Securing business information

An in-depth look at Canada’s response to the privacy threat posed by the USA Patriot Act

In the spring of 2004, the British Columbia government announced it would consider outsourcing some data processing functions, including personal information held by the government. Various parties, including B.C. public-sector unions, objected to such outsourcing.

One of the grounds raised was that, as a result of the USA Patriot Act, the personal information of Canadians could be accessed by law enforcement agencies in the United States and contractors who possess sensitive personal information could be secretly required under the USA Patriot Act to disclose to the U.S. government any information deemed necessary by U.S. authorities.

As a result of the concerns raised, in late 2004 the B.C. government passed legislation preventing anyone obtaining personal information from the B.C. government or its agencies from storing that information outside of Canada or allowing access to anyone outside of Canada. In addition, B.C.’s information and privacy commissioner issued a report calling for Canada-wide examination of the issue. Alberta’s information and privacy commissioner is now examining this issue and the federal government has announced it is going to review its contracts with outside service providers to ensure the privacy of Canadians’ personal information is protected.

The issue is relevant to any Canadian government that uses service providers with U.S. connections and to any company hoping to provide to federal or provincial governments or their agencies, directly or indirectly, services involving personal information processing. Companies that provide such services to the federal and provincial governments will increasingly have to consider where they store personal information and how it gets accessed as governments seek to protect the privacy of Canadians.

B.C. court’s decision illustrates how secure information holdings can be key business assets

Maintaining a high level of public trust in how sensitive information is handled has always been a well regarded business practice.

Now, in the face of mounting concerns over privacy and legislation such as the USA Patriot Act, information security is becoming a major concern for firms who outsource data processing to the United States or to Canadian subsidiaries of American companies.

This was made clear in a March 23, 2005, decision of the British Columbia Supreme Court in a suit by the British Columbia Government and Service Employees’ Union (BCGEU) aimed at preventing the outsourcing by the B.C. government to a U.S.-linked service provider of the administration of the public health insurance program.

Enacted in October of 2001, the USA Patriot Act significantly expanded the power of U.S. authorities to obtain personal information records located in the U.S. or located elsewhere but under the “control” of an American entity.

Of particular concern are the provisions that prohibit entities from which information is sought from revealing the existence of an order requiring disclosure under the act.

With these and several other critical provisions set to expire on Dec. 31, 2005, U.S. President George W. Bush is pushing to have the act renewed. Meanwhile, the act has raised concerns in Canada where many have questioned the extraterritorial reach of orders requiring the disclosure by U.S. parent corporations of personal information records held by Canadian subsidiaries.

Patriot Act reaches into Canada

A report by David Loukadelis, B.C.’s information and privacy commissioner, found a general consensus that U.S. authorities could, in specific circumstances, use powers enacted by the act to make orders for access to personal information located inside Canada if this information was held by a U.S.-linked contractor.

This extraterritorial reach of the act is problematic in light of Canadian provincial and federal legislation. Laws such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), British Columbia’s Freedom of Information and Protection of Privacy Act (FOIPPA) and equivalent legislation in Quebec and Alberta effectively prevent outsourcing data processing to foreign-controlled corporations unless appropriate safeguards are put in place to protect the information from disclosure to a foreign government.

Specifically, PIPEDA provides that organizations transferring personal information to a less secure jurisdiction must use “contractual or other means” to ensure a company located abroad provides a level of protection to the personal information that is comparable to what it would receive in Canada. Because Canada’s biggest trading partner, the U.S., does not afford equivalent protection, specific safeguards are required when outsourcing data to American companies and their Canadian subsidiaries.

The BCGEU decision offers some guidance for public entities that wish to outsource data processing to American companies as well as for American businesses who wish to bid for these Canadian contracts. While the BCGEU’s petition was dismissed on grounds that are not relevant to the matter under discussion, the court concluded that a corporation controlled from a jurisdiction subject to the USA Patriot Act had to provide “more than reasonable security” for sensitive data concerning Canadian citizens and that this could be accomplished if the appropriate safeguards were put in place.

A breach of the charter?

One of the issues raised in this case was whether the contractual disclosure of information required to process payment of accounts of health-care professionals to the Canadian affiliate of an American service provider constituted a breach of s. 7 or s. 8 of the Canadian Charter of Rights and Freedoms, which guarantee rights that are associated with privacy. Justice Frederick Melvin noted that what is protected are “reasonable expectations of privacy.”

