Ch. 2: Control Records ITSS Legal Issues Working Group 11/8/96 2-7

Chapter 2 Creating, Preserving and Controlling Electronic Records

A. Obligations to create records
B. Obligations to preserve records
C. Obligations to control records
D. Summary

A. Obligations to create records

There are no laws or government policies which specifically state “government shall create records.” The Information Commissioner recommended in his most recent Annual Report that the National Archives Act be amended to make it a requirement to create such records as are necessary to document, adequately and properly, government’s functions, policies, decisions, procedures, and transactions. The Commissioner notes that this duty has been imposed on the U.S. federal government by their Federal Records Act.1

Despite the lack of an explicit requirement, there are a variety of statutes and policies which can be interpreted as requiring the creation of records, certainly if the spirit of those laws and policies is to be fulfilled. (For example, s. 11 of the Federal Real Property Regulations, made pursuant to the Federal Real Property Act, requires the Minister of Justice to establish and operate a document depository that contains copies of various instruments.) Once records are created, there are many requirements for their preservation and governing how they may be disposed of. Many of the laws and policies concerned with the creation and preservation of records make specific references to electronic information.

The essential point is that government should create records in order to allow its citizens to be informed of government activities, to participate in policy development and evaluation, to hold their governments accountable and to preserve an historical record. In addition, government needs to create and preserve records so that it can produce evidence of certain facts and decisions and of its intentions, if the facts or decisions are ever disputed.
Even though there is no express “thou shall create records” edict, in practice, and in the spirit of many statutory provisions, the requirement exists. Treasury Board’s Management of Government Information Holdings (MGIH) Policy (revised in 1994) says that “it is the policy of the government to identify and conserve information holdings that serve to reconstruct the evolution of policy and program decisions or that have historical or archival importance and to ensure that such information is organized in a manner to be readily available for the study of decision-making in government and other educational purposes...”2

The Access to Information Act provides an enforceable right of access to government information, in accordance with the principle “that government information should be available to the public.”3 The Treasury Board Access to Information Policy states:

There is a compelling public interest in openness, to ensure that the government is fully accountable for its goals and that its performance can be measured against these goals. This renders the government more accountable to the electorate and facilitates informed public participation in the formulation of public policy. It ensures fairness in government decision-making and permits the airing and reconciliation of divergent views across the country.4

Treasury Board’s Policy on Access to Information notes that there is no legal requirement to create new records to fulfill particular access requests, although subsection 4(3) of the Access to Information Act does require the creation of records that can be produced by using computer hardware and software and expertise normally used by the government. However, section 3 of the Access to Information Regulations provides that computer-generated records need not be produced if doing so would unreasonably interfere with the operations of the institution.
The Policy says this relates to situations where a computer is in constant use producing scheduled outputs and is not available for other purposes. Where a computer can be operated in off hours, this offer should be made to the requester. Concerning fees, the Policy states that “under no circumstances should a requester be charged a fee which is higher than the actual and direct costs of producing the computer record(s) requested.”5

The Privacy Act provides that persons have a right of access to their personal information collected by the government. There are detailed provisions for how the government is to provide that access and how it is to protect the personal information. Personal information used by a government institution for an administrative purpose6 shall be retained by that government institution for at least two years after the last use of the information (unless the individual consents to earlier destruction of the record). (Of course, the National Archives Act applies whether or not two years have expired or the individual consents to destruction of the record: records cannot be destroyed without the permission of the National Archivist.)

The National Library Act requires that the publisher of any “book” published in Canada shall send to the National Library at least one copy of the book, unless the book falls within a class or kind of book which is not required to be sent to the National Librarian unless specifically requested, as set out by regulation.
The Act defines “book” to mean “library matter of every kind, nature and description and includes any document, paper, record, tape or other thing published by a publisher, on or in which information is written, recorded, stored or reproduced.”

The Government’s Security Policy (revised in 1994) provides that “Personal information collected by departments requires protection throughout its life cycle” and “Information technology security is intended to ensure the confidentiality of information stored, processed or transmitted electronically; the integrity of the information and related processes; and the availability of information, systems and services.”7

The Government’s Policy on Electronic Authorization and Authentication requires the creation of records relating to financial transactions:

A complete audit trail of the financial transactions, including electronic authorization and authentication, must be maintained. (p. 3)

Many statutes specifically require writing and use other terms such as ‘record,’ ‘document,’ ‘data,’ ‘book,’ and ‘machine readable.’ Each of these words appears to presume the creation of a record.

