Canada Revenue Agency takes adequate measures to ensure personal information not moved to U.S.
Complaint under the Privacy Act (the Act)
- The complainant raised concerns about a contract (the “Contract”) between the Canada Revenue Agency (CRA) and Mobilshred Inc. for the outsourcing of the storage of Canadians’ personal taxpayer information. More specifically, the complainant is particularly concerned that Canadians’ personal taxpayer information could be vulnerable to disclosure to authorities in the United States (US) under the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act, since he believes that Mobilshred Inc. is a division of Recall, a company that is based in the US.
- Although the complainant did not allege a specific violation of any provision of the Act, our investigation centered on whether the CRA has, in the context of the Contract, properly safeguarded any and all of the personal information entrusted to Mobilshred Inc. from unauthorized disclosure under the Privacy Act.
Background to Complaint
- This Office has previously raised concerns about the privacy implications of the cross-border flow of personal information.Footnote 1 Once personal information about Canadians is transferred outside of Canada, whether by a Canadian government agency, a private organization, or by Canadians themselves, the laws of the country in which the information is held will apply. Those laws will determine when government agencies such as police, security, and tax authorities can obtain access to that personal information. In some cases, foreign laws may provide access to personal information about Canadians in situations that many Canadians might find objectionable or inappropriate.
- Under US domestic law, there are various legal mechanisms that could allow authorities to access records from foreign companies. While a determination of the law in the US relating to compelling information from an entity located in another jurisdiction falls outside our mandate, for background purposes and in general terms, records in the custody of a foreign organisation could be compelled by a US authority or Court if the organisation has some sort of physical presence in the US or has sufficient ties to the US, regardless of whether the foreign organisation is owned by US or domestic shareholders and regardless of where the records are physically stored.
- One example of such a mechanism is an order under section 215 of the USA PATRIOT Act, which permits the Director of the US Federal Bureau of Investigation (or a delegate) to apply to the Foreign Intelligence Surveillance Court for an order to produce “any tangible things” from any individual or organization that is relevant to an investigation of international terrorism or clandestine intelligence activities.Footnote 2 There are also other mechanisms that could be used, such as grand jury subpoenas or administrative subpoenas.
- There are also other means that US authorities could employ to obtain records from a foreign entity over which a US authority or Court does not have jurisdiction. Examples include Mutual Legal Assistance Treaties (“MLATs”), bilateral treaties regarding evidentiary assistance, and letters rogatory.Footnote 3
- However, the complainant’s specific concern is that US authorities could gain access to the personal information of Canadian taxpayers under the USA PATRIOT Act if it were held in theUS, which he believes is possible, since Mobilshred Inc.’s parent company, Recall, is a foreign-owned company with operations in theUS. In support of this position, the complainant made reference to the business listing for “Recall & Mobilshred Inc.” with Industry Canada:
Recall Canada Holdings Inc., is a Canadian company and is part of the Recall Global family which today is known as a global leader in lifecycle information management offering Document Management, Digital Solutions, Data Protection and Secure Destruction. Currently, Recall supports approximately 80,000 customers in more than 20 countries on five continents.Footnote 4
Summary of Investigation
- Information about the Contract has been publically disclosed on MERX, the online service that lists Canadian public tenders and contracts awarded.Footnote 5 The Merx award abstract indicates that “Mobilshred Inc., operating as Recall,” was awarded the Contract for $40,000,000 on May 2, 2013, “for the provision of records management services” to the CRA (i.e., storage and warehousing). The Contract end date is May 1, 2018.
- We asked theCRA to provide information regarding the Contract with Mobilshred Inc. with respect to the security of the personal taxpayer information at issue. In response, theCRA provided us with the following representations:
The Canada Revenue Agency’s (CRA) contract is with Mobilshred Inc., which is a Canadian company, using the Recall brand across Canada. Recall Canada Holdings Inc. is the parent of Mobilshred Inc. (Canada). Recall Canada Holdings Inc. and Mobilshred Inc. (Canada) are not subsidiaries of Recall Corporation Inc. (US)
The contract between the CRA and Mobilshred Inc. (operating under the name Recall), covers only the storage of physical hard copy (ie. paper documents) within Canada. The CRA has structured the technical and mandatory requirements of the Mobilshred contract to ensure that all the paper records which are the subject of the contract including those that contain taxpayer information must physically remain in Canada. Accordingly the governing jurisdiction is Canada. Canadian laws would apply, not American laws including the U.S. PATRIOT Act.