In this case the contractual provisions, the specific corporate structure of the service provider and the provisions of the amended FOIPPA (which were implemented between the filing of the suit and the release of the court’s decision) provided “more than reasonable security” with respect to records held in British Columbia.

In particular, under the outsourcing contract, the shares of the B.C.-incorporated service provider were to be held in trust by a trust company operating in B.C. In the event of an actual or prospective breach by the service provider, the trust company was to deliver the shares to the B.C. government, which would assume ownership.

Other important safeguards noted by Justice Melvin included a $35 million penalty in case of a breach of confidentiality by the service provider, whistleblowing requirements and protection, training of employees in respect of their confidentiality duties, restrictions on the use of electronic devices by employees and ownership of all information by the B.C. government.

Because some of these precautions are impractical for many companies, the decision raises the question of whether less wide-ranging precautions would have been sufficient.

Incorporating rigorous privacy provisions

Less cumbersome security provisions could be modeled after the B.C. government’s contract to outsource revenue management to EDS Advanced Solutions, a subsidiary of EDS Canada, in turn a wholly-owned subsidiary of U.S.-based EDS Corporation.

In drafting this $572 million agreement the B.C. government sought independent advice to ensure the contract incorporated rigorous privacy, confidentiality and contractual security provisions.

This included provisions by which the province retained control and ownership of personal information, where all directors of the service provider had to be Canadian citizens and where the province had “step-in rights under a power of attorney which could be exercised in the event of an anticipated privacy breach.”

The B.C. government claims these provisions complement and exceed the current privacy regulations, although this question may ultimately fall to the court to be decided.

Avoiding a NASA incident

Another means of protecting data was used in Lockheed Martin Canada’s $43 million dollar agreement with Statistics Canada to supply technology for the 2006 census.

The U.S.-held company’s involvement with Statistics Canada raised concern in light of the fact five million records from the 1990 U.S. census were used by NASA in a study to test terrorist screening. This was done without the consent of U.S. citizens and despite assurances from the U.S. Census Bureau that the data would not be disclosed.

Unlike the B.C. government’s contractual safeguards, Statistics Canada chose to protect its data by creating a firewall between the data and the service provider. All locations where the data is handled will be Statistics Canada sites, manned by Statistics Canada employees who have signed confidentiality agreements and no information will be handed over to the service provider.

One Canadian information technology firm said businesses could use high-tech firewalls to comply with Canadian privacy laws even when the data is transferred for processing to the U.S. Encryption schemes where the keys are solely in possession of Canadian end users, combined with other precautions, could make service providers incapable of accessing and disclosing the information in their possession.

This would allow American service providers to maintain the servers, the technology associated with the data processing and to actually carry out the processing without having access to the data in their care. However, if such systems become widespread and render the USA Patriot Act and other national security legislation ineffective, the U.S. government could decide to impose mandatory backdoors for law enforcement officials to bypass the safeguards.

It is clear service providers will continue to seek increasingly sophisticated strategies to compensate for differences in national privacy standards.

With the North American Free Trade Agreement having granted “national treatment” to American companies who bid on Canadian contracts, and with businesses outsourcing more data processing in an effort to reduce overhead, privacy and data security could become significant issues in cross-border transactions.

In this business climate, corporations in Canada and abroad who develop efficient methods of securing their information holdings may find themselves with a valuable asset for competing in new markets.

For more information see:

B.C.G.E.U. v. British Columbia (Minister of Health Services), 2005 CarswellBC 672, 2005 BCSC 446 (B.C. S.C.)

A mouthful of an acronym

The USA Patriot Act is actually an acronym for the legislation. It stands for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.”

The bill was introduced on Oct. 2, 2001, in the wake of, and as a response to, the Sept. 11 terrorist attacks. It was quickly passed and signed into law by President George W. Bush on Oct. 26, 2001.

Christine A. Carron is a partner with Ogilvy Renault LLP specializing in privacy matters. She can be reached at (514) 847-4404 or [email protected]. Jakub Malczewski holds a degree in engineering and currently works as a student-at-law at Ogilvy Renault LLP in Montreal. He can be reached at (514) 847-4679 or [email protected].

To read the full story, login below.

Not a subscriber?

Start your subscription today!