We are currently moving our web services and information to Canada.ca.

The Treasury Board of Canada Secretariat website will remain available until this move is complete.

Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows


Archived information

Archived information is provided for reference, research or recordkeeping purposes. It is not subject à to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

6. Follow-up Actions—The Way Ahead

Risk management is a continuous process. Consequently, the Government of Canada's work on the USA PATRIOT Act and the larger issue of transborder data flows will extend beyond the publication of this report.

Steps will be taken to ensure that federal institutions continue to monitor risks and that risk mitigation and avoidance strategies are in place.

The following is a list of measures that the government will undertake in the short- (zero to six months), medium- (six months to a year), and long-term (one to two years).

Federal institutions

Federal institutions have an ongoing responsibility to ensure that their risk mitigation strategies related to the USA PATRIOT Act are in place and that they have taken concrete steps to identify and minimize potential privacy risks when considering future contract needs.

1. The Secretariat

Ongoing and within six months

  • 1.1 Continue meeting with the seven federal institutions that identified some contracts that were rated in the “medium to high risk” category in order to assess if implementation plans are commensurate with the risks identified in the institution's comprehensive assessments;
  • 1.2 Provide general advice and support for all federal institutions on departmental risk implementation plans; and
  • 1.3 Disseminate guidance on the USA PATRIOT Act and other similar foreign legislation to government security experts as part of the recently revised standard under the Government Security Policy entitled Security and Contracting Management Standard.

Six months to one year

  • 1.4 Launch a government-wide assessment approximately one year following the distribution of this report, to determine
    • the level of success of implementation of the measures recommended in the guidance document; and
    • whether risk exposure for the USA PATRIOT Act and transborder data flows has decreased, remained static, or increased since the original assessment.
  • 1.5 Issue guidance to federal institutions on information-sharing agreements to address the broader issue of how Canadians' personal information is being shared with other jurisdictions within Canada and with other countries. The guidance will help to ensure that the personal information of Canadians is treated with at least the same standard of privacy measures mandated in federal legislation and policies for government-to-government information sharing within Canada and abroad.
  • 1.6 Provide best practices in building privacy into design through technological and architectural solutions, such as the use of encryption, the segregation of databases, and audit trails based on consultations with other jurisdictions and the private sector.
  • 1.7 Develop, in collaboration with the internal auditing community, an internal audit guide to assess privacy in contracting.

One to two years

  • 1.8 Design, develop, and communicate a privacy management framework that sets out the Government of Canada's privacy vision and strategy. The Framework will provide the foundation for a comprehensive privacy risk management and accountability infrastructure that will ensure that there is a balance between the privacy rights of individuals and the requirement to fulfill other public interest goals and program mandates. Ultimately, it will establish high standards of privacy protection. This work is to be carried out in partnership with the Office of the Privacy Commissioner of Canada.

2. Industry Canada

Within six months

  • 2.1 Work with the Office of the Privacy Commissioner of Canada to develop tools and identify opportunities for increasing awareness of transborder data flow issues among businesses and the general public.

One to two years

  • 2.2 Lead work on the recently announced Security and Prosperity Partnership of North America (SPP), a trilateral agreement between the governments of Canada, Mexico, and the U.S. The Framework of Common Principles for Electronic Commerce with Mexico and the United States, agreed to under the SPP in June 2005, includes a work element respecting privacy and transborder data flows. Potential issues for discussion include common approaches to the protection of personal information, the balance between privacy and security, and the need for transparency and oversight in the use of personal information for law enforcement and national security purposes.
  • 2.3 In 2006, PIPEDA is scheduled to be reviewed by a parliamentary committee. The review will provide the opportunity to discuss the effectiveness of PIPEDA to address a variety of privacy issues and concerns.

3. Department of Justice Canada

One to two years

  • 3.1 The Department of Justice Canada will continue its ongoing review and assessment of its privacy laws, including the Privacy Act. If the Government of Canada determines that the Privacy Act is to be renewed, the department will work with the Secretariat and other stakeholders to determine if the reformed Act should define the responsibilities and potential requirements of those who transfer personal information outside the public sector and outside Canada.
  • 3.2 The Department of Justice Canada will work in close collaboration with the Secretariat to ensure that the Secretariat develops and launches policy guidance on information-sharing agreements and contractual arrangements that reflect appropriate privacy protective measures to address the broader issue of how the personal information of Canadians is being shared with other jurisdictions within Canada and with other countries.

4. Public Works and Government Services Canada

Within six months

  • 4.1 Communicate and make available the sample clauses and contracting guidance or advice to all PWGSC procurement officers.
  • 4.2 Build awareness of the USA PATRIOT Act and the issue of transborder data flows by covering these topics in the current privacy training module of the Security in Contracting course designed for PWGSC procurement officers.

5. Canada School of Public Service

Six months to a year

  • 5.1 Develop and deliver courses and modules to build awareness about privacy, transborder data flows, and contracting for all levels of employees and for all communities of practice (including information technology specialists, privacy specialists, business program managers, and policy experts). A similar program has been undertaken for information management in government.


Date modified: