Guide to LA FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to LA FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023.

• Consulting services³⁵⁶

Subsection 23.2(4)

Information management service provider

23.2(4) An information management service provider shall comply with the terms and conditions of the agreement entered into pursuant to subsection (2).

Subsection 23.2(4) of LA FOIP provides that an information management service provider shall comply with the terms of the agreement entered into with the local authority pursuant to subsection 23.2(2) of LA FOIP.

It is best practice to monitor the effectiveness of any agreement. This is done through audit trails, self-assessments, audits, verification systems, certificates of assurance and measurement techniques related to the local authority’s obligations in the agreement.³⁵⁷

Recognizing that it is not enough to rely on contractors to self-report their breaches, a local authority that has entered into an outsourcing contract should create and implement a program of regular, thorough compliance audits. Such audits should be performed by a third party auditor, selected by the local authority, that has the necessary expertise to perform the audit and recommend any necessary changes and mitigation measures. Consideration should be given to providing that the contractor must pay for any audit that uncovers material noncompliance with the contract.³⁵⁸

356 The Local Authority Freedom of Information and Protection of Privacy Act, SS 1990-91, c L-27.1 at section 23.2(1). See also Government of Alberta, Health Information Act, Guidelines and Practices Manual, March 2011 at p. 164. Available at https://open.alberta.ca/dataset/50877846-0fba-4dbb-a99feeb651533bc4/resource/3e16d527-2618-48ae-80b8-93f69973878e/download/hia-guidelinespractices-manual.pdf. Accessed June 23, 2020.

357 SK OIPC resource, Best Practices for Information Sharing Agreements at p. 4. Originates from the Institute for Citizen-Centered Service resource, Guidelines for Best Practice.

358 SK OIPC Investigation Report F-2013-001 at [107]. Originates from BC IPC Privacy and the USA Patriot Act: Implications for British Columbia Public Sector Outsourcing, October 2004, at p. 20.
