On June 27th, the Information and Privacy Commissioner/Ontario issued a significant report on the Ministry of Natural Resources’ use of an American company to maintain the primary database for its hunting and fishing licensing system.
The Commissioner has made public statements downplaying the significance of the USA PATRIOT Act to the data security risks of outsourcing, but this is the first time she has expressed these views formally. She says:
There may be no greater area of confusion and misunderstanding than fear of the PATRIOT Act. The PATRIOT Act has invoked unprecedented levels of apprehension and consternation – far more than I believe is warranted. For the reasons outlined on pages 5 and 6, the feared powers were available to law enforcement long before the passage of the PATRIOT Act, through a variety of other legal instruments. In my view, these fears are largely overblown, and focusing on them unduly constitutes a pointless exercise. I believe it is far more productive to compel organizations to be fully responsible and accountable for the services they provide or outsource. As noted earlier, my position on this remains that you can outsource services, but you cannot outsource accountability. Flowing from that, one critical question prevails: Have reasonable steps been taken to ensure privacy and security, regardless of where the data resides? The measures taken by MNR, as described in this report, represent a good example of such accountability.
This is of help to Ontario public sector institutions that have needed to account for significant perceived PATRIOT Act risks when approaching hosted service projects, many of which likely carry lower risks than the MNR project. One might wonder how many useful, cost-saving initiatives have been parked because of a requirement that all personal information be stored in Canada by a Canadian company. The Commissioner’s report should be liberalizing, though outsourcing, whether inside or outside Canada, will always carry special data security risks that institutions need to manage carefully.
Fortunately, the Commissioner also uses this report to give some good guidance on outsourcing in the Ontario public sector, largely approving of the manner in which the MNR went about its outsourcing. Her focus is on the commercial contract between the MNR and its vendor, which she held contained nine “necessary provisions” to achieve the “reasonable measures” data protection standard under FIPPA. Ontario public sector institutions should pay heed to these provisions and, more generally, to the design and development process described near the beginning of the Commissioner’s report.
Hat tip to David Fraser, who gets a nice nod in this report from the Commissioner for his work on the PATRIOT Act.