- We then asked theCRA for more specifics with respect to its mitigation of potential privacy risks to Canadian taxpayer information, to which it responded:
A great deal of consideration was given to whether or not the USA PATRIOT Act would pose risks to the personal information of Canadians. Safeguarding taxpayer information is paramount for the CRA. To make sure issues of privacy and security were effectively addressed in designing and implementing the new managed service model, CRA officials consulted the Access to Information and Privacy Directorate internally and the Office of the Privacy Commissioner and the Department of Justice externally. All parties confirmed that the contractual documents clearly identify and address privacy and security-related requirements, including implications of the USA PATRIOT Act. The contractual documents address these concerns through well-defined, detailed physical and technological security requirements, as well as privacy clauses for the provision of these services with a focus on keeping sensitive taxpayer information under the Canadian government’s control and within Canada’s borders.
In light of the above, the CRA does not intend to store its physical records in an alternative manner than that set out under the current managed services provider model through its contract with Mobilshred Inc. (operating as Recall).
- Under the Treasury Board Secretariat’s (TBS) Directive on Privacy Impact Assessment (the “Directive”), federal government departments must conduct a Privacy Impact Assessment (PIA) in a manner that is commensurate with the level of privacy risk identified, before establishing any new or substantially modified program or activity involving personal information.Footnote 6
- The CRA determined that a PIA was not required under the Directive, but nonetheless consulted with our Office in 2011 and 2012 regarding the inclusion of privacy-related clauses in its Request for Proposal (RFP) and Statement of Work (SOW) for the records management contract. During that consultation process, CRA advised that it had conducted internal consultations with its own Access to Information and Privacy Branch to ensure that it had adequately followed the TBS’ guidance outlined in the document, “Taking Privacy into Account before Making Contracting Decisions.”Footnote 7 This guidance document was developed to assist federal government institutions in the mitigation of privacy risks associated with the potential exposure of Canadians’ personal information to U.S. authorities under the USA PATRIOT Act whenever they consider contracting out activities in which personal information about Canadians is handled or accessed by private sector agencies under contract.
- Since CRA did not complete a formal PIA, our Office did not provide any recommendations with respect to the RFP or SOW. It should be noted that in any case, any recommendations made by this Office to CRA (or any other institution) during the PIA review and/or consultation process are not binding, and that our Office does not have any role in authorizing or approving initiatives. While we can and do provide guidance in the interests of improving the personal information handling processes of federal institutions, accountability for decisions on the appropriate level of mitigation for privacy risk, and acceptance of any residual risk, lies solely with the institutions.
- As part of its representations, theCRA also provided us with the specific safeguards that were incorporated into the outsource contract that was awarded to Mobilshred Inc. We have confirmed that the contract includes the following requirements:
- All data entry is to be input and processed domestically.
- All destruction is done within Canada.
- Transportation must be all done within Canada (records must not enter into another country).
- All activities related to the management of CRA records must be conducted and data retained in Canada.
- Mobilshred Inc. is prohibited from disclosing and/or transferring any personal information outside the boundaries of Canada, or allowing parties outside Canada to have access to it (without the prior written approval).
- Mobilshred Inc. must ensure that all information technology (including databases, data input, servers, processing, storage, accessing, and all electronic backups) will be processed and housed within Canadian Borders.
- Mobilshred Inc. must ensure that any item or shipment transported is not stored, transferred to another aircraft or vehicle, or repackaged outside of Canada.
- During the course of our investigation, we conducted a search to verify whether Mobilshred Inc. is in fact affiliated with any US-based company. We determined that “Recall Total Information Management” was registered in Ontario under the Business Names Act on March 20, 2014, with a mailing address in the US state of Georgia.
