Compliance agreement between the Privacy Commissioner of Canada and the World Anti-Doping Agency

WHEREAS the Privacy Commissioner of Canada (“the Commissioner”) is responsible for the administration and enforcement of Part 1 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (the “Act”), which governs the collection, use or disclosure of personal information by the World Anti-Doping Agency (WADA) in the course of its interprovincial or international activities;

AND WHEREAS WADA is a Swiss private law foundation headquartered in Montreal, Quebec with responsibility for overseeing and monitoring compliance with the World Anti-Doping Code;

AND WHEREAS WADA, as part of its mandate, oversees the Anti-Doping Administration and Management System (ADAMS), which operates as a clearing house for anti-doping information and which contains sensitive personal information of athletes;

AND WHEREAS on September 13, 2016, the Office of the Privacy Commissioner became aware that ADAMS had suffered a breach, resulting in the personal information of certain athletes being exfiltrated and published online;

AND WHEREAS on December 9, 2016, the Commissioner initiated a complaint against WADA regarding the matter pursuant to s. 11(2) of the Act, having reasonable grounds to believe that the matter warranted investigation;

AND WHEREAS the Commissioner, based on his investigation, found that WADA contravened Part 1 of PIPEDA by failing to adopt security safeguards appropriate to the sensitivity of the information contained in ADAMS and by failing to have sufficient policies, procedures and training in place for staff, contractors and stakeholders with regard to security management;

AND WHEREAS the Commissioner reported his findings to WADA (the “Report of Findings”) and made several recommendations to WADA to ensure WADA’s compliance with the Act;

AND WHEREAS WADA has reviewed the Commissioner’s Report of Findings and agrees to fully implement the Commissioner’s recommendations in order to bring itself into compliance with the Act;

AND WHEREAS the Parties agree that while entering into this Agreement is voluntary, once entered into, it binds the parties to the obligations herein and failure to comply can trigger the application of s. 17.2 of the Act;

NOW THEREFORE, pursuant to ss. 17.1 and 17.2 of the Act, the Commissioner and WADA hereby agree as follows:

I. Interpretation

  1. For the purpose of this Agreement, the following definitions shall apply:
    1. “Act” means the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5;
    2. “ADAMS” means the Anti-Doping Administration and Management System managed by WADA;
    3. “Agreement” means this Compliance Agreement entered into by WADA and the Commissioner pursuant to s. 17.1 of the Act;
    4. “Commissioner” means the Privacy Commissioner of Canada appointed pursuant to s. 53(1) of the Privacy Act, R.S.C. 1985, c. P-21 and his authorized representatives;
    5. “Parties” means the Commissioner and WADA;
    6. “Report of Findings” means the report issued by the Commissioner to WADA pursuant to s. 13 of the Act in respect of the complaint initiated by the Commissioner on December 9, 2016; and
    7. “WADA” means the World Anti-Doping Agency.

