For example, a social services agency that has a contract with the Ministry of Children and Families to provide advocacy and educational assistance to single mothers is required by the contract to agree that the information is covered by FOIPPA. This means that the information is, potentially, more easily shared with other parts of government. When the agency’s files are on paper or on a system which is not interoperable with other parts of the government, there is little chance of the information being used for new purposes. But when the social services agency is required to use a system that is part of, for example, the Integrated Access Layer or another new or proposed interoperable system of the government, FOIPPA allows the information to be more easily shared with other departments and ministries within the government.

As this section shows, the government of BC is intent upon making it easier to share all kinds of information about citizens among departments and agencies which have not had access to the information before. This is becoming a significant threat to the privacy of people in BC. The need for strong privacy laws, strict controls and citizen awareness and engagement has never been greater.