Report from B.C.'s information and privacy commissioner
A “reasonable possibility” exists that authorities in the United States gain access to Canadian personal information with the use of the USA Patriot Act, said British Columbia privacy commissioner David Loukidelis.
Rigorous measures should be put in place to “mitigate against illegal and surreptitious access” to personal data, he said, following a review of some 500 submissions on the question of potential privacy breaches when the processing of personal data is outsourced to U.S.-linked firms.
Noting that the USA Patriot Act, enacted shortly after the Sept. 11, 2001, terrorist attacks, has been used “in ordinary criminal investigations and have expedited surveillance in a myriad of circumstances,” the privacy commissioner said that once personal information crosses borders, “regulating its use is at its best difficult and at its worst impossible.”
He recommended that the B.C. government pass a law making it an offence for a public body or a service provider to send information outside of Canada either for processing or storage, or in response to a foreign court order, subpoena or warrant. The offence should carry a penalty of $1 million in fines or a prison term or both.
Further, the province should adopt a “litigation policy under which it will initiate or participate in legal proceedings abroad, including the U.S., to resist demands for personal information of British Columbians made by a U.S. or other foreign court or agency.” Both the B.C. and the federal governments should seek assurances from U.S. officials that they will not attempt to use the Patriot Act to access personal information of British Columbians located in B.C., he added.
Loukidelis undertook the study this spring after the B.C. Government and Service Employees’ Union launched a lawsuit challenging the contracting out of health information processing to a firm headquartered in the United States. The union claimed that by putting data in the hands of a U.S.-headquartered firm, the government would render the data vulnerable to court-ordered secret searches by U.S. authorities under Section 215 of the USA Patriot Act.
This risk extends to records held in Canada but in the hands of U.S.-located organizations. “U.S. courts have, in fact, been willing over the years to order disclosure, for the purpose of U.S. proceedings, of records held outside the U.S., as long as a person or corporation subject to the U.S. court’s jurisdiction has legal or practical ability to access those records,” stated Loukidelis.
He issued the 16 recommendations below:
Amendments to FOIPPA
Recommendation 1
The government of British Columbia should amend the Freedom of Information and Protection of Privacy Act (FOIPPA) to:
(a) pending nation-to-nation agreement, as contemplated by Recommendation 16, prohibit personal information in the custody or under the control of a public body from being temporarily or permanently sent outside Canada for management, storage or safekeeping and from being accessed outside Canada;
(b) expressly provide that a public body may only disclose personal information in response to a subpoena, warrant, order, demand or request by a court or other authority if it is a Canadian court, or other Canadian authority, that has jurisdiction to compel the disclosure;
(c) impose direct responsibility on a contractor to a public body to ensure that personal information provided to the contractor by the public body, or collected or generated by the contractor on behalf of the public body, is used and disclosed only in accordance with FOIPPA;
(d) require a contractor to a public body to notify the public body of any subpoena, warrant, order, demand or request made by a foreign court or other foreign authority for the disclosure of personal information to which FOIPPA applies;
(e) require a contractor to a public body to notify the public body of any unauthorized disclosure of personal information under FOIPPA;
(f) ensure that the Information and Privacy Commissioner has the powers necessary to fully and effectively investigate contractors’ compliance with FOIPPA and to require compliance with FOIPPA by contractors to public bodies, including powers to enter contractor premises, obtain and copy records, and order compliance; and
(g) make it an offence under FOIPPA for a public body or a contractor to a public body to use or disclose personal information, or send it outside Canada, in contravention of FOIPPA, punishable by a fine of up to $1 million or a significant term of imprisonment, or both.
Provincial litigation policy
Recommendation 2
The government of British Columbia should create a published litigation policy under which it would, as necessary, participate in or commence legal proceedings in Canada or abroad to resist a subpoena, warrant, order, demand or request made by a foreign court or other foreign authority for disclosure of personal information in British Columbia that is in the custody or under the control of a public body.
Further protection of personal information in BC from FISA orders
Recommendation 3
The government of British Columbia, in conjunction with the government of Canada as appropriate and necessary, should seek assurances from relevant U.S. government authorities that they will not seek a FISA order or issue a national security letter for access to personal information records in British Columbia.
Outsourcing contract privacy protection measures
Recommendation 4
All public bodies should ensure that they commit, for the duration of all relevant contracts, the financial and other resources necessary to actively and diligently monitor contract performance, punish any breaches, and detect and defend against actual or potential disclosure of personal information to a foreign court or other foreign authority.
