On October 29, 2004, the British Columbia Information and Privacy Commissioner released an advisory report on the privacy implications of the USA Patriot Act.
Background
Following the 9-11 terrorist attacks, the United States government enacted the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act(also known as the USA Patriot Act). The USA Patriot Act amended a number of US statues which governed law enforcement and intelligence gathering.
Of concern to foreign governments was section 215, which amended a number of US intelligence statutes. The effect of the amendments was to:
- lower the threshold for the FBI to obtain foreign intelligence information not concerning a US person; and
- expand the scope of orders to obtain “any tangible thing” (thereby removing the restriction on the kinds of organizations covered).
In the spring of 2004, the British Columbia government announced plans to contract management of the Medical Services Plan to a US based company.
In response to this proposal, the British Columbia Government and Service Employees’ Union (the “BCGEU”) commenced a lawsuit to block implementation of the contract. The basis of the lawsuit was that the USA Patriot Act allowed the US government to obtain personal information of British Columbians in violation of the British Columbia Freedom of Information and Protection of Privacy Act.
Due to intense media and public interest in the BCGEU lawsuit and the application of the USA Patriot Act generally, the British Columbia Information and Privacy Commissioner sought public submissions on the privacy issues surrounding the proposed contract. The Commissioner received over 500 submissions from businesses, organized labour and individual citizens. Submissions were also received from the FBI and the U.S. Department of Homeland Security.
The Report
On October 29, 2004, the Commissioner released his report. The report concludes that outsourcing of public services to the private sector is not prohibited by the British Columbia Freedom of Information and Protection of Privacy Act.
However, because there is a reasonable possibility of unauthorized disclosure of British Columbians’ personal information under the USA Patriot Act, it is the Commissioner’s view that rigorous measures must be put into place to mitigate against illegal and surreptitious access by the US government.
The report contains sixteen recommendations to ensure that the personal information of British Columbians is protected in light of the USA Patriot Act or similar legislation. The recommendations include:
- Legislation should be passed to make it an offence for a public body or a contractor to disclose personal information or send it outside Canada in response to a foreign court order, subpoena or warrant, with violation being punished by a fine of up to $1 million or a term of imprisonment, or both;
- Public bodies should be required to ensure that outsourcing contracts contain provisions designed to preclude control by a US company over records containing British Columbians’ personal information;
- The BC government should adopt a litigation policy under which it will initiate or participate in legal proceedings abroad, including the US, to resist demands for personal information of British Columbians made by a US or other foreign court or agency;
- The BC government and government of Canada should seek assurances from relevant US officials that they will not attempt, under the USA Patriot Act, to access personal information of British Columbians located in BC;
- There should be an immediate and comprehensive audit of interprovincial, national and transnational information sharing agreements affecting all public bodies in British Columbia;
- There should be an immediate and comprehensive audit of all operational and planned data mining activities by all public bodies in BC; and
- Legislated controls should be passed to deal with information sharing and data mining activities, in order to better protect privacy and ensure transparency around these activities.
Following the issuance of the report, the Provincial Government confirmed its belief that its proposed contract with the US based company for management of the Medical Services Plan contains sufficient safeguards to protect the personal information of British Columbians.
These safeguards include:
- data storage and access will be based solely in Canada, and can only be changed with the Province’s express consent;
- there will be no remote access to data from outside of Canada;
- special restrictions on data access and supervision requirements of U.S. employees working in Canada on transition and transformation activities;
- the Provincial Government can take over the operations of the contract in the event of a potential disclosure of personal information.
The lawsuit commenced by the BCGEU is ongoing.