Information Sharing and Contracts
There are often times when the University may be required to share or disclose limited personal information to a Third Party, such as
- an external company/vendor (not under the FOIP Act) or
- another public body/government agency (under the FOIP Act)
Information sharing: means the exchanging, collecting, using, or disclosing of personal information by one public body with another public body or other organization.
The Alberta FOIP Act 1(r) defines a “Third Party” as a person, group of persons, or an organization other than a public body.
Generally, the sharing of personal information (or information that readily identifies individuals) should not occur without first exploring less privacy-invasive means of meeting the specific objective.
- When is a sharing agreement required
- Components of personal information sharing agreements
- Additional resources
- Additional resources - Cloud Computing
When is a sharing agreement required
Generally, having a sharing agreement between organizations that share personal information is considered best practice. However, if the recipient of the personal information is a private organization, the necessity for an agreement as outlined below is significantly increased, because the recipient will not be under the provisions of the Alberta FOIP Act; the agreement sets out for the organization how it will follow the principles that stem from the Act. Secondly, if it is expected that personal information will be shared with either a public or private organization on a regular basis, then a sharing agreement is considered a necessary practice to protect all exchanged personal information.
In contrast, if the recipient of the personal information is another public body and the disclosure is not expected to be done on a continuous basis, then Service Alberta recommends that the department create a record of the disclosure in the event the individual has questions regarding it. The record of the disclosure should include who (sender/recipient), when, what information was disclosed, and the legal authority to disclose under section 40 of the Act.
It is also considered best practice to check the identity of the individual, especially if the individual makes contact by phone or by e-mail.
Notably, a public body may only disclose to a Third Party under one of the allowances specified under section 40(1)(a-ff) of the Act. For example, a public body may disclose limited personal information to a law enforcement agency under section 40(1)(q).
- Law enforcement disclosure form (Service Alberta)
Components of personal information sharing agreements
Below is a summary from the Service Alberta publication Personal Information Sharing Agreements (2003).
- Names and address of the parties to the agreement
The public body and other organization(s) that are the source or recipient of the personal information being shared are the parties to the agreement. Always check to ensure that the party signing is the one accountable for protecting privacy.
- Preliminary recitals
The following information should be included in the preliminary recital clauses or preamble:
- The legal authority (statute, agreement, or treaty) for the duty or obligation which underlies the sharing or exchange of personal information. (Example: the Alberta FOIP Act)
- The legal authority for the collection of personal information for the agreement.
- Section 33(c) is commonly used by public bodies as the legal authority to collect. This section states that a public body (and the Third Party on behalf of the public body) may only collect personal information if it relates directly to and is necessary for an operating activity of the public body.
- Section 34(1,2) of the Act provides that a public body must collect personal information directly from the individual the information is about and notify the individual regarding the purpose of the collection, the legal authority for the collection 33(c), and the contact information in case the individual has questions about the collection. Note: Section 34(1) lists limited circumstances where indirect collection can be exercised, such as for law enforcement purposes.
- Whether the disclosure is a consistent use of the personal information originally collected (section 41) in that it has a direct connection to the original purpose and it is necessary for performing the duties of the public body that uses or discloses the information.
- The legal authority (under section 40) for the disclosure of personal information pursuant to the agreement.
- Purpose of the agreement
The purpose and reason for the information sharing agreement should be identified.
- Identifying the personal information to be shared
State and identify the data elements or description of the personal information to be shared. Example: Name, address, student id number.
- Use of personal information
The agreement should clearly identify how the personal information being shared is to be used. Secondary use should be limited or prohibited, and the parties should be restricted to the uses listed.
- Disclosure of personal information
The agreement should place restrictions on the disclosure of the personal information, but should not stand in the way of disclosure required for law enforcement purposes.
- Providing notification
Include a clause about how individuals will be notified about the use or disclosure of their personal information. Notification is typically given at the time the information is originally collected from the individual.
- Mechanism for the sharing/exchange of personal information
This clause should state the method and frequency of the sharing and how changes in technology will be dealt with. Example: secure electronic transmissions.
- Accuracy and completeness of personal information
A clause should state that the parties will verify the personal information received from a third party independently before it is used to make administrative decisions about an individual.
- Requests for correction of personal information
If required, a clause should be included that deals with requests for the correction of personal information (for example, where the public body is not the party responsible for correcting the information).
- Security of personal information
The agreement should state all the administrative, technical, physical, or other safeguards required to protect the confidentiality and security of the information being shared, especially in regards to use and disclosure.
- Retention and disposition of personal information
The agreement should specify how long the shared personal information is to be kept, whether it is to be returned to the source or destroyed by the recipient, and the disposal standards expected.
- Responsibilities of the parties
The agreement should specify the responsibilities of each party for carrying out the agreement and that each party will be responsible for the actions of its employees, agents, and contractors with respect to the collection, use, disclosure, and disposition of the personal information being shared.
- Consequences of improper use or disclosure
The agreement should specify the consequences of using or disclosing the personal information improperly or without authority.
- Conducting audits
A clause may be included allowing for periodic audits of the sharing arrangements to be conducted to ensure compliance with the FOIP Act.
- Commencement and termination
The agreement should specify the time period during which the information sharing will take place. It should be limited to avoid the sharing of personal information when it is no longer needed. In addition, a time period allows for the opportunity to renew or revise the contract if necessary.
The agreement should contain a clause that allows for amendments in writing with mutual agreement of the parties.
- Other general provisions
The agreement may include other clauses dealing with any financial arrangements between the parties; and the need to give each other reasonable notice of changes in policy or legislation likely to impact the agreement.
- Signing authority and contact names
The agreement should contain contact names, titles, addresses, and phone numbers of appropriate officials of all parties. The contract should be signed by whoever has the authority to sign such an agreement, such as the officials representing the public body.
Additional Resources - Cloud Computing
For more detailed information, go to Electronic Records.
Office of the Privacy Commissioner of Canada
Cloud Computing for Small and Medium-Sized Enterprises: Privacy Responsibilities and Considerations
Outsourcing of Canada.com e-mail services to US based firm raises question for subscribers
Office of the Information and Privacy Commissioner of Alberta
Cloud Computing for Small and Medium Sized Enterprises: Privacy Responsibilities and Considerations