B. Obligations to preserve records

Once a record is created, it cannot be destroyed or disposed of without the consent of the National Archivist.8 During the past couple of years, the National Archives has issued several guides dealing with the management of electronic records in office systems such as electronic mail (e-mail) and electronic documents. More recently, the National Archives has begun to deal with legislative and policy related record keeping issues in large and small scale computer (application) systems. (Considering that perhaps as much as 95% of government records are ultimately destroyed, one of the most important roles of the National Archives is to give advice on the destruction of records, rather than attempting to preserve all records.)
Subsection 6(1) of the Privacy Act provides that “personal information that has been used by a government institution for an administrative purpose shall be retained ... to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to the information.” Paragraph 4(1)(a) of the Privacy Regulations provides that institutions must retain personal information for at least two years following the last time the personal information was used for an administrative purpose unless the individual consents to its disposal. (It should be noted that an increasingly important privacy principle is that personal information be destroyed once it is no longer needed. This principle is not stated in the Privacy Act.)

Other general retention requirements include the requirements to keep information secure in the Security Policy, the requirements for managing information in the Management of Government Information Holdings Policy, and the rights of citizens to have access to government records in the Access to Information Act. It should be noted that this Act restricts access to certain kinds of information, such as advice and recommendations to the government and Cabinet confidences, until twenty years after their creation, but does not require that such records be maintained for the twenty-year period.

Other considerations for determining how long to preserve records include relevant statutes of limitations: it is generally in the interest of government to retain commercial and administrative records for at least the period of time during which any lawsuits might be launched to challenge any transaction or decision or to allege negligence. For some kinds of claims, there is virtually no statute of limitations (e.g., Aboriginal claims, serious criminal offences).
For some kinds of government programs, current administrative needs rely on very old records (e.g., employment records for the purposes of calculating pension benefits, immigration and citizenship records whose information can later assist in criminal investigations and calculation of eligibility for pension benefits). Thus, the creation and preservation of records is a legal, policy and practical requirement for many reasons. It is important to remember that the National Archives Act does not forbid destruction of records, only that destruction be done with the permission of the National Archivist.

The Access to Information Policy describes transitory records. If a record is used to initiate or continue a departmental activity, provide comments on an activity under way which requires administrative action, or requests an opinion on an activity of interest to the institution, it is not a transitory record. Draft documents that show the evolution of a final document are not transitory records, but drafts not shared with anyone beyond the employee who created them are transitory records.

Transitory records also exist in data processing environments where input/source records, intermediate input/output records, valid transaction files, system audit records, test records, and print files may be deleted in accordance with system design specifications. However, some draft documents including previously ‘saved’ versions of electronic documents need not be retained where they are working versions not communicated beyond the individual creating them or copies used for information or reference purposes only. Such documents may be treated as transitory records and routinely destroyed.

... Electronic mail is no different than any other piece of information created or obtained by an institution in the carrying out of its business. Much of the information created in this way will have direct impact on the management of the institution and the various activities it carries out. This will vary from the simple call for a meeting with rough agenda to direction to prepare a major policy paper, some initial thoughts on how to proceed, or comments on a completed draft. This type of information should be filed as a record of the institution.9 (emphasis added)

In Chapter 9, dealing with electronic records and digital signatures as evidence, we discuss various factors relating to the replacement of paper records with electronic records and the migration from one electronic technology or format to another in an attempt to preserve electronic records.

C. Obligations to control records

Related to the question of preserving records is the notion of controlling records. The Access to Information Act, Privacy Act and National Archives Act all speak about records “under the control of” government institutions. In a paper world, physically having a paper copy or original is easy to establish. Filing systems and archival practices are well-established. There is no issue as to whether the paper is being effectively controlled: it will not disappear at the touch of a button. Generally, it cannot be altered easily without anyone noticing. Therefore, in the paper world, the control issues relate to who is controlling the records, not how the control is being exercised.

Who controls the record?

