Government Outsourcing and Threats to Privacy
"Privacy is the claim of individuals, groups or
institutions to determine for themselves when, how, and to what extent
information about them is communicated to others." (Alan F. Westin,Privacy
and Freedom, New York: Atheneum Publishers, 1967.)
It is not often that a privacy issue becomes Page One news, but it has happened in British Columbia. Shortly after it became public, earlier this year, that the Liberal Government intended to contract out the storage and processing of its medical services plan to Themis Program Management and Consulting Limited, the Canadian subsidiary of the U.S. firm MAXIMUS, the B.C. Government and Services Employee Union (BGSEU) accused the government of ignoring the associated threats to individual privacy. Simply put, the union claimed that the U.S. Patriot Act passed in the wake of the terrorist attacks of September 11, 2001, among many other things, gave the FBI the legal authority to access information about possibly suspicious individuals, stored in any database under U.S. control. Thus, it is necessary to determine whether or not files maintained by the Canadian subsidiary of a U.S. company are subject to U.S. laws.
In response to the concerns raised by the BGSEU, the Right to Privacy Campaign was initiated, involving many activist groups in B.C. concerned about threats to their privacy and that of their fellow citizens. On May 28, the Information and Privacy Commissioner of B.C., David Loukidelis, invited submissions, "Assessing USA Patriot Act Implications for Privacy Compliance Under British Columbia's Freedom of Information and Protection of Privacy Act." The question to be addressed concerns potential challenges to the privacy rights guaranteed to all Canadians by law and the Charter, by the U.S. which provides no general privacy protection for its own citizens. Furthermore, in this case, the concern arises from the fact that medical records contain perhaps the deepest of our private information. Access to these records could have a devastating impact on our lives.
At the time of this writing, Mr. Loukidelis is reviewing the submissions. Submissions that have already been made are available at the Office of the Information and Privacy Commissioner: http://www.oipc.bc.ca/sector_public/usa_patriot_act/submissions.htm It should be clear in the analysis that follows that there are some interesting, and difficult, legal issues embedded in this situation and at this point it is only the opinions of the various players that are being considered. Given that the BGSEU first raised this issue, it is possible that self-interest might be seen as a motivating factor, in that the union obviously wants to maintain the jobs of those employees currently involved in managing health records. But clearly, the basic privacy issue is valid, and does raise important issues that require immediate attention. Outsourcing is a process which will be part of global commerce for some time to come. Two submissions will be briefly described, that of MAXIMUS, the U.S. parent company, and that of Michael Geist, Canada Research Chair in Internet and E-commerce Law, and professor in the Faculty of Law, University of Ottawa. A recent proposal of the B.C.Provincial Government, more specifically, the Ministry of the Attorney General, will be also be reviewed.
As self-described, MAXIMUS is a U.S. company with the mission of "Helping Government Serve the People." Furthermore, it concisely characterizes its operational mandate as, "Throughout the delivery of health and human service operations, MAXIMUS is contractually and ethically committed to the robust protection of privacy and security of information." So far so good, but then both Canadian and U.S. laws and treaties, namely, the U.S. Patriot Act and the Mutual Legal Assistance on Criminal Matters ("MLAT") come into play and intrude into the protections ostensibly guaranteed by Canadian federal and provincial laws. It should be noted that the privacy protection in Canadian laws, specifically the Personal Information Protection and Electronic Documents Act (PIPEDA) for the private sector, the B.C.Freedom of Information and Protection of Privacy Act for the public sector, and the B.C. Personal Information Protection Act (B.C.'s version of PIPEDA), is compromised by the legitimate needs of law enforcement officials.
The BGSEU's claim that the Patriot Act could be used by the FBI was not unreasonable, given that within the U.S., the FBI has the power to obtain access to computer records it deems suspicious, without having to first obtain a search warrant or subpoena. Thus within the U.S., libraries, for example, can have their patrons' borrowing records accessed and furthermore, librarians are not permitted to object, nor to publicize the event. The argument was that such a possibility could arise for the medical records of British Columbians, if they were managed by a subsidiary of a U.S. Company, and furthermore that the B.C. government seemed not to have been aware of this possibility. But a prior, more powerful, means for U.S authorities to access records of Canadians already existed, namely, MLAT, a treaty which facilitates the sharing of information across the border.
MAXIMUS recognizes this possibility, but argues that sufficient checks and balances exist that the possibility is remote. Nevertheless, Canadians must realize that there is no absolute privacy protection and that their records could be accessed by Canadian law enforcement officials, as well as their counterparts in the U.S, under some circumstances.
Apparently in response to these concerns, B.C.Attorney-General Geoff Plant announced that his government would be introducing "strong new privacy protections Š to limit the reach of the U.S. Patriot Act." (Lindsay Kines, "B.C. drafts privacy law to curb U.S. Patriot Act, The Vancouver Sun, July 24, 2004.) In more detail, the Attorney-General went on to say that, "the new rules will prohibit disclosure of government data, require companies to notify the government if they have been asked to disclose information, prohibit any sensitive personal information from being sent to the U.S., and penalize companies that break the rules." It is not at all obvious that anything the B.C. government does can protect the privacy of British Columbians.
Indeed, the report prepared for the B.C. Information and Privacy Commissioner by Professor Michael Geist is quite pessimistic.In brief, Geist acknowledges that, "U.S. law does indeed grant law enforcement authorities the power to compel disclosure of personal information without notifying the targeted individual that their information is being disclosed Š. Moreover, the application of these laws is not limited to U.S. companies but actually applies to any company with sufficient U.S. connections such that it could find itself subject to the jurisdiction of the U.S. courts.
This is true both for U.S. companies operating in foreign countries as well as for foreign companies with U.S. subsidiaries." There is much more, but let me conclude with the following four recommendations made by Geist that should be relevant in interpreting the B.C. government's new proposals: * considering a ban on governmental outsourcing of personal information, * establishing a formal or informal agreement with U.S. law enforcement agencies on requests involving Canadian data, * amending PIPEDA to meet the U.S. blocking statute standard, ("One of the only effective means of deterrence to disclosure of records to U.S. law enforcement is a blocking statute Š,") and * clarifying the jurisdictional reach of PIPEDA.
In conclusion, it is apparent that the most effective way to protect the privacy of British Columbians is to roll back the government's commitment to outsourcing as much information as it can. The traditional responsibility of government to manage the information it collects about its citizens in a responsible manner must prevail. The limited purported economic benefits of outsourcing do not compensate for the real threats to personal privacy.