The Saskatchewan Office of the Privacy Commissioner recently raised concerns over how the province’s Public Service Commission outsourced a number of services to a U.S. contractor without paying enough attention to privacy.

Unlike other provinces, Saskatchewan’s privacy legislation does not explicitly require the public sector to safeguard personal information. In sharing information with a third party, another concern is that if a contracted company were to go bankrupt and their assets seized, it may not be possible to regain control of the personal information shared.

The Commissioner found that the Public Service Commission had no clue what was happening for instance with the data provided by government employees responding to a skills survey or applying for a job through the government’s website that involved a service provider collecting the information in the back end. How this data was protected, where it was stored and how long it was retained were not questions that the Public Service Commission had explored.

The Saskatchewan Commissioner issued eight recommendations including strengthening contract language to meet privacy best practices. This should include clear timelines for when and how information should be destroyed. The Commissioner also recommended that the government’s privacy policy make it transparent that personal information could be released to a third party if submitted to the Public Service Commission website.

The Commissioner also recommended that privacy impact assessments be initiated and applied to  contractors and subcontractors who work with the province to ensure that they are compliant with essential pieces of privacy legislation such as the Freedom of Information and
Protection of Privacy Act and the Health Information Protection Act.

The Saskatchewan Privacy Commissioner’s full report provides useful guidance for both the public and private sectors on privacy best practices when outsourcing key business functions.