Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023.

• Consulting services³⁶⁶

Subsection 24.2(4)

Information management service provider

24.2(4) An information management service provider shall comply with the terms and conditions of the agreement entered into pursuant to subsection (2).

Subsection 24.2(4) of FOIP provides that an information management service provider shall comply with the terms of the agreement entered into with the government institution pursuant to subsection 24.2(2) of FOIP.

It is best practice to monitor the effectiveness of any agreement. This is done through audit trails, self-assessments, audits, verification systems, certificates of assurance and measurement techniques related to the government institution’s obligations in the agreement.³⁶⁷

Recognizing that it is not enough to rely on contractors to self-report their breaches, a government institution that has entered into an outsourcing contract should create and implement a program of regular, thorough compliance audits. Such audits should be performed by a third party auditor, selected by the government institution, that has the necessary expertise to perform the audit and recommend any necessary changes and mitigation measures. Consideration should be given to providing that the contractor must pay for any audit that uncovers material noncompliance with the contract.³⁶⁸

366 The Freedom of Information and Protection of Privacy Act, SS 1990-91, c F-22.01 at section 24.2(1). See also Government of Alberta, Health Information Act, Guidelines and Practices Manual, March 2011 at p. 164. Available at https://open.alberta.ca/dataset/50877846-0fba-4dbb-a99feeb651533bc4/resource/3e16d527-2618-48ae-80b8-93f69973878e/download/hia-guidelinespractices-manual.pdf. Accessed June 23, 2020.

367 SK OIPC resource, Best Practices for Information Sharing Agreements at p. 4. Originates from the Institute for Citizen-Centered Service resource, Guidelines for Best Practice.

368 SK OIPC Investigation Report F-2013-001 at [107]. Originates from BC IPC Privacy and the USA Patriot Act: Implications for British Columbia Public Sector Outsourcing, October 2004, at p. 20.