The issues relating to who controls records are relatively minor and straightforward in a paper context. Establishing physical possession of a record is easy. Thus, the questions concern whether possession is equivalent to control. If an institution did not create the record or has a copy but not an original of the record, is it a record under the institution’s control? If a record is provided to an institution with conditions of confidentiality attached, does the institution “control” the record? If the institution holds a record on behalf of another party, does the institution control the record?
If a record is not in the physical possession of the institution but the institution has a contractual right of access to the record, is the record under the institution’s control? In all these cases, the answer is yes. If the institution has the power to produce the record, then it has control of the record (whether the institution must disclose the record is determined by the various exceptions and exemptions in the Access to Information Act and Privacy Act).10

In an electronic world, the issues of who “controls” the records may also be fairly straightforward. Establishing which Minister or which department is responsible for the operation of the computer system would not be necessary for the citizen who is seeking access and would likely not be necessary for Parliamentarians trying to hold the government accountable: if the government is unable to tell Parliament who is responsible for the computer system, that alone would serve the opposition’s purposes.

Establishing whether an institution has the power to produce a record could mean that any electronic record or database to which an institution has authorized access is a record under the control of that institution, even if there are many institutions that have access to the same electronic records or databases, and even if another institution collected the information in the first place and maintains the information on its computer systems.11 This would simply be a continuation of the same principles already applied in the paper context. On the other hand, if access to a database means control of the database, for the purposes of the Access to Information Act and Privacy Act, then there could be inconsistent responses to requests for access to information in the database, depending on which Department is asked to provide the information. Further, it strains the literal meaning of “control” to suggest that having access to a database is equivalent to having control of it.
Another problem is that when an institution examines a database without bringing the information onto its computer systems, the intent of the Access to Information Act and Privacy Act can be frustrated: the intent of both Acts is to ensure that citizens have access to the information used by government, and a further intent of the Privacy Act is to ensure that government collects only information that is directly related to its programs.

It is interesting to note that the Privacy Act uses three different expressions that could affect the nature of the right of access to personal information. Section 12 provides a statutory right of access to one’s own personal information that is “under the control of” an institution. Section 2 of the Privacy Act states that the purpose of the Privacy Act is to “extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provides individuals with a right of access to that information.” Subsection 6(1) provides that information “used by a government institution for an administrative purpose” shall be retained by the institution “in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to that information.”

There is a real possibility a court would find that there is a right of access to personal information that has been used for an administrative purpose, whether or not that information is “under the control” of the institution, given the wording of subsection 6(1), and given the overall intent of the Act. Such an interpretation would avoid difficulties in trying to determine where one should go to request access to personal information held on a government computer somewhere. It would give the government the flexibility to locate personal information on the computers that make the most functional sense, without fear of putting access to personal information rights at risk and without being tied down by organizational lines. At the same time, such an interpretation would create an obligation on government institutions to ensure that they preserve records of personal information that they have used for administrative purposes. This could be challenging where the personal information is on someone else’s computer system or where the personal information is in a database that is constantly being changed and updated.

The U.S. Review Draft “Consensus Electronic Record Principles” suggests, among other things, that information maintained outside of government that is accessed electronically by an agency but merely viewed by an employee should not be deemed to come into the agency’s possession and control. However, the draft suggests that there should be legal and policy rules setting out when agency officials can view and not preserve such information. The draft also suggests that when the information is brought into an agency database or is printed out in paper form by an employee, it would become subject to the Freedom of Information Act. Canadian law and policy should also deal with the questions of access to databases and their relationship to the Access to Information Act and Privacy Act.

Obligations to exercise control over records

Perhaps more important than who controls the electronic records is whether or not the records are being effectively controlled and preserved. Although the Access to Information Act, Privacy Act and National Archives Act apply to records “under the control” of government, it might be argued that these phrases implicitly require governments to exercise effective control over those records.
The numerous statutory provisions limiting who may have access to certain information and what that information may be used for (for example, in statutes such as the Income Tax Act, the Customs Act, the Statistics Act, etc.) may also create obligations to control records. Thus, there may be an implicit statutory obligation to safeguard records from unauthorized electronic access, from inadvertent electronic alteration and from inadvertent deletion (including the problem of disintegrating disks and magnetic tapes and obsolete software).

Another source of a possible obligation to control records comes from government representations that it will control records. These representations may be made in a variety of contexts, not just the statutory provisions mentioned above. For example, when government collects information from different parties, the forms used to collect the information frequently tell the party that the information is protected or confidential. Essentially, the government promises that information will be kept confidential and disclosed only according to law. Also, the government may make similar representations in agreements with other governments who provide information on a confidential basis and in contracts with various parties.