Recommendation 5
Recognizing that it is not enough to rely on contractors to self-report their breaches, a public body that has entered into an outsourcing contract should create and implement a program of regular, thorough compliance audits. Such audits should be performed by a third party auditor, selected by the public body, that has the necessary expertise to perform the audit and recommend any necessary changes and mitigation measures. Consideration should be given to providing that the contractor must pay for any audit that uncovers material noncompliance with the contract.
Recommendation 6
Treasury Board should direct all ministries, agencies and organizations covered by the Budget Transparency and Accountability Act to include the activities in Recommendations 4 and 5 in their annual service plans and to ensure that service plans include all financial resources necessary to perform these functions. The government of British Columbia should consider also requiring all public bodies to plan and budget for such financial resources.
Federal protection of personal information from foreign orders
Recommendation 7
The government of Canada should consider whether federal legislation adequately protects the personal information of Canadians that is in the custody or under the control of the government of Canada or its agencies (directly or through contractors) from disclosure in response to a subpoena, warrant, order, demand or request made by a foreign court or other foreign authority. This should include a thorough review of the federal Privacy Act, as earlier urged by the Privacy Commissioner of Canada, with particular attention to the fact that the federal statute contains no equivalent to the reasonable security requirement in section 30 of FOIPPA.
Recommendation 8
The government of Canada should review British Columbia’s Freedom of Information and Protection of Privacy Amendment Act, 2004 (Bill 73) and consider enacting provisions to protect personal information in Canada from disclosure in response to a subpoena, warrant, order, demand or request made by a foreign court or other foreign authority.
Audits of information sharing agreements and data mining activities
Recommendation 9
The government of British Columbia should:
(a) undertake a comprehensive and independent audit of interprovincial, national and transnational information sharing agreements affecting all public bodies in British Columbia;
(b) use the audit to identify and describe operational and planned information sharing activities, including in each case: the kinds of personal information involved, the purposes for which it is shared, the authority for sharing it, the public bodies or private sector organizations involved, and the conditions in place to control the use and security of the information shared;
(c) publicly release the audit report (including timely posting on a readily accessible government of British Columbia website);
(d) act on deficiencies or other problems indicated by the audit;
(e) conduct and publish periodic follow-up audits and reports to ensure ongoing transparency and accountability in this area; and
(f) require information sharing agreements entered into by all public bodies to be generally available to the public (including timely consolidated posting on a readily accessible government of British Columbia website).
Recommendation 10
The government of British Columbia should:
(a) undertake a comprehensive and independent audit of data mining efforts by all public bodies;
(b) use the audit to identify and describe operational and planned data mining activities, including in each case: the kinds of personal information involved, the purposes of the data mining, and the authority and conditions for doing so;
(c) ensure that the audit report also proposes an effective legislated mechanism to regulate data mining activities by public bodies and effective guidelines for the application of fair information practices to data mining by public bodies; and
(d) publicly release the audit report (including timely posting on a readily accessible government of British Columbia website).
Recommendation 11
The government of Canada should implement Recommendations 9 and 10 at the federal level.
Section 69 of FOIPPA
Recommendation 12
The government of British Columbia should:
(a) ensure that, within 60 days after the date of release of this report, all ministries are fully compliant with the reporting requirements of section 69 of FOIPPA;
(b) make the section 69 reporting requirements regarding information sharing agreements applicable to all public bodies (this can be done under section 69(7) by the minister responsible for FOIPPA); and
(c) in conjunction with Recommendations 9 and 10, review the utility of section 69 in its present form, noting our view that section 69 needs to be amended to require more complete, transparent, ongoing and effective reporting about the information sharing agreements and data mining activities of all public bodies.
Private sector issues
Recommendation 13
The government of British Columbia and the government of Canada should consider and address the implications of the USA Patriot Act for the security of personal information that is entrusted to private sector custody or control in British Columbia or elsewhere in Canada.
Trends in personal information collection and access for state purposes
Recommendation 14
The Parliamentary review of the Anti-terrorism Act provides an important opportunity for the government of Canada to renew its commitment to ensure that human rights and freedoms are not unnecessarily infringed by national security and law enforcement measures. As part of this renewed commitment, we recommend that the public be permitted to participate in the review in a meaningful way.
International trade and investment agreements
Recommendation 15
The government of Canada should, in consultation with the provincial and territorial governments, negotiate with foreign trade partners (including members of the World Trade Organization) to ensure that trade agreements and other treaties do not impair the ability of Canadian provinces, territories and the federal government to maintain and enhance personal information protections in accordance with Canadian values.
Other international agreements
Recommendation 16
In moving towards a North American trade, energy, immigration and security zone, the government of Canada should, in consultation with the provincial and territorial governments, advocate to the U.S. and Mexico for comprehensive transnational data protection standards and for multilateral agreements respecting continental control and oversight of transnational information sharing for government purposes, including national security and public safety purposes.