No secrets from Uncle Sam
The U.S. Patriot Act tentacles extend far and wide. British Columbians might not even know if their privacy is invaded
By Jim Quail
Vancouver Sun
Monday, June 28, 2004
Picture this scenario. The U.S. Federal Bureau of Investigation receives a tip that a person of Arab descent, who might live in or near New Westminster, B.C., has been involved in plotting a terrorist attack on an American target. He might have been injured in a minor accident in a basement bomb-making lab.
It comes to their attention that the Fraser Health Authority has engaged MagnaTrans Inc. of Austin, Tex. (a fictitious company), to transcribe patient records for Royal Columbian Hospital. The contract between the Health Authority and MagnaTrans specifies that the contractor will not disclose any patient information that violates B.C.'s information and privacy laws.
The FBI gets a United States court order under the U.S. Patriot Act requiring MagnaTrans to produce all files, documents and computer hard drives containing Royal Columbian Hospital records that include any male patients with the common Arab surnames listed in the order, who were seen in the emergency ward during a six-month period.
The FBI serves a copy of the order on MagnaTrans' CEO at its Austin head office. The agent warns him that if the company tells anyone the reason for the visit, or fails to comply fully with the order, he and MagnaTrans will both face criminal prosecution.
One would prefer to live in a world where such a scenario is far-fetched. We are not so fortunate.
Governments collect vast amounts of information about each of us - information about our health, our personal finances and countless aspects of our lives. We assume this information will remain confidential, and won't be abused or handed over to anyone except the government agency that needs it in order to provide us with public services. But when governments get out of the business of looking after that information themselves, and start contracting it out to the private sector, a whole new set of problems arises.
In 2001, the B.C. information and privacy commissioner looked at the duty of public bodies to ensure the protection of privacy is not compromised by contracting out. Vancouver General Hospital had contracted out its information systems to Telus. The result of the arrangement was that the contractor had access to and custody of personal information regarding patients and employees of the hospital.
The core principle that was reaffirmed by the commissioner was that public bodies have a duty to ensure that contracting out does not compromise our privacy rights. They have a duty to obtain adequate contractual safeguards to maintain control over access to and use of personal information.
It is not good enough for the public body to retain legal ownership of the data. The issue is the protection of the information from unlawful disclosure, not merely its formal ownership.
VGH plugged privacy holes
In the 2001 case, the commissioner found that, while the contract was inadequate to meet Vancouver General's privacy obligations, the hospital had put practices in place that, so to speak, "plugged the holes" and reasserted its control over the information. However, it was advised to employ better contractual protections in the future. Those protections should include the clear specification of privacy protection requirements, a right to terminate the contract if privacy rules are violated, control over changes in data security arrangements, and control over sub-contracting and third-party access.
These solutions are not available if the players fall within the umbra of the American "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 2001" (which rather tackily spells "U.S.A. P.A.T.R.I.O.T. Act"). Wherever outsourcing by a public body gives access to personal information to a contractor that is within the reach of the Patriot Act, it is beyond the capacity of any contractual safeguards to assure compliance with our privacy legislation.
Furthermore, it is beyond the capacity of any practice on the part of the public body to maintain compliance, if the contractor possesses, controls or even has simple access to personal information about British Columbians.
David Loukidelis, our information and privacy commissioner, is now studying the impact of the Patriot Act on the privacy rights of B.C. residents when public agencies contract out personal information management.
The act was hurriedly passed by the U.S. Congress in the wake of the Sept. 11, 2001, terrorist attacks on the World Trade Center and the Pentagon. It provides for secret court orders to give the FBI sweeping powers to force the production of "any tangible things." These are defined to include "books, records, papers, documents and other items" for investigations "to protect against international terrorism or clandestine intelligence activities." "Tangible things" also encompass such items as computer hard drives, tapes, CD-ROMs or discs.
People who are the subject matter of the records need not be engaged in any unlawful or nefarious activity themselves for the FBI to raid their privacy. All it takes is for the FBI to convince an American judge that the information is somehow useful in an anti-terrorism investigation.
But this is not the only part of the Patriot Act that opens personal information to disclosure. While personal information databanks that are physically kept or transported via hard copy or computer media are subject to production, those that are transported electronically are subject to covert interception.
The massive powers that the act gives to the American government to gain access to personal information to which the contractor might have access override any private contract or other protective arrangements.
First, the Patriot Act immunizes parties complying with orders to hand over personal information from any liability in the American courts.
Second, and most significantly, non-compliance with an order to produce a record carries serious penal sanctions against the contractor.
The reach of the Patriot Act includes all persons and entities subject to U.S. law. That includes not only American residents, and contractors incorporated in the U.S., but also companies based in other jurisdictions - including Canada - that have a corporate presence in the U.S. or its possessions.
That is, it could apply to any party who can be subject to American legal sanctions, and who is capable of complying with an order granted to the FBI under the legislation.
Therefore, the outcome indicated by the scenario at the outset of this column would not be materially changed if the contractor were a Canadian corporation with a branch office in Austin. It might possibly not even be materially changed if the patient records were physically stored on a hard drive in Toronto, but accessible from the Austin office, depending on the circumstances.
Furthermore, the Patriot Act erects statutory barriers to scrutiny that make it impossible even to know whether British Columbians' privacy rights have been compromised.
Risking prosecution
In our scenario, if the FBI served the Austin manager of the Toronto transcription firm with an order, he would risk prosecution even if he advised his own head office of the disclosure - unless its involvement was necessary to produce the records.
So if Victoria enters into contracts that give custody, control or access to personal information about B.C. residents to contractors within the reach of American law, the information is subject to compulsory disclosure to American law enforcement officials, with no opportunity for our government or the affected people to have any say or input in the matter. And no one - not our government, not the people whose privacy has been violated, nor anyone else in Canada - would even know about it.
Our government and other agencies in the public sphere have an obligation to ensure our privacy rights are not swept away in the U.S. tide. American legislators have demonstrated a willingness to constrain commercial freedom of activity in order to meet statutory security objectives. We must be prepared to accept constraints on public contracting activity in order to meet our own statutory privacy objectives.
Jim Quail is a barrister and solicitor with the B.C. Public Interest Advocacy Centre in Vancouver.
http://www.canada.com/vancouver/vancouversun/news/story.html?id=2778a59b-d83c-4402-8a06-5d428da8eaff