Ontario’s Ministry of Natural Resources (MNR) stores personal information related to hunting and fishing licences in a database located in the United States, under contract with a commercial vendor called Active Outdoors. Two members of the provincial legislature questioned this practice in light of the ability of US law enforcement agencies to compel the disclosure of personal data under the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (aka the PATRIOT Act, winner of the 2001 award for silly statute name).
In response to the MPPs’ complaint, the Privacy Commissioner has issued a report, in which she concludes that the PATRIOT Act ‘has invoked unprecedented levels of apprehension and consternation’, but ‘far more than ... is warranted.’ US law enforcement agencies have long been able to compel disclosure of personal information, so the PATRIOT Act doesn’t really change anything, and Canada’s own anti-terrorism laws replicate many aspects of the US disclosure requirements; this is all part of normal information-sharing between governments. In the commissioner’s view, it is fine for government agencies to outsource data-hosting services, provided they do not abdicate accountability for the personal information at stake. MNR’s contract with Active Outdoors contains ‘robust provisions that protect the personal information under [the ministry’s] control and restrict the use of that information’ by Active Outdoors, including a requirement to notify MNR promptly of any attempt by US authorities to compel disclosure, giving the ministry the opportunity to seek a protective order or other remedy to limit disclosure. MNR’s collection, use and disclosure of personal information comply with provincial privacy legislation and there are sufficient safeguards for information that is in the hands of the ministry’s US agent.
[Link available here].