Privacy And Access Considerations When Contracting With Third Parties: The IPC Provides New Guidance To Public Sector Entities

The IPC has published a new guidance document specifically for public sector entities in Ontario that are subject to the Freedom of Information and Protection of Privacy Act (FIPPA) or the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), collectively "the Acts". The guidance sets out recommended best practices for institutions to address privacy and access obligations under the Acts when they enter into agreements with service providers.

Importantly, the guidance confirms at the outset that, "Regardless of who processes data on their behalf, Ontario's public institutions remain accountable for protecting privacy and providing a right of access to records and personal information under their control". With this premise in mind, the IPC provides a detailed checklist, divided into 5 parts, to provide institutions with the necessary support they need to negotiate and develop agreement terms that comply with Ontario's access and privacy laws.

Highlights or key takeaways from each of the 5 parts include:

• Procurement planning – It is important to properly scope the project or initiative by defining what types of records may be impacted and the requirements of potential service providers. It is also important to identify the privacy and security risks associated with the project, which should be done via a privacy impact assessment (PIA) and, where appropriate, a threat risk assessment (TRA).
• Tendering – When institutions engage a service provider, they should define appropriate access, privacy and security responsibilities and prohibitions in their tendering documents and eventual agreements. This includes setting out compliance requirements related to limiting the use and access of personal information to only the purposes in the agreement and specifying whether the service provider is permitted to use subcontractors. If the latter is permitted, they should be identified with a requirement that they meet the same or equivalent standards as the service provider.
• Vendor selection – It is the institution's responsibility to select a service provider that has the capacity to comply with the terms and conditions of the agreement. To accomplish this, the institution should ensure someone with sufficient knowledge of the access, privacy and security obligations is involved in the process and that all appropriate documentation is submitted by potential service providers before selection.
• Agreement - It is essential that an agreement is provided for notice, cooperation and standards on the part of the service provider, such that the institution will be able to meet all of its access and privacy protection obligations under FIPPA or MFIPPA. A detailed and useful checklist is provided under "Part 2: Tendering", for addressing access requests, collection, use, disclosure and retention of personal information, and safeguarding obligations, as well as obligations in the event of a privacy breach.

Under "Part 4", the guidance addresses specific provisions of an agreement that may be necessary and relevant for ensuring that all reasonable steps are taken to protect the privacy and security of personal information under the institutions control.

• Agreement management and termination – Once compete, institutions should keep in mind that agreements with third parties are generally covered by the access to information provisions of the Acts, subject to applicable exemptions. Service provider performance should be monitored for compliance and steps to enforce the terms of the agreement should be taken when necessary.

In addition to the above, it is important to note the general principles set out by the IPC that all institutions should keep in mind as they draft, develop and negotiate agreements with third party service providers, some of which include:

• The Acts do not prohibit outsourcing the processing of records or personal information, nor do they prohibit the storage of this information outside of Ontario or Canada;
• Institutions are expected to maintain effective control over records and personal information, even when in the custody of service providers;
• Service providers may not process personal information beyond what the institution is authorized to do. As such, use of personal information for secondary purposes, such as marketing requires the independent consent of users;
• Legal contracts are critical for ensuring that service providers comply with an institution's privacy and access obligations under the Acts and such obligations cannot be avoided by the institution by failing to make appropriate agreements; and
• Institutions must have sufficient oversight in place to ensure third party service providers comply with obligations set out under their agreements.

As public institutions increasingly rely on third party service providers to help carry out their legal mandates, and as public awareness and concern for transparency and privacy protection also continues to grow, the new guidance from the IPC is sure to be a valuable resource. The privacy law team at Lerners LLP has the expertise to assist both public institutions and private entities contracting with them in understanding applicable legal obligations and implementing best practices.