|
|
Privacy
Guidelines for
British Columbia Public Libraries
11. Outside Service
Providers
a) Services provided on behalf of the library
|
When an outside organization is used to provide library
services on behalf of a library, it is as though the library was providing the service
itself. In other words, the library is responsible for how the service
provider deals with personal information in the course of providing
services for the library (Act, s. 3(1)). It is important to know exactly
how the personal information will be treated in every aspect of the
service.
A Privacy Protection Schedule
(PPS) should form part of any contract involving personal
information. A pre-written PPS is available
on-line.
Box 11.1
|
|
Examples
of 2 Extremes:
-
Mail
house à Where a library uses a mail house for mass mailings, it should clearly
set out that the personal information is in its control while at the
mail house and specify how the mail house must comply with FOIPPA.
A Privacy Protection Schedule (PPS) should form part of the contract
for services (see above).
-
Software service providers à This is a far more
complex area. The flow of personal information can be complex and pose
problems for securing the information. Also, the organizations often
store patron personal information on their own servers and in
providing technical services, their employees may access the personal
information. If the company is not Canadian, the situation is even
more complex because it is illegal to store or access personal
information outside Canada, except in certain circumstances (Act, s.
30.1). When considering having an outside organization provide this
type of service, libraries should conduct a Privacy Impact Assessment
(PIA) .
|
b) Referrals to services or organizations
outside the library
i) On-line services
ii) Collection agencies
|
Libraries may want to use a collection agency to collect a debt. Personal information may be disclosed to a collection
agency without consent from the individual to whom it belongs for this
purpose (Act, s. 33.1(1)(i)). Only personal information reasonably needed
by the collection agency should be disclosed. Also, the personal
information must not be disclosed outside Canada unless it is reasonable
to believe that the person who owes the debt lives or has assets in that
country (Act, s. 33.1(1)(i)).
Contracts with collection agencies should have a Privacy
Protection Schedule (PPS) attached to form part of the contract. The PPS
specifies how the collection agency must treat the personal information.
The Information Policy & Privacy Branch offers a PPS available
on-line.
For more information, see "Collection
agencies" (above), as well as under "Registration" and
"Disclosure of personal information".
|
c) Janitorial or other services
| Whether janitorial or other services
are provided by employees or outside service providers,
it is unlikely that there is any reason why they should need access
to personal information in the custody of the library. Security and
training measures should be taken to ensure that persons without
authorization do not access personal information. |
|