The implicit legal obligation to control records effectively can find support in government policy requirements, that government employees without a legitimate need to know particular information should not have access to that information (Security Policy, Ch. 2-1, p. 37) and that “Government institutions, in addition to the requirements of the Privacy Act, must ensure that appropriate administrative controls are in place to ensure against the disclosure of personal information to anyone who is not permitted access to it under the Privacy Act.” (Privacy and Data Protection Policy, Ch. 1-1, p. 4)

The obligation to control financial records is made explicit in the government’s Policy on Electronic Authorization and Authentication (Ch. 2-2, p. 4):

Departments must perform a risk assessment to evaluate the potential risks to the electronic authorization process and determine the level of control required to minimize the risks, commensurate with the costs.

Departments must establish policies and procedures that will ensure that an adequate level of control is maintained on all processes involving the electronic authorization and authentication of financial data.

Departments must establish policies and procedures that will ensure that the distribution and communication of financial authorities and the delegation process itself, when in an electronic form, are protected by a key management process approved by CSE.

A Signature Method Authentication Code must be used to authorize financial transactions electronically. While this can be done in various ways, the method used to generate the code must employ both special knowledge (e.g. password) and physical possession of an object (e.g. diskette, token, etc.).

When required, the confidentiality of financial transactions will generally be ensured by encrypting part or all of the data.

Obligations concerning electronic security would become at least as important as the controls applied to paper records: locking filing cabinets (only with specifically approved locks), limiting access to physical premises where files are located, and giving employees clearance to see certain categories of information.

It is useful to contrast the implicit statutory obligations on the federal government with the explicit obligations on the banking industry. The various requirements on federal government institutions (and the lack of express statutory requirements) can be compared with s. 244 of the Bank Act which requires:

A bank and its agents shall take reasonable precautions to
(a) prevent loss or destruction of,
(b) prevent falsification of entries in,
(c) facilitate detection and correction of inaccuracies in, and
(d) ensure that unauthorized persons do not have access to or use of
information in the registers and records required or authorized by this Act to be prepared and maintained.

In addition, s. 245(1) of the Bank Act expressly requires banks in Canada to:

maintain and process in Canada any information or data relating to the preparation and maintenance of the records referred to in section 238 unless the Superintendent has, by order, and subject to such terms and conditions as the Superintendent considers appropriate, exempted the bank from the application of this section.

Subsection 245(2) permits banks to process outside of Canada copies of the information mentioned in subsection (1), but subsection (4) requires banks to inform the Superintendent and provide the Superintendent with a list of those copies maintained outside Canada and a description of the further processing of information or data relating to those copies outside Canada and such other information as the Superintendent may require from time to time. Subsection (5) permits the Superintendent to order banks to maintain and process such information or copies in Canada if such maintenance or processing outside of Canada is incompatible with the fulfilment of the Superintendent’s duties or if the Minister advises that it is not in the national interest for such maintenance or processing to be done outside of Canada. Similar provisions can be found in the Cooperative Credit Associations Act, s. 240; An Act respecting Canadian Business Corporations, s. 10; Insurance Companies Act, s. 266; Trust and Loan Companies Act, s. 248.
The above are examples of express statutory requirements and powers for controlling records, requirements which are not set out for government records and powers which are not given to the Information or Privacy Commissioners.

Obligations to control information provided to third parties

One context where the government’s obligation to control records is most evident arises when information is shared with third parties. Generally, government policy and standard contracts require government agencies to contemplate what kinds of controls need to be placed on information being shared with third parties, and set out a variety of precautions that should become part of an information-sharing agreement or contract.

One of the questions involving third party disclosures is whether or not the Access to Information Act, Privacy Act, National Archives Act, confidentiality provisions of other statutes and the various Treasury Board policies in support of these Acts will apply to the information disclosed to the third parties. The short answer is no: so long as the third party is an independent contractor (and not an agent of the government), the Acts and policies governing federal government information do not apply.

With respect to the application of the National Archives Act, it should be remembered that no record under the control of a government institution shall be destroyed or disposed of without the consent of the National Archivist. Government institutions that transfer control of original records outside the federal government would require the consent of the National Archivist. Copies of originals (which are kept under the government’s control) which are made in the normal course of business and covered by transfer agreements would be covered by the generic disposition authorities applicable to all federal institutions. (See Chapter 9 for a discussion of the issues involved in defining an original or copy of an electronic record.)
The Privacy Commissioner has expressed his concern about this potential erosion of the protection of personal information collected by the federal government. However, privacy protections can be built into any agreements with third parties and many departments routinely include such protections in such agreements, although there have been examples where federal institutions entered into third party contracts without even contemplating who would have control of the information produced under the contract and without contemplating what privacy, access and archival protections should be built into the contracts. It has long been the view of both Treasury Board and the Department of Justice that, as a general rule, contracts should provide that information produced under these contracts is to be considered under the control of the government institution.

