Anything but Ordinary - Critical Reasons why your Government Customer isn’t Typical when it comes to their Data and Information

CBR Original ContentCyber Insurance/LawEnterprise SecurityPrivacyCyber Innovations
Written By Admin

5-Jul | Written by Marcia Mills • Fasken • Montreal, PQ

Technology is advancing rapidly; so rapidly, in fact, that by the time one figures out how to use “the greatest” new advancement, the next great thing has arrived.  End users know they need to adapt and adopt, but the steep learning curve can be daunting. Technology innovators find themselves engaged in “education by negotiation”  -  explaining how the technology works in the midst of negotiating the very contract under which such technology will be delivered to a first-time user.

Government customers are no different; however, their data and information requirements are. 

The layering of government policy on top of applicable law adds to the complexity of government data and information management – all of which is then downloaded to the government supplier via their contract. 

As a current or potential supplier to a government customer, it is crucial to understand in advance of receipt, the very real (and often, non-negotiable) requirements and constraints that apply to any government information or data that you may receive, transmit, access, store and manage (including archiving and destruction).

Governments need to know “who” they are dealing with

The amount of information about your business you must disclose to your government customer as part of their contracting process may remind you of a due diligence exercise for a merger or acquisition. Corporate disclosure obligations required for bidding on government contracts will usually become on-going contractual obligations. In addition, contract assignments frequently require the government customer’s pre-approval. All of this disclosure is not by happenstance, but very much by necessity and design.

Governments, as publicly-funded institutions, are directly answerable to the public; particularly when spending those funds. Expenditures must be appropriate. Part of this “appropriateness” is ensuring that the government customer knows “who” their supplier is. This is not just whether the supplier is financially viable and capable of fulfilling the contract, but also, who controls or is the directing mind of the supplier.

Governments obligations are more than just policies – they’re law

Personal information in the possession of the government:

Legislative protection of  personal information in Canada has existed for decades and varies on a jurisdiction-by-jurisdiction basis, as well as between private sector and public sector entities. In addition to the legislative requirements, governments are under additional obligations to protect the personal information of their citizens as a general matter of public safety, national security and sovereignty.  Governments cannot simply invoke “terms of use” when collecting data and information from their citizens but instead must make a rational connection between collection, use and disclosure.

Because government is in possession of broad and highly sensitive personal information (think: medical and health information, tax-related information and social insurance numbers), the release of such information can cause extremely serious  damage to individuals, organizations or the government.  

For example, when disclosing information, government is required to consider the potential that a foreign power may have access to the personal information of citizens, or its own information or data, if such information is permitted to be transferred to a supplier located in a foreign jurisdiction (even on a transitory basis) or who may be owned or under the control of a foreign government.  Some jurisdictions, such as British Columbia and Nova Scotia, prohibit the transfer of personal information outside of Canada under applicable law. Federally, a privacy impact assessment must be conducted before awarding contracts and may also trigger additional obligations for suppliers, such as registration in the federal Contract Security Program.

Non-personal information in the possession of the government:

Data and information protection is not simply “confidential” information of the government; it is frequently tied to considerations of security, public safety and government-to-government relationships. Information in the possession of your government customer that you may access or receive may also contain data and information from other government suppliers or  governments (from within out outside of Canada) carrying with it additional restrictions and obligations.

Because government information originates from multiple sources and can be co-mingled, this often necessitates a broad approach and application of general rules for information  management.

Governments are subject to concurrent obligations of disclosure and non-disclosure

This seems a contradiction but a government can be concurrently obligated to disclose information to and protect information from the same source.

Obligations of disclosure

Within Canada, citizens have a right to access information held by their governments to ensure accountability and transparency of government institutions and to ensure an open and  democratic society.  However, this is not an absolute open access principle. Governments are also under obligations not to disclose certain types of information received from individuals or businesses unless an exception applies.  

Government information that is held by a supplier remains subject to these obligations - a government cannot avoid its obligations by transferring information to a 3rd party. As such, suppliers are often required to have a system in place that enables the separation (sometimes even physical separation) of government information from other information held by the supplier, or allows a supplier to readily gather government information together for delivery to the government customer.  This may be identified as a specific contractual requirement or as part of a confidentiality provision. Even if only expressed as a general contractual obligation to return government information when requested, suppliers should be aware that there is a concurrent statutory obligation to cooperate with the government and to turn over the information if the government is required to respond to a privacy or freedom of information access request. Failure to respond to such an information request may, in some jurisdictions, constitute a statutory offense. 

Suppliers must be aware that the information they supply to the government can also be the subject of an information access request.

Obligations of non-disclosure

In addition to those obligations to protect personal information under privacy legislation, governments are subject to a positive legal duty to maintain certain commercially sensitive information supplied to them by a third party as confidential. The information access legislation varies by jurisdiction; however, some common principles applied to third party information include information that is a trade secret, that the third party itself treats consistently as confidential information, and that could cause adverse commercial impact or loss of competitive advantage.

These non-disclosure obligations will not automatically apply to all information supplied to a government customer and, ultimately, it is the government (not the supplier) who holds the statutory obligation to determine what will be released.  Relying on confidentiality clauses of the contract to prevent information disclosure is not sufficient – knowing how the legislation applies before disclosure, and what to do if faced with an access to information request (including any available rights to dispute or challenge the disclosure) is paramount.

Conclusion

While historically governments sought out “government-specific” information management systems, these became problematic over the long term – devolving in to “orphan technology”  requiring expensive and on-going customized support and upgrades and leaving data and information stranded within a customized information management system.  As governments seek to streamline information management, reduce costs, and ensure information management systems are interoperable, suppliers are met with the very real issue that, although the government customer seeks a “commercially available” solution, its requirements are not.

Part of this conundrum arises from the fact that governments cannot “contract out” of their statutory obligations to both protect and disclose information, and must “flow down” these obligations of information protection or information disclosure to any supplier who receives government information.  This is typically done within the context of the supplier contract. 

Understanding how each government customer interprets its privacy and information access legislation is important;  even if the language is similar or the same between jurisdictions, it may be interpreted in each jurisdiction differently.  

It remains for the supplier to obtain the appropriate advice and take the necessary steps to ensure it is not only in compliance with the contract, but also in compliance with the applicable legislation, and that it understands how to best protect the information it supplies to the government.

Admin
Previous

Is Your Enterprise Prepared for Bill C-11, Bill 64 and the others?
Next

From Personal Information to Trade Secrets: Welcome to the Accelerated Digital Age!