Supplemental Conditions, Personal Information (OCEO-SC-007)
Article 1 – Interpretation
In the Contract, unless the context otherwise requires:
"General Conditions" means the general conditions that form part of the Contract;
"Personal Information" means information about an individual, including the types of information specifically described in the Privacy Act, R.S. 1985, c. P-21;
"Record" means any hard copy document or any data in a machine-readable format containing Personal Information;
Words and expressions defined in the General Conditions and used in these supplemental general conditions have the meanings given to them in the General Conditions.
If there is any inconsistency between the General Conditions and these supplemental general conditions, the applicable provisions of these supplemental general conditions prevail.
Article 2 – Ownership of Personal Information and Records
To perform the Work, the Contractor will be provided with and/or will be collecting Personal Information from third parties. The Contractor acknowledges that it has no rights in the Personal Information or the Records and that Elections Canada owns the Records. On request, the Contractor must make all the Personal Information and Records available to Elections Canada immediately in a format acceptable to Elections Canada.
Article 3 – Use of Personal Information
The Contractor agrees to create, collect, receive, manage, access, use, retain, and dispose of the Personal Information and the Records only to perform the Work in accordance with the Contract.
Article 4 – Collection of Personal Information
If the Contractor must collect Personal Information from a third party to perform the Work, the Contractor must only collect Personal Information that is required to perform the Work. The Contractor must collect the Personal Information from the individual to whom it relates and the Contractor must inform that individual (at or before the time when it collects the Personal Information) of the following:
- that the Personal Information is being collected on behalf of, and will be provided to, Elections Canada;
- the ways the Personal Information will be used;
- that the disclosure of the Personal Information is voluntary or, if there is a legal requirement to disclose the Personal Information, the basis of that legal requirement;
- the consequences, if any, of refusing to provide the information;
- that the individual has a right to access and correct his or her own Personal Information; and
- that the Personal Information will form part of a specific personal information bank (within the meaning of the Privacy Act), and also provide the individual with information about which government institution controls that personal information bank, if the Contracting Authority has provided this information to the Contractor.
The Contractor, its subcontractors, and their respective employees must identify themselves to the individuals from whom they are collecting Personal Information and must provide those individuals with a way to verify that they are authorized to collect the Personal Information under a Contract with Elections Canada.
If requested by the Contracting Authority, the Contractor must develop a request for a consent form to be used when collecting Personal Information, or a script for collecting the Personal Information by telephone. The Contractor must not begin using a form or script unless the Contracting Authority first approves it in writing. The Contractor must also obtain the Contracting Authority's approval before making any changes to a form or script.
At the time it requests Personal Information from any individual, if the Contractor doubts that the individual has the capacity to provide consent to the disclosure and use of his or her Personal Information, the Contractor must ask the Contracting Authority for instructions.
Article 5 – Maintaining the Accuracy, Privacy and Integrity of Personal Information
The Contractor must ensure that the Personal Information is as accurate, complete, and up to date as possible. The Contractor must protect the privacy of the Personal Information. To do so, at a minimum, the Contractor must:
- not use any personal identifiers (e.g., social insurance number) to link multiple databases containing Personal Information;
- segregate all Records from the Contractor's own information and records;
- restrict access to the Personal Information and the Records to people who require access to perform the Work (for example, by using passwords or biometric access controls);
- provide training to anyone to whom the Contractor will provide access to the Personal Information regarding the obligation to keep it confidential and use it only to perform the Work. The Contractor must provide this training before giving an individual access to any Personal Information and the Contractor must keep a record of the training and make it available to the Contracting Authority if requested;
- if requested by the Contracting Authority, before providing anyone with access to the Personal Information, require anyone to whom the Contractor provides access to the Personal Information to acknowledge in writing (in a form approved by the Contracting Authority) their responsibilities to maintain the privacy of the Personal Information;
- keep a record of all requests made by an individual to review his or her Personal Information, and any requests to correct errors or omissions in the Personal Information (whether those requests are made directly by an individual or by Elections Canada on behalf of an individual);
- include a notation on any Record(s) that an individual has requested be corrected if the Contractor has decided not to make the correction for any reason. Whenever this occurs, the Contractor must immediately advise the Contracting Authority of the details of the requested correction and the reasons for the Contractor's decision not to make it. If directed by the Contracting Authority to make the correction, the Contractor must do so;
- keep a record of the date and source of the last update to each Record;
- maintain an audit log that electronically records all instances of and attempts to access Records stored electronically. The audit log must be in a format that can be reviewed by the Contractor and Elections Canada at any time; and
- secure and control access to any hard copy Records.