II. Remedial measures

  1. In order to address the Commissioner’s recommendations contained in the Report of Findings, WADA shall:
    1. Develop a comprehensive Information Security framework which incorporates written policies and procedures to ensure that possible risks have been addressed. At a minimum this will include:
      1. the identification, analysis and documentation of internal and external risks that can impact personal information across all systems (including mobile) and processes that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and the assessment of the sufficiency of any safeguards in place to control these risks within 6 months of the date of the Report of Findings;
      2. the design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing within 9 months of the date of the Report of Findings;
      3. the evaluation and adjustment of the information security program in light of the results of the testing and monitoring noted above within 12 months of the date of the Report of Findings;
      4. the development of a training program to be provided to employees, contractors and stakeholders about information security management policies and procedures noted above within 12 months of the date of the Report of Findings.
      5. The Parties acknowledge that WADA has engaged third-party service providers with respect to the foregoing recommendations. In the event that the recommendations and safeguards proposed by the third-party service providers cannot be implemented within the timeframes indicated above, WADA may request, without delay, an extension to the timeframe(s). Upon considering WADA’s request, the Commissioner may grant an extension if he is satisfied that one is warranted in the circumstances.
    2. Implement the following safeguards related to access controls:
      1. Implement mandatory password changes for new accounts and expiry periods for temporary passwords no later than March 31, 2018. WADA acknowledges and confirms that no new independent observer ADAMS accounts will be created prior to this change being implemented. WADA will also send a notification to Anti-Doping Organizations reminding them that they must require a mandatory password change when creating new ADAMS accounts, no later than February 8, 2018;
      2. Implement mandatory two-factor authentication, in a form acceptable to the Commissioner, for all users, other than athletes, within 6 months of the date of the Report of Findings;
      3. Provide the option for all athletes to use two-factor authentication, in a form acceptable to the Commissioner, within 6 months of the date of the Report of Findings, and actively and continuously recommend that they use it, including by providing them clear information as to how and why they should avail themselves of this method of authentication. WADA will also provide a notification to athletes reminding them to be vigilant regarding the security of their ADAMS account no later than February 8, 2018;
      4. Update its contractual arrangements to allow WADA to audit and/or inspect organizations with access to ADAMS to ensure compliance with security and privacy policies within 12 months of the date of the Report of Findings being issued;
      5. Assume sole control of administrator accounts provided to third parties by removing the latter’s ability to create further administrator accounts within 3 months of the date of the Report of Findings;
      6. Provide notifications to users when key actions are taken, or atypical activity detected, on their accounts within 9 months of the date of the Report of Findings.
    3. Employ encryption at rest for ADAMS data in WADA’s custody within 6 months of the date of the Report of Findings.
    4. Ensure that application security and intrusion detection is properly configured and that systems and logs are adequately and actively monitored within 6 months of the date of the Report of Findings.
    5. Provide the OPC with a report from a qualified and independent third party documenting the measures it has taken to come into compliance with the above recommendations within 15 months of the date of the Report of Findings.

III. Compliance reporting, monitoring and enforcement

  1. The Commissioner may, at his discretion and from time to time, request information and documents from WADA for the purpose of verifying its compliance with this Agreement.
  2. The Commissioner may also visit WADA’s principal place of business for the purpose of verifying compliance with this Agreement at any time, subject to providing 10 days’ notice to WADA.
  3. WADA acknowledges that if the Commissioner is of the opinion that WADA is not complying with the terms of this Agreement, the Commissioner may, after providing written notice to that effect to WADA, apply to the Federal Court for an order requiring WADA to comply with the Agreement or such other relief as may be available in law, in accordance with s. 17.2(2) of the Act.

IV. General

  1. WADA will pay the costs of its compliance with this Agreement.
  2. Notices, reports and other communications required or permitted pursuant to any of the terms of this Agreement shall be in writing and shall be considered to be given if delivered, either by hard copy or electronic copy, to the following addresses:
    1. The Commissioner

      Office of the Privacy Commissioner of Canada
      30 Victoria Street – 1st Floor
      Gatineau, Quebec K1A 1H3
    2. WADA

      World Anti-Doping Agency
      800 rue du Square-Victoria
      Suite 1700
      Montreal, QC H4Z 1B7
  3. Nothing in this Agreement shall prevent or otherwise limit the Commissioner from exercising or performing any of his powers and duties under the Act, including his duty to investigate complaints under s. 12(1), his power to initiate a complaint under s. 11(2), or his power to audit personal information management practices under s. 18(1) of the Act.
  4. Nothing in this Agreement derogates from the rights and remedies available under Part 1 of the Act to any other person arising from the conduct described in this Agreement and in the Report of Findings or arising from future conduct.
  5. WADA acknowledges that it has had the opportunity to be represented by counsel and to obtain legal advice with respect to this Agreement.
  6. This Agreement comes into effect when it has been signed by both Parties.

DATED at Montreal, in the Province of Quebec, this day of 2018.

WADA
Per: Olivier Niggli
Director General, WADA
I have authority to bind WADA.

DATED at Gatineau, in the Province of Quebec, this day of 2018.

Privacy Commissioner of Canada
Per: Daniel Therrien
Privacy Commissioner of Canada