Policy requirements to control information supplied to third parties

The Security Policy provides a number of provisions regarding third party contracts and confidential information. Section 4.8 of Chapter 2-1 deals with contracts to collect personal information:

When a statistical study or survey involves processing personal information, the code that correlates data to an individual respondent must be destroyed as soon as possible ... Contracts for the collection of personal information should include the following points:
· An undertaking to protect the information, to refrain from disclosure to any other person or organization and to use the information only for the purpose specified in the agreement.
· An undertaking to make the information available only to employees of the contractor who have undergone proper screening and have a need to know the information.
· That each employee to whom the information is made available shall sign a statement showing that he or she undertakes, as a condition of employment, to respect the sensitive nature of the information and to observe the requirements of the Privacy Act and any other conditions specified by the department governing the use of this information.
· That the department may terminate the contract if the contractor breaches confidentiality obligations.

Section 13 of Ch. 2-1 provides:

Departments must ensure, through written agreements, the appropriate safeguarding of sensitive information shared with other governments and organizations. (emphasis in original)

In most cases, it is expected there will be in place a general agreement between the federal government and the other government or organizations involved. The agreement should represent an undertaking to safeguard information appropriately, to limit use, to control release to third parties and to inform authorized users of their responsibilities under the agreement. Without such a general agreement, arrangements for sharing information should be stipulated in an agreement between the originating federal department and the provincial government or department concerned. Such agreements for sharing information should include the following elements:
· A description of the types of information to be shared.
· The purposes for which the information is being shared.
· A stipulation that the information is to be distributed only on a need-to-know basis within a recipient department.
· A description of all the administrative, technical and physical safeguards required to protect the information involved.
· A requirement that the recipient maintain a list of all officials, by position, who have access to the information.
· The conditions for disclosing information to third parties.
· The name, title and signature of the appropriate officials in both the originating department and the receiving province and the period covered by the agreement.

These elements should be considered for agreements according to the degree of injury that could result if the information were compromised.

Curiously, Ch. 3-5 of the Privacy and Data Protection Policy also sets out a list of components for sharing information with provinces, foreign states and international bodies. This list states that such agreements must contain only some of the above elements. The elements on which the Privacy and Data Protection Policy is silent are:
· A stipulation that the information is to be distributed only on a need-to-know basis within a recipient department.
· A requirement that the recipient maintain a list of all officials, by position, who have access to the information. Instead, the requirement is for names, titles and signatures of “the appropriate officials” in both the supplying and receiving institutions.
· The conditions for disclosing information to third parties. Instead, the requirement is for a statement that the sharing of the information shall cease if the recipient is discovered to be improperly disclosing the shared personal information.

The third place the Security Policy deals with third party disclosures is at Ch. 2-5, Security and Contracting Management Standard:

Departments are responsible for protecting sensitive information and assets under their control according to the Security policy and its operational standards. This responsibility applies to all phases of the contracting process, including bidding, negotiating, awarding, performance and termination of contracts, as well as to internal government operations. (emphasis in the policy)

Whether a contract is within or outside a department’s delegated contracting responsibilities, the department is responsible for identifying sensitive information and assets warranting safeguards. ...
The department may itself ensure that the contractor meets the appropriate security requirements, or request that Public Works and Government Services Canada (PWGSC) perform this task. ...

Public Works and Government Services Canada provides advice and guidance to departments, contractors and potential contractors on the security requirements of contracts that require access to sensitive information and assets. ...

When a department is responsible for contracting security, it must check the status of the contractor with PWGSC when the department has determined that the contractor meets the appropriate security requirements. The decision that a contractor meets appropriate security requirements must be documented.

There may be special circumstances, determined by a threat and risk assessment (TRA) for contracts involving access to designated information and assets, where the step of ensuring that a contractor complies with security requirements must be met within six months of the contract being awarded. For contracts of less than six months, the clause should stipulate that the security requirements must be met before half the contract period has elapsed. Access may not be granted until the security requirements are met. Departmental policies and procedures should specify the conditions for such exceptions, including approval of a TRA by the responsible manager and consultation with departmental security officials.

Departmental policies and procedures should also provide for scheduled and unscheduled work site inspections, and for the safeguarding of sensitive waste until it is destroyed by an approved method.