- We also visited Recall’s Canadian website (since Mobilshred Inc. does not have its own website), which provides the following information about its corporate locations:
Headquartered in Atlanta, Georgia, in the United States, Recall is the leading global provider of information management services with corporate offices in São Paulo, Brazil; London, England; Kuala Lumpur, Malaysia; and Sydney, Australia.Footnote 8
- Given this information, the CRA was asked to provide additional representations as to whether or not there is any potential exposure of Canadian taxpayer information, in either paper format or electronic format, to US authorities as a result of the contract awarded to Mobilshred Inc.
- The CRA clarified that Recall Canada Holdings and Recall Corporation are separate subsidiaries ultimately owned by the same parent, Recall Holdings Limited (RHL), which is traded on the Australian securities exchange. Recall Corporation is a completely separate company from Recall Canada Holdings, each with distinct organizational structures and financial reporting. RHL global headquarters are listed as being in Atlanta, Georgia, because the Chief Financial Officer and General Counsel are physically located there and, as these two roles are responsible for receiving notices of anything related to the company’s corporate registrations in Canada, the mail is sent directly to this office so as to not cause delay in any necessary action or responses.
- Given that US law looks to whether there are sufficient ties between a foreign organization and the US for the purposes of determining whether US authorities have the power to compel information in the hands of a foreign organization, we also asked Recall for further information about its corporate structure in Canada and the US.
- In response to our request, we received the following information from Recall’s Vice-President & General Counsel (Americas):
- Mobilshred Inc., “doing business as Recall” is the corporate entity that has contracted with the CRA. Mobilshred Inc. is a Canadian entity. Mobilshred Inc. operates only in Canada; It has no operations in the United States.
- Mobilshred Inc. is 100% owned by Recall Canada Holdings, a Canadian entity.
- Recall Canada Holdings is a holding company in Canada that is 100% owned by Recall’s parent company, Recall Holdings Limited.
- Recall Holdings Limited is an Australian based entity.
- Mobilshred Inc. does not have any facilities located in the US. Recall Canada Holdings is a holding company only and does not have any facilities.
- For the purposes of the CRA contract, all employees that are working with CRA information are Canadian employees and residents.
- Although the complainant did not specifically allege that the CRA was in violation of the Act, we viewed his concerns as relating to whether the CRA has ensured that the personal information transferred to Mobilshed Inc. in connection with the Contract remains protected from unauthorized disclosure. Accordingly, we focused our analysis on whether the CRA employed appropriate means for protecting personal information from unauthorized disclosure under section 8 of the Act.
- With respect to whether the CRA instituted the proper means to protect personal information transferred to Mobilshred Inc. under the Contract, we are of the view that the CRA did implement the appropriate means to protect taxpayer information from being unknowingly disclosed to a foreign authority. We are also of the view that the CRA followed TBS guidance on addressing privacy concerns in making contracting decisions when drafting its RFP.
- From our review of the representations received during the course of our investigation and the safeguards written into the Contract, we find that the CRA took appropriate steps to mitigate risk around the potential disclosure of Canadians’ tax information to US authorities by requiring that all information transferred under the Contract – which was in paper format – remain in Canada at all times. Furthermore, based on the information provided by Recall regarding the corporate structure of Mobilshred Inc., we are satisfied that Mobilshred Inc. is a wholly Canadian entity and that Canadians’ personal taxpayer information transferred under the Contract will not, at any time, be transported through or held in the US.
- We therefore believe that the CRA has made reasonable efforts to ensure that Canadians’ personal taxpayer information transferred to Mobilshred Inc. under the Contract will not be vulnerable to disclosure to US authorities under the USA PATRIOT Act.
- However, whether a US authority takes the position that it has the authority to compel production of such information under other US laws, or whether a US authority can ultimately access such information through the use of a specific mechanism such as MLATs, bilateral treaties or letters rotatory, for example, is outside of the CRA’s control.
- Ultimately, our investigation revealed that Mobilshred Inc. is in fact a Canadian company and that no personal information related to Canadian taxpayers provided to Mobilshred Inc. under the Contract will be physically stored in, or transported through, the US.
- Based on the foregoing, we find this complaint to be not well-founded.
- Date modified: