New outsourcing rules in the province of British Columbia have included provisions that could reach deep into information technology operating procedures. These rules are embodied in amendments to the Freedom of Information and Protection of Privacy Act of B.C. (FOIPPA). They were designed primarily
to protect outsourced medical information from being accessed by U.S. authorities through the USA Patriot Act. The amendments were implemented in record-setting time by the B.C. government to facilitate the outsourcing of the management of the B.C. Medical Services Plan (MSP) and the Pharmacare program to U.S.-based Maximus Inc.
Amendments contained in Bill 73, given final adoption in October 2004, contain a number of provisions that will affect the terms of outsourcing agreements implemented by any government or public authority in B.C., including local governments. The amendments include provisions requiring that personal information in databases must be stored and accessed only in Canada. It also requires any public body that receives an order or subpoena demanding disclosure of information controlled by FOIPPA to issue a notice to the Minister of Management Services. Provisions acknowledging that the employees of an outsourcing service provider are equivalent to the employees of a public body will help clarify the obligations of outsourcing contractors to act as public bodies would when handling government information.
While the bulk of the provisions are clearly targeted at outsourcing, there are a number of circumstances where they can affect the routine operations of IT departments. It’s not uncommon, for example, to transmit a copy of a file to a U.S.-based technical support provider in order to facilitate the diagnosis of problems or to have damage repaired. In situations where the file contains information that is controlled by FOIPPA, there is now no longer any uncertainty as to the legality of this practice.
Seemingly unrelated to outsourcing, one of the amendments to FOIPPA included a new provision that stipulates that “”a public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.”” This provision makes it clear that such precautions as a firewall and an enforced security policy will no longer be optional. Further, it should be noted that the “”reasonableness”” standard could be interpreted to be quite high in consideration of the high water mark set by the most technically astute provincial government departments.
To ensure that readers don’t glaze over or nod off while reading Bill 73, its authors gave it some attention-getters in the form of two very sharp teeth: a new $500,000 fine for offences committed by corporations, and a $25,000 fine for offences committed by individuals who are service providers to government. Finally, the act was given a set of keen eyes in the form of a first-time-ever-in-B.C. “”whistle-blower”” provision, which provides protection for individuals who inform on persons or corporations who commit offences.
These new provisions arrived in the midst of a media storm in reaction to the MSP and Pharmacare outsourcing contracts that the amendments facilitated. The result was that the peripheral effects of this legislation have been largely missed by both those working in government and the media alike. Bill 73 is an important development that materially changes how public bodies handle information and how outsourcing contracts can be structured. It helps to think of Bill 73 as a powerful “”Tim the Toolman”” type power tool that can make things happen and be adapted to a broad variety of uses. In this same vein it is a tool that can bite back when the power it grants is abused or misused. Private corporations doing business with government in ignorance can picture themselves in the financial equivalent to medical traction.
B.C.’s organized labour organizations have largely focused on denouncing the government for its outsourcing initiatives while missing the fact that this legislation will ensure that outsourcing contractors will not be able to make profits by cutting corners on information management practices.