It is important to note the use of the word ‘should’ in the above policies. Wherever the word ‘should’ appears, the policy says that the measures are suggested but not compulsory.
Nonetheless, these policy suggestions set out rigorous standards to meet for protecting sensitive information disclosed under contract (recall that personal information is included in the concept of sensitive information).
Standard contract clauses
The standard contract for consulting and professional services recently distributed by Treasury Board’s Contracting Group provides the following:
GC18 Security and Protection of Work
18.1 The Contractor shall keep confidential all information provided to the Contractor by or on behalf of Canada in connection with the work, and all information developed by the Contractor as part of the work, and shall not disclose any such information to any person without the written permission of the Minister, except that the Contractor may disclose to a subcontractor, authorized in accordance with this Contract, information necessary to the performance of the subcontract. This section does not apply to any information that:
18.1.1 is publicly available from a source other than the Contractor; or
18.1.2 is or becomes known to the Contractor from a source other than Canada, except any source that is known to the Contractor to be under an obligation to Canada not to disclose the information.
18.2 When the Contract, the work, or any information referred to in subsection GC18.1 is identified as TOP SECRET, SECRET, CONFIDENTIAL or PROTECTED by Canada, the Contractor shall, at all times, take all measures reasonably necessary for the safeguarding of the material so identified, including those set out in the DSS Industrial Security Manual and its supplements and any other instructions issued by the Minister.
18.3 Without limiting the generality of subsections GC18.1 and GC18.1.2, when the Contract, the work, or any information referred to in subsection GC18.1 is identified as TOP SECRET, SECRET, CONFIDENTIAL or PROTECTED by Canada, the Minister shall be entitled to inspect the Contractor’s premises and the premises of a subcontractor at any time for security purposes during the term of the Contract, and the Contractor shall comply with, and ensure that any such subcontractor complies with, all written instructions issued by the Minister dealing with the material so identified, including any requirements that employees of the Contractor or of any such subcontractor execute and deliver declarations relating to reliability screenings, security clearances and other protections.
SC1 Access to Information
1.1 Subject to any Act of the Parliament of Canada relating to public access in the control of a government institution, the confidentiality of any information obtained by the Minister under this Agreement shall be respected to the extent indicated by the Contractor. A written request by the Contractor indicating the general categories of information for which confidentiality applies shall satisfy the requirements of the section.
1.2 Any personal information within the meaning of the Privacy Act that is collected, processed or otherwise dealt with for the purposes of this contract and that is under the control of a government institution shall be dealt with in accordance with the Act and the Regulations thereunder and the Records Scheduling and Disposal Plan. Any material used to collect such personal information should bear a clause reading as follows:
1.2.1 PROTECTED when completed. All personal information that you provide is protected under the Privacy Act and stored in the appropriate Personal Information Bank(s).
While these clauses clearly indicate a strong concern for security, they fall short of the specific requirements in the Security Policy and Privacy and Data Protection Policy. 
Moreover, Supplementary Condition 1.2 provides that any personal information that “is collected, processed or otherwise dealt with for the purposes of this contract and that is under the control of the government institution” shall be dealt with in accordance with the Privacy Act. This raises the question of whether the contract considers the information in question to be under the control of the government institution, and therefore, whether the Privacy Act will apply to that information. There have been cases where Departments have specifically sought to ensure that certain information disclosed to third parties was not under the control of the government, such as surveys of employees about the performance of their managers. There are contracts where personal information is disclosed without adequate protections being built into the contract and without departments undertaking scheduled and unscheduled work site inspections or completing formal threat and risk assessments before using lesser security procedures for designated information, as recommended by the Security Policy. It is anyone’s guess how the government would fare if its practices with respect to protecting personal information in third party contracts were audited.
Contracting for information technology services and the ‘need to know’ principle
Part of the new way of doing government business is to enter into partnerships with business (“outsourcing”), where it makes sense to do so. Outsourcing is particularly common where special expertise is required that is not readily available within government. Conventional wisdom and practice is that government is not good at developing software, or even managing its technology. These functions are frequently provided by private enterprise. 
