Privacy Protection Schedule
The privacy protection schedule ensures that the high privacy standards set by the Freedom of Information and Protection of Privacy Act (FOIPPA) are maintained for personal information held by service providers. Government ministries and other public sector organizations can attach a privacy protection schedule to any contracts that involve personal information.
You must complete and attach a privacy protection schedule for all contracts between government and a service provider that involve personal information owned or controlled by government.
Unless an alternative version has been authorized by the Privacy, Compliance and Training Branch, use the privacy protection schedule template (MS Word). The language in this template is legally binding. Only modify the three fillable fields at the top of the page.
A privacy protection schedule may not be required if a contract clearly states that the government will not own or control any personal information involved.
Alternative Privacy Protection Schedules
In some situations, the original wording of the privacy protection schedule template doesn’t capture the circumstances or context of the contract and an alternative must be created. Any alternative schedule must be approved by the Privacy, Compliance and Training Branch.
To have an alternative privacy protection schedule reviewed, submit a request to the privacy and access helpline. You must submit both the alternative version of the privacy protection schedule and a detailed explanation of why an alternative is required. Only changes that are equivalent to or better than the requirements of the original privacy protection schedule template will be considered.
If the contract involves cloud services and personal information, the privacy protection schedule for cloud services (MS Word) may be more appropriate, as it provides terms better suited to cloud applications. Please note that this schedule should be used in conjunction with other technical mitigations in order to address privacy risks. See Privacy and Cloud: Guidance for MPOs (PDF) for further information.
For more information, consult Chapter 6 of the Ministry of Finance Core Policy and Procedures Manual.
The privacy protection schedule template (MS Word) can be modified and completed to suit the policy needs of other public sector organizations. This privacy protection schedule may be attached to any contract between a public body and a contractor if the contractor will be collecting, creating, using, disclosing or storing personal information.