Notes for presentation on GIS and PIPEDA
• GIS contracting issues
o What kind of contract do you need?
o Who owns system once created?
o Who owns data used
o Who owns results of GIS
o Who needs to be asked permission for collection, use, disclosure
o Outsourcing GIS
• Personal information protection
2. Some GIS Contract basics
• In writing
o For system – RFP the work and review the vendor's standard agreement for insurance, liability limitations, indemnification.
o For data acquisition – you must require that the vendor of the data has the right to sell it to you.
o For data disclosure
• Insurance for custom GIS work
o Software errors and omissions examples:
▪ http://www.encon.ca/english/ps/tip/index.html
▪ http://www.insurenewmedia.com/
[These links are provided just as examples of the insurance available and not as recommendations of any kind]
• Data acquisition
o Sources
▪ Direct from your citizens
▪ Government sourced data – MPAC assessment records
▪ Purchased data: private data banks
▪ Free data: an improved www.Mapquest.com of the future
▪ Derived data: the results
o Consents:
▪ Do you have all the permissions you need?
▪ Have all consents been acquired by the vendor?
▪ Information can be tainted and continues to be tainted through subsequent transfers, uses, disclosures
• Data Disclosure
o Examples
▪ Income source
▪ Reciprocal arrangement with other government body
o Sale / licensing of data
▪ Presumption that a data bank is simply an asset?
▪ Does the data bank contain personal information?
▪ Does it contain information that can be combined with other data to create personal records?
o Outsourcing
▪ How far out does the chain of subcontractors go?
▪ Will your outsourcer tell you how far the chain goes?
▪ Example: IBM outsources much e-commerce work to small firms (now consultants, not necessarily programmers) – so where is the work being done?
3. Personal Information?
• What is personal information
o In the last few years a number of new laws have come into existence on the issue of the protection of personal information:
o MFIPPA since 1990
o PIPEDA 1 January 2004
▪ Inter-provincial and Federally regulated since 1 January 2001
▪ Health data since 1 January 2002
o PIPEDA applies to every organization in respect of personal information that:
(a) the organization collects, uses or discloses in the course of commercial activities; or
(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
• Who owns personal information
o The person it is about
o The entity that collects it
o Another entity that buys it from the first entity
• Precision of information
o Information is only personal when it relates to an identifiable individual
o Statistical information is not personal
o Methods of collection becoming more and more sophisticated
o Pervasiveness of data mining – number crunching now on any desktop
• Sensitivity of information
o Some information can be more sensitive than others. A good guideline is the protected list from human rights law.
• Right to consent to collection, use, disclosure and the purpose for each touch on many legal documents:
o PIPEDA and MFIPPA provide regulation over information
o Copyright and other intellectual property laws provide rights
o Licenses and other agreements related to your agreement also provide rights
4. When do privacy interests conflict with GIS contracting?
• PIPEDA
o Requires that collection, use and disclosure be principled. Municipalities may fall under PIPEDA through the generality of a number of its key terms and phrases: “organization”, “personal information” and “commercial activities”. Under section 4(1), the combined presence of these terms is required for PIPEDA to apply:
This Part applies to every organization in respect of personal information that:
(a) the organization collects, uses or discloses in the course of commercial activities; or
(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
o “Organization”
Section 1 of PIPEDA defines "organization" as including an association, a partnership, a person and a trade union. Section 35 of the Federal Interpretation Act, RSC 1985, c.I-21 states that the word "person," or any word or expression descriptive of a person, includes a corporation. Similar wording exists in section 29(1) of the Interpretation Act, R.S.O. 1990, c.I.11. Under section 4 of the Municipal Act, 2001, S.O. 2001, c.25:
The inhabitants of every municipality are incorporated as a body corporate.
Municipal corporations, therefore, are “persons” under law and therefore “organizations” for purposes of PIPEDA.
o “Personal Information”
The second broad term used in PIPEDA is “personal information”. Section 5(1) of PIPEDA states that, subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1. Schedule 1 sets out a number of broad principles which must be followed in the handling of “personal information.” Personal information is defined under section 2(1) of PIPEDA as follows:
"personal information" means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.