The nature of electronic information and new technologies is such that the software, hardware and network experts must have access to our information holdings as part of what is involved in installing, testing and securing our technology. Such persons do not actually need to “know” the content of the electronic information, but they must be able to have access to it as part of having access to the various functions of the computer system, and as part of being able to do the necessary computer systems work while allowing everyone else to have uninterrupted access to the information they need for their daily jobs. This reality presents a situation which is not perfectly consistent with the “need to know” principle: A fundamental requirement of the Security policy is to limit access to sensitive information to those whose duties require such access; that is, to those who need to know the information. ... Personnel are not entitled to access merely because it would be convenient for them to know or because of status, rank, office or level of clearance. New technologies make the “need to know” principle somewhat inaccurate; a “need to access” principle would better reflect information management realities. The above comment is also true in the paper context where file clerks routinely have access to information they do not need to “know”. However, the security of information provided to file clerks (and virtually all federal employees) is protected through oaths of secrecy and security clearances. Moreover, in the paper context, copying information or searching for information is much more difficult. In an electronic context, in addition to file clerks with access to information, there are informatics personnel with significant network privileges, often from external consulting firms, who also have such access. 
For such external personnel, the oaths of secrecy, security clearances and incentives to comply with federal government policy (or even to become informed about the various policies) are weaker than for employees, and the ease with which electronic information can be copied, altered or destroyed increases the security risks attendant on a “need to access” principle. Providing access to or disclosing personal information to information managers is probably authorized as necessary to fulfill the purpose of the Privacy Act, the Access to Information Act and the National Archives Act by taking steps to control the information appropriately in order to protect it from unauthorized disclosure and to provide the concerned individuals with access to the information. If a section 8 authorization is necessary, one could argue that disclosing the information to records managers is consistent with the original purpose for collecting the information.
Inter-governmental and inter-departmental agreements
The general information-sharing agreements between the federal government and the provincial governments are almost threadbare in their security requirements. Basically the only requirements set out in the agreements are that there be a request, in writing “wherever practicable,” setting out the personal information desired and the purpose for which the information is being requested. The agreements also provide that the disclosed information “shall only be used or disclosed for the purpose of administering or enforcing any law or carrying out a subsequent investigation or for a subsequent use which is consistent therewith.” Such federal-provincial agreements exist whether or not the province has legislation governing the protection of personal information held by the provincial government (Prince Edward Island does not; Manitoba, New Brunswick, Newfoundland, the Northwest Territories and the Yukon offer limited privacy protection). 
Despite the existence of such broad agreements, Departments also use specific agreements and some do contain privacy protections. One example is a standard clause used in specific agreements between the Department of Citizenship and Immigration and various provinces and municipalities: Subject to sections ...., the information supplied by each party to the other shall be maintained, destroyed or disposed of in accordance with the Government of Canada Security Policy and supporting operating directives and guidelines, covering the administrative, technical and physical safeguarding of the personal information or in accordance with Provincial retention of records policies, whichever shall apply. The Department shall send a letter to ... confirming that the information supplied by ... has been disposed of in accordance with these policies. Despite this example, it is impossible to know how many other specific agreements contain similar clauses because there is no registry of information sharing agreements. Moreover, it is open to question how many provincial governments and municipalities have the Security Policy or receive updates as they occur from time to time. Once we understand what is required for disclosing personal information to a third party, one should ask whether these same rules apply to sharing information between federal government departments. There is very little guidance on this point. The Security Policy only seems to distinguish between one government institution and another when dealing in the general area of assessment of security risks and in the marking of information. The Security Policy states that classified information must be marked or otherwise identified at the time it is created or collected. Further, "designated information must be marked if it is to be disclosed beyond the organizational unit that created or collected it." 
In dealing with risk assessment, the Security Policy recognizes that Departments may have implemented different marking schemes to designate information. The Policy goes on to state: Therefore, an assessment of security risks should be made when sharing particularly sensitive information on a regular basis i.e., Protected B information. The department that collected or created the information is responsible for identifying the safeguards to be applied by the receiving department. If warranted, a written agreement should be developed with the DSO of the receiving department and should apply to third-party recipients of the information as well. Furthermore, very few departments hold designated information that if compromised may cause extremely serious injury such as loss of life or significant financial loss i.e., Protected C information. Such information and assets could well be threatened by highly motivated and skilled individuals or organizations and, therefore, additional safeguards may be in order. ... It cannot be assumed that the application of safeguards from one department to the next will be the same. The originating or collecting department should identify necessary safeguards and these should be agreed upon in writing. The written agreement should extend to third-party sharing of information. (Ch. 2-1, pp. 21-22) These passages suggest that written agreements between federal departments that share information with each other are not required, although they “should” be in place for exchanges of extremely sensitive information. Moreover, the specific requirements that the policy sets out for exchanges with “other governments and organizations” do not appear to apply to agreements between federal departments, although no doubt they would act as useful guides. 
