Departments accountable for information collected under contract
Despite past reminders, some departments still neglect to ensure that personal information collected under the contracts they negotiate with outside contractors is managed in accordance with the fair information principles of the Privacy Act.
Those principles require Government institutions that are subject to the Act to include provisions in contracts that:
- Define ownership of the information - that is, all information collected as part of the contract belongs to the contracting department or agency and should be turned over to it at contract end;
- Recognize individuals' rights of access to their personal information collected during the contract;
- Restrict further uses of the personal data;
- Protect the information against unauthorized disclosure;
- Establish retention and disposal criteria; and
- Ensure the department's ability to audit compliance of the contractor's management of the information collected.
In one case investigated this past year, an employee of Human Resources Development Canada (HRDC) complained that she did not receive all of her personal information gathered by an independent contractor hired by the department to conduct a workplace assessment. The employee was particularly interested in obtaining access to any mention of her by other staff in the contractor's interview notes and questionnaires.
When interviewed, the contractor admitted to destroying all the information except the report she produced for HRDC. She did this in part because she had promised confidentiality to the individuals she interviewed, indicating that their statements would not be released, and the contract signed with HRDC did not specify otherwise.
Although HRDC's policies and procedures on contracting out to third parties specify that all the provisions of the Privacy Act are to be respected, the contractor in this case was not aware of HRDC's obligations under the Act to retain the information or grant individuals access to their own information. Contractors (as well as employees conducting similar administrative investigations) must be informed that they cannot promise confidentiality and, prior to taking statements about an individual, they must inform witnesses that their statements constitute the other individual's personal information for which rights of access are provided by the Privacy Act. The witness then has a choice as to whether or not to provide a statement that would include information about another individual.
I concluded that the complaint was well-founded and HRDC was accountable for the work done under the contract. The contractor's failure to retain the information in essence resulted in the complainant being denied an opportunity to obtain access to her own information.
In a case against the Department of National Defence, a military officer sought my assistance in getting access to his medical records, including the notes of an independent medical specialist the department hired to provide an opinion based on his review of the complainant's medical file. When the officer submitted his access request, the department released the medical records in its file, but did not release the specialist's notes from the independent review.
When I investigated the matter, I learned that no effort had been made to get the information from the specialist. I interviewed the specialist and reviewed his notes, which clearly contained personal information about the complainant. The specialist claimed that he had not been told that the information he gathered as part of his review belonged to the department and that he should also supply a copy of all the information from his file to the department for inclusion in its records. Nevertheless, the specialist willingly provided a copy to the department so that it could in turn release it to the complainant. The complainant was pleased to receive the information and did not request that we pursue the matter further.
These two cases serve to remind federal departments and agencies that any contracts they enter into that require the collection of personal information must also include appropriate clauses to satisfy the provisions of the Privacy Act. Individuals should be able to access their own information whenever it is requested.