Information and Privacy Commissioner Releases Report Into Security Risks Associated with Outsourcing

February 24, 2006

Alberta’s Information and Privacy Commissioner has released a report into Public Sector Outsourcing and security concerns associated with the practice, and has developed recommendations for public bodies to follow. In his report, the Commissioner makes it clear it is the responsibility of the Public Body to ensure due diligence in awarding outsourcing contracts.

The report and survey of outsourcing practices were done in partnership with the Ministry of Government Services.

Frank Work wants to ensure that proper security measures are in place to protect information handled by companies in charge of outsourcing agreements. In recent years outsourcing of information and communications technology (ICT) has become common practice for many public bodies, and includes payroll administration, health care insurance and other information technology based services.

Work says Public Bodies in Alberta are doing a reasonably good job of protecting information, but a networked and security-conscious world presents a number of issues and challenges.

Work says the report was prompted by concerns raised in other jurisdictions. “The Patriot Act in the United States raised many concerns about the information held by outsource providers and the protection of that information, and I wanted to make sure that outsourcing agreements in Alberta provide protection to individuals. Issues around the Patriot Act are just one type of risk that needs to be addressed in outsourcing agreements.”

One of the key recommendations in the report is that a public body have a template or checklist in place to confirm that an outsource provider has proper contractual and administrative mechanisms for the protection of information.

The report also recommends that Public Bodies should consider a provider’s physical location as a factor. “We should keep as much information as possible in Alberta. If there is no provider in Alberta the next logical step is to keep the information in Canada. If we keep personal information within our borders, it is easier to ensure it doesn’t fall into the wrong hands,” concluded the Commissioner.

Background Information – Outsourcing Report

Office of the Information and Privacy Commissioner

The Office of the Information and Privacy Commissioner has issued a report on Public Sector Outsourcing and the security risks involved in outsourcing. In this report, the Commissioner has developed recommendations to protect information held by outsource providers:

It is important that the Government make a strong and unequivocal assertion of the value it places on the privacy and security of the personal information of Albertans.  This does not need to extend to a complete ban on foreign disclosures.

1. Amend applicable legislation (i.e. Freedom of Information and Protection of Privacy Act) to clearly define responsibility for outsourcing personal information.  The onus for due diligence in outsourcing should be clearly placed on the outsourcing organization (i.e. the public body).

2. Amend section 40(1)(g) of the Freedom of Information and Protection of Privacy Act and section 35(1)(i) of the Health Information Act to make it clear that personal information can only be disclosed pursuant to an order of a Canadian court having jurisdiction.

3. Increase the penalties for breach of the FOIP Act and the HIA.

4. Ensure that the offence provisions of the FOIP Act and the HIA can be reasonably sustained, that is, the standard is not so high as to preclude a reasonable chance of conviction.  The current standard is “willful”.

5. Consider the advisability of making similar amendments to the Health Information Act.

Contractual

First, there should be a checklist or template of matters to be considered in making the decision to outsource. This could be done via a privacy impact assessment. Second, there should be a model outsourcing contract and a checklist of contractual provisions to be considered in outsourcing arrangements.

Such a contract or checklist should address at least the matters referred to in sections 2.3 and 4.1 and should include provisions dealing with:

6. A prohibition on assignment or subcontracting of the outsourcing contract without written consent.

7. A requirement for notification by the outsourcer in the event of notice of creditor’s remedies or Court applications for bankruptcy or protection from creditors.

8. A requirement of notice on any demand for access to or disclosure of personal information received by the outsourcer.

9. A requirement of notice of any loss of or unauthorized access to personal information by the outsourcer or its employees.

10. A right to audit, not only for compliance with the contract but also for compliance with any legislation stipulated to be applicable to the contract.

11. In addition to the right to audit, the outsourcer may be required to have in place a system which monitors or audits the outsourcer’s use and disclosure of the personal information. The outsourcing entity may require access to those logs on certain conditions.

12. Stipulate consequences for breach.  In addition to right of termination and damages, provision should be made for: return of personal information and any copies of it; assistance in recovering lost or otherwise disclosed personal information.

Policy/Operational

13. Retain, as a first principle, that personal information only be outsourced within Alberta first, Canada second, and anywhere else third, depending on the specific circumstances.  This policy may only be deviated from where the requirements of program delivery, such as cost, service, security, cannot reasonably be met within Alberta or Canada.  The outsourcing organization should bear responsibility for making this decision and for the consequences of having made it.  Whether to make such policy into law poses a dilemma, as discussed.  As stated, the decision to outsource is based on a large number of factors.  The decision to outsource outside of Canada requires reconsideration of these factors in light of the fact that the public body is that much more removed from the outsourcer:

  • Different laws;
  • Different customs (are laws pertaining to fraud, theft of information and so on regarded or enforced differently?);
  • Different workforces (are the outsourcer’s employees more transient, less reliable, more difficult to hold accountable, etc.?).

The gains realized from outsourcing have to be weighed against the risks presented by the nature (sensitivity, value) and the volume of the information outsourced.

14. Require preparation of a privacy impact assessment (which would include issues of security) for all outsourcing arrangements involving “significant” amounts of personal information.  We debated recommending that this be put into law.  Legislated provisions can be inflexible.  For example, it would not make sense to prepare a privacy impact assessment every time a single sample of genetic material is sent to another country for analysis.

15. Require outsourcing organizations to keep a master list (inventory) of outsourcing agreements.  This could be accomplished by requiring privacy impact assessments. This list should be accessible to the Chief Information Officer/Chief Privacy Officer for the public body.  The purpose of the list is to: know what personal information is outsourced where and to whom; enable timely action in the event that the outsourcer becomes insolvent; and enable agreements to be updated when they end to include state-of-the-art privacy and security provisions.

16. Someone in the public body must be specifically responsible for each outsourcing agreement.  This person should know the outsourcer and the contract.  There should be regular contact, check-ups, and queries. Scheduled or spot audits may be advisable.

17. With respect to foreign outsourcers, consider having a trusted agent in the jurisdiction to monitor social/legal developments respecting the outsourcer.