Other than in the marking of information and risk assessment, the standard test to be applied in determining whether another public servant should be given certain information (other than personal information) appears to be the "need to know" principle, regardless of whether that public servant is employed by one or another department. It can be argued that the Privacy Act has a disclosure provision similar to the "need to know" principle. Paragraph 8(2)(a) of the Act allows for the disclosure of personal information for the "purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose." However, one should be sure to check InfoSource to ensure that the disclosure to the other government institution is listed as either a use or a consistent use in the relevant personal information bank. If the disclosure is not a use or consistent use, then the personal information cannot be disclosed to the other government institution unless the individual consents to the disclosure, the disclosure is in accordance with another paragraph of section 8 of the Act, or the government institution takes the necessary steps to notify the Privacy Commissioner and add the new consistent use to InfoSource. The fact is that it is more difficult to share information between federal departments (due to Privacy Act provisions and Treasury Board policies) than it is to share information between the federal government and other governments under general agreements (which are specifically authorized by the Privacy Act between the federal and other governments but not between federal government institutions themselves). As the prospects grow of providing both federal and provincial services electronically through single window kiosks or other data systems, and exchanging personal information to reduce overpayments and fraud in social programs, the question of controls over those disclosures will become more important.
D. Summary
Federal laws do not create many express statutory obligations on the federal government to create, preserve or exercise effective control over records, although there are many implicit obligations and explicit government policy requirements that do so (in contrast to the explicit requirements on financial institutions). The responsibility of government institutions to control and produce records to which they have access via electronic means and to produce records in electronic formats is unclear. When government officials search for electronic information, whether for program purposes or electronic security purposes, it is unclear whether they must or should make a notation of the records, databases or activities that were searched. Obligations to provide access to or to preserve records in databases whose values are constantly changing are not addressed in law or policy. The reality of information management means that there is a group of persons who have a need to have “access” to information but who do not have a need to “know” that information. This is a nuance that is not well-addressed in the Security Policy or in government documents explaining its information holdings (such as InfoSource). The laws and policies describing what security undertakings may be required for a federal government institution to disclose information to other federal government institutions, to other governments and to third parties are not clearly set down. There are a variety of sources authorizing such disclosures, with a variety of somewhat different security undertakings contemplated. The lack of clarity, consistency and comprehensiveness should be addressed. Generally, the lack of an automatic application of Privacy Act principles to information disclosed to third parties (the application is achieved through contract provisions) is a matter of continuing concern for the Privacy Commissioner and may need reconsideration by the government. 
To date, the courts have not had to interpret “control” issues in an electronic context and certainly the law could be clearer on this important issue. Nonetheless, institutions should proceed on the assumption that the spirit of the law requires them to maintain effective control over their records (certainly the Security Policy requires this), and that they can be required to produce electronic records from any database to which they have authorized access, subject to the exceptions in the Access to Information Act and the Privacy Act. Such a requirement flows from the combination of legal requirements to create, preserve and control records (including Security Policy requirements), together with the legislated intent of ensuring citizens have access to government information over a very long period of time and subject only to specific and limited exceptions.
ENDNOTES
1 Information Commissioner Annual Report 1994, p. 9
2 Information Management Policy, Policy on the Management of Government Information Holdings, Ch. 3-1, p. 1
3 Subsection 2(1), Access to Information Act
4 Access to Information Policy, Ch. 2-0, pp. 1-2
5 Access to Information Policy, Ch. 2-5, p. 4
6 “Administrative purpose” is defined in the Act as: “in relation to the use of personal information about an individual, means the use of that information in a decision making process that directly affects that individual.”
7 Security Policy, Ch. 2-1, p. 17, Ch. 2-3, p. 2
8 Subsection 5(1), National Archives Act
9 Access to Information Policy, Ch. 2-4, pp. 10-11
10 Leading cases interpreting the meaning of “under the control of” include: Montana Band of Indians v. Minister of Indian and Northern Affairs et al., 1989 1 F.C. 143 (F.C.T.D.) and Ottawa Football Club et al. v. Minister of Fitness and Amateur Sports et al., 1989 2 F.C. 480 (F.C.T.D.). Note also Canada Post v. Minister of Public Works (1993), 64 F.T.R. 62, under appeal at the time of writing.
11 This would be consistent with recent legal interpretations given to contracts between federal departments and independent contractors: if the contract gives the department access to the contractors’ documents, then those documents are under the control of the department for the purposes of the Access to Information Act and Privacy Act.