Friday, September 21, 2012

Ontario Information Privacy Commissioner blesses cross-border outsourcing of province's hunting and fishing license system

This decision from the Information and Privacy Commissioner of Ontario snuck under my radar this summer while I was on vacation.

This investigation is the result of a complaint brought by a Member of the Provincial Parliament about the Ontario Government's decision to outsource the processing and management of fishing and hunting licenses to a US-based business. The Commissioner did a thorough investigation and I am told they were pleasantly surprised by what they found. With regard to the USA Patriot Act, the Commissioner wrote:

The PATRIOT Act


The complainant has expressed concerns that the personal information of Ontarians will be subject to and accessible under American laws, including the PATRIOT Act. It is important to remember that, in Ontario, there is no legislative prohibition against the storing of personal information outside of the province or Canada. In other words, Ontario law, including the Act, does not speak to this issue. However, the Act and its regulations do require provincial institutions to ensure that reasonable measures are in place to protect the privacy and security of their records containing personal information. This applies regardless of where the records are located. Further, Ontario provincial institutions remain accountable for the actions of their agents or service providers, whether located in Ontario or in other jurisdictions.


I understand the complainant’s concern that the PATRIOT Act may be used by U.S. law enforcement agencies to access Ontarians’ personal information. However, the risk that law enforcement agencies may access personal information is not restricted to information held in the U.S. In fact, Canadian law enforcement agencies have similarly robust legal powers to obtain personal information held in Canada, and similar powers exist throughout most countries in the world. Further, law enforcement agencies in Canada, the U.S. and other countries have the ability to reach across borders to access personal information under various laws and agreements.


In this regard, the federal Privacy Commissioner of Canada has found that the privacy risks posed by the PATRIOT Act are similar to those found in Canada and, therefore, the privacy protection afforded by a U.S. service provider is comparable to that of a Canadian-based provider. In particular, the federal Privacy Commissioner has stated:


The risk of personal information being disclosed to government authorities is not a risk unique to U.S. organizations. In the national security and anti-terrorism context, Canadian organizations are subject to similar types of orders to disclose personal information held in Canada to Canadian authorities.

The federal Privacy Commissioner has also found that prior to the passing of the PATRIOT Act, U.S. authorities were able to access records held by U.S.-based firms relating to foreign intelligence gathering in a number of ways, including through formal bilateral agreements.


Canadian legal scholars and practitioners have also carefully examined and commented on the privacy implications of the PATRIOT Act. Professor Michael Geist, Canada Research Chair in Internet and E-commerce Law, has written:


Claims that the enactment of the USA Patriot Act has dramatically altered the legal landscape are simply false. The U.S. law enforcement toolkit, which allows for the compelled, secret disclosure of personal information, pre-dates the USA Patriot Act by decades. Suggestions that the problem can be solved by keeping personal information from flowing outside the country are not realistic from a real-world, commercial perspective, where data is transferred and stored instantly on computer servers in other jurisdictions without regard for location.

David T.S. Fraser, a prominent Canadian privacy lawyer, has also been very clear in writing:


Most people are surprised to learn that some of the most “problematic” provisions of the USA Patriot Act are replicated in Canadian law in the Anti-Terrorism Act. We just don’t hear about it as much. People are also surprised to learn of the huge amount of information sharing that takes place between agencies in Canada and their counterparts in the US.

The Act does not prohibit provincial institutions from outsourcing services on the basis that foreign law, including the PATRIOT Act, may apply. Similarly, there is no prohibition on the storage of personal information by government institutions outside the province. In fact, as noted by Professor Geist, outsourcing of technology services is a reality, whether by government agencies or private sector companies. Personal information may be subject to disclosure to law enforcement authorities, whether stored in the province or elsewhere. The critical question for institutions which have outsourced their operations across provincial or international borders is whether they have taken reasonable steps to protect the privacy and security of the records in their custody and control. I have always taken the position that you can outsource services, but you cannot outsource accountability. With this in mind, I now turn to consider what measures the Ministry has put into place in the circumstances of this complaint.



The decision is worth reading in its entirety: IPC - Office of the Information and Privacy Commissioner/Ontario | Reviewing the Licensing Automation System of the Ministry of Natural Resources: A Special Investigation Report [PC12-39].