What is not required for data to fall into this definition is that the data be a comprehensive set of data about a person or that the data itself identifies the person. Partial data which can identify a person when combined with other data is also personal information. All it needs to do is “relate” to the person.
o “Commercial Activities”
The third term is “commercial activities.” An organization falls under PIPEDA if it collects, uses or discloses personal information in the course of “commercial activities.” Commercial activities are defined in section 2(1) of PIPEDA:
"commercial activity" means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
A review of the meanings contained in “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character” confirmed that this. Any procurement would qualify as a transaction. From the vending side of commerce the definition “any regular course of conduct that is of a commercial character” should include any service that places the City in the marketplace. Examples would be nursing homes, arena or other facility rentals and gas or electric utilities.
• Cases:
PIPEDA is not the only source in law confirming municipalities take part in commercial activities. The Courts have found that municipalities participate in commercial activities in other contexts. Shell Canada Products Ltd. v. Vancouver (City), [1994] 1 S.C.R. 231:
?"there are many considerations applicable to public bodies and not to private which may justify different treatment of the two, even when engaged in similar activity". The most important difference is the fact that municipalities undertake their commercial and contractual activities with the use of public funds? (at para. 11)
While they are not identical to private organizations, the activities of municipalities in the marketplace can be characterized as a commercial activity. In the case, Reference re: Goods and Services Tax (Can.), [1991] A.J. No. 866, the Alberta Court of Appeal noted:
"Public sector bodies" which include federal and provincial governments, charities, non-profit organizations, municipalities, universities, public colleges, school authorities and hospital authorities, must collect and remit the tax to the extent that they engage in commercial activities. Certain activities of governments and municipalities are "deemed" to be commercial activities for the purpose of the GST Act. While provincial governments themselves are not liable to pay tax on their purchases, various entities created by provincial governments such as municipalities, universities, public colleges, public hospitals, schools and school authorities (the "MUSH sector") are liable to pay tax. (at para 6)
Again, in J.P. Towing Service and Storage Ltd. v. Toronto (Metropolitan Police Services Board) [1999] O.J. No. 3959:
Call them mere commercial transactions, but they are nonetheless within the ambit of a power granted to the municipal governments, and what is important is the fact that municipalities undertake their commercial and contractual activities with the use of public funds.
As a result, it is fair to say it is not the profit motive but the transactional and revenue/expenditure activity which triggers the application of PIPEDA. Personal data received through non-commercial transactions in the nature of taxes, penalties, fees and charges is not included in the Act where those occur in the non-commercial, non-market context. These would include licensing, parking fines, rates and planning charges, as the municipality is an effective non-commercial monopoly in relation to these matters.
• Exceptions
There are important exceptions to PIPEDA set out in the Act or regulations. Personal information does not include:
o Employment: the name, title or business address or telephone number of an employee of an organization: PIPEDA, s. 2(1).
It is important to note that all other information in relation to an employee is personal information – email address, employment records, health information and performance memos under PIPEDA. The issue is whether employment records are commercial activity. If we consider just hiring records, and especially competition records of those not hired, we can see that there may be aspects of employment records that could be considered commercial.
o Telephone Directories: personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory: Regulations Specifying Publicly Available Information, P.C. 2000-1777 13 December, 2000, sec. 1(a);
o Business Directories: personal information including the name, title, address and telephone number of an individual that appears in a professional or business directory, listing or notice, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the directory, listing or notice: Reg. 2000-1777, sec. 1(b);
o Public Registries: personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the registry: Reg. 2000-1777, sec. 1(c).
The MPAC assessment rolls would be an example of such a registry but only when used for purposes under the Act.
Q: If derived data is then sold in digital form for use in a GIS application, has the purpose changed, and is it barred under PIPEDA?
o Court or Tribunal Records: personal information that appears in a record or document of a judicial or quasi-judicial body, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the record or document: Reg. 2000-1777, sec. 1(d); and
o Public Press: personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information: Reg. 2000-1777, sec. 1(e).
