Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 183 Increasingly, government institutions outsource processes to third parties. In many cases, this involves the transfer of personal information. A contractor works “on behalf of” the government institution like what would be done by an employee of the government institution. Therefore, since the contractor is working on behalf of the government institution, the transfer of records to the contractor is a “use,” not a “disclosure.” Through a contract, the contractor uses the information to fulfill the government institution’s purpose for collecting the personal information in the first place.540 Government institutions are responsible for the actions of its contractors and agents when it comes to the protection of personal information it shares with its contractors and agents. Therefore, a strong written contract or agreement should be in place that spells out the privacy obligations the contractor or agent must abide by (which are the same obligations on the government institution). Subcontracting by Outsourcers Subcontracting by outsourcers is a concern that government institutions should take into consideration. A government institution having a contract with an outsource partner has a direct, legal relationship with that partner. It is aware of the contractual rights and remedies and can exercise them directly vis-à-vis its contracted partner. Furthermore, a government institution can choose who to contract with, exercising whatever due diligence it deems necessary in making the selection. This is not necessarily the case with sub-contracted outsourcers. The principle contracted outsourcer may choose its subcontractors based on entirely different criteria than would the government institution. A breach of the subcontract may only be actionable by the contractor; the government institution may have no ability to deal with the subcontractor except through the principal contractor.541 540 SK OIPC Investigation Report F-2013-001 at [76] to [78]. 541 SK OIPC Investigation Report F-2013-001 at [114]. Originates from AB IPC resource, Public-sector Outsourcing and Risks to Privacy, February 2006 at p. 28.