Article 6 – Safeguarding Personal Information
The Contractor must safeguard the Personal Information at all times by taking all measures reasonably necessary to secure it and protect its integrity and confidentiality. To do so, at a minimum, the Contractor must:
- store the Personal Information electronically so that a password (or a similar access control mechanism, such as biometric access) is required to access the system or database in which the Personal Information is stored;
- ensure that passwords or other access controls are provided only to individuals who require access to the Personal Information to perform the Work;
- not outsource the electronic storage of Personal Information to a third party (including an affiliate) unless the Contracting Authority has first consented in writing;
- safeguard any database or computer system on which the Personal Information is stored from external access using methods that are generally used, from time to time, by prudent public and private sector organizations in Canada in order to protect highly secure or sensitive information;
- maintain a secure back-up copy of all Records, updated at least weekly;
- implement any reasonable security or protection measures requested by Elections Canada from time to time; and
- notify the Contracting Authority immediately of any security breaches; for example, any time an unauthorized individual accesses any Personal Information.
Article 7 – Appointment of Privacy Officer
The Contractor must appoint someone to be its privacy officer and to act as its representative for all matters related to the Personal Information and the Records. The Contractor must provide that person's name to the Contracting Authority within ten (10) days of the Effective Date of the Contract.
Article 8 – Quarterly Reporting Obligations
Within thirty (30) calendar days of the end of each quarter (January-March; April-June; July-September; October-December), the Contractor must submit the following to the Contracting Authority:
- a description of any new measures taken by the Contractor to protect the Personal Information (for example, new software or access controls being used by the Contractor);
- a list of any corrections made to Personal Information at the request of an individual (including the name of the individual, the date of the request, and the correction made);
- details of any complaints received from individuals about the way in which their Personal Information is being collected or handled by the Contractor; and
- a complete copy (in an electronic format agreed to by the Contracting Authority and the Contractor) of all the Personal Information stored electronically by the Contractor.
Article 9 – Threat and Risk Assessment
Within ninety (90) calendar days from the Effective Date of the Contract and, if the Contract lasts longer than one year, within thirty (30) calendar days of each anniversary date of the Contract, the Contractor must submit to the Contracting Authority a threat and risk assessment, which must include:
- a copy of the current version of any request for consent form or script being used by the Contractor to collect Personal Information;
- a list of the types of Personal Information used by the Contractor in connection with the Work;
- a list of all locations where hard copies of Personal Information are stored;
- a list of all locations where Personal Information in machine-readable format is stored (for example, the location where any server housing a database including any Personal Information is located), including back-ups;
- a list of every person to whom the Contractor has granted access to the Personal Information or the Records;
- a list of all measures being taken by the Contractor to protect the Personal Information and the Records;
- a detailed explanation of any potential or actual threats to the Personal Information or any Record, together with an assessment of the risks created by these threats and the adequacy of existing safeguards to prevent these risks; and
- an explanation of any new measures the Contractor intends to implement to safeguard the Personal Information and the Records.
Article 10 – Audit
Elections Canada may audit the Contractor's compliance with these supplemental general conditions at any time. If requested by the Contracting Authority, the Contractor must provide Elections Canada (or Elections Canada's authorized representative) with access to its premises and to the Personal Information and Records at all reasonable times. If Elections Canada identifies any deficiencies during an audit, the Contractor must immediately correct the deficiencies at its own expense.
Article 11 – Statutory Obligations
The Contractor acknowledges that Elections Canada is required to handle the Personal Information and the Records in accordance with the provisions of the federal Privacy Act, Access to Information Act, R.S. 1985, c. A-1, and Library and Archives of Canada Act, S.C. 2004, c. 11. The Contractor agrees to comply with any requirement established by the Contracting Authority that is reasonably required to ensure that Elections Canada meets its obligations under these acts and any other legislation in effect from time to time.
The Contractor acknowledges that its obligations under the Contract are in addition to any obligations it has under the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, or similar legislation in effect from time to time in any province or territory of Canada. If the Contractor believes that any obligations in the Contract prevent it from meeting its obligations under any of these laws, the Contractor must immediately notify the Contracting Authority of the specific provision of the Contract and the specific obligation under the law with which the Contractor believes it conflicts.
Article 12 – Disposing of Records and Returning Records to Elections Canada
The Contractor must not dispose of any Record, except as instructed by the Contracting Authority. On request by the Contracting Authority, or once the Work involving the Personal Information is complete, the Contract is complete, or the Contract is terminated, whichever of these comes first, the Contractor must return all Records (including all copies) to the Contracting Authority.
Article 13 – Legal Requirement to Disclose Personal Information
Before disclosing any of the Personal Information pursuant to any applicable legislation, regulation, or an order of any court, tribunal or administrative body with jurisdiction, the Contractor must immediately notify the Contracting Authority, in order to provide the Contracting Authority with an opportunity to participate in any relevant proceedings.
Article 14 – Complaints
Elections Canada and the Contractor each agree to notify the other immediately if a complaint is received under the Access to Information Act or the Privacy Act or other relevant legislation regarding the Personal Information. Each Party agrees to provide any necessary information to the other to assist in responding to the complaint and to inform the other immediately of the outcome of that complaint.
Article 15 – Exception
The obligations set out in these supplemental general conditions do not apply to any Personal Information that is already in the public domain, as long as it did not become part of the public domain as a result of any act or omission of the Contractor or any of its subcontractors, agents, or representatives, or any of their employees.