
Navigating Privacy and Access in Public Sector Contracts


Written by Samara Starkman, Partner | David Goodis, Partner | Basia Walczak, Associate

In an era where data is a crucial asset, public sector institutions frequently rely on third-party service providers to manage data in a variety of ways. While outsourcing offers many benefits, it can also blur accountability for personal information.

Public sector institutions engaging private-sector businesses must navigate these challenges while adhering to legislation, such as the Freedom of Information and Protection of Privacy Act (“FIPPA”) or the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”).¹

In May 2024, the Office of the Information and Privacy Commissioner of Ontario (“IPC”) issued guidance to help public sector institutions and their third-party vendors navigate these challenges. Following this guidance will help equip public sector institutions with the knowledge and strategies necessary to navigate privacy and access considerations effectively in public sector contracts. It is also helpful for businesses that enter into contracts with these public sector institutions.

We have set out below what we believe are the most important takeaways from this document.

Understanding Applicable Legislation

FIPPA and MFIPPA serve as the legislative backbone governing access to, and protection of, personal information held by public institutions in Ontario. These laws mandate that public sector institutions uphold strict standards regarding the collection, use, disclosure, and safeguarding of personal data.

To fulfill their safeguarding responsibilities under FIPPA or MFIPPA, public sector institutions must ensure that service providers processing records and personal information adhere to equivalent standards, including through sufficient oversight measures.  

Here are 5 key considerations for public sector institutions when contracting:

  1. Procurement Planning: Engage experts to confirm lawful data processing authority and ensure compliance with FIPPA or MFIPPA. Outline best practices for defining records, integrate privacy and security considerations from the outset of the procurement process to mitigate risks, and establish clear requirements for service providers.

  2. Tendering: Clearly state privacy, access, and security requirements in tender documents so service providers understand their obligations and how their compliance will be assessed.

  3. Vendor Selection: Assess potential service providers for their ability to meet defined access and privacy requirements. Involve knowledgeable personnel in evaluations, assign appropriate weighting to access, privacy, and security components, and conduct thorough risk assessments to identify vulnerabilities and implement mitigation measures.

  4. Agreement: Clearly define responsibilities for managing, retaining, and securing records and personal information. Outline breach response protocols and establish strong oversight mechanisms to monitor compliance. Emphasize provisions on data ownership, confidentiality, use and disclosure restrictions, compelled disclosure notice, subcontracting limits, security measures, retention policies, and audits. Consult experts, including legal counsel, to ensure the agreement fully protects records and personal information.

  5. Agreement Management and Termination: Be prepared to enforce contractual terms and take action if breaches occur. Conduct regular assessments, address risks promptly, delegate responsibilities, outline post-contractual actions like close-out procedures, and document lessons learned. Enforce terms rigorously and be prepared to take remedial action or terminate contracts if service providers fail to meet privacy and access requirements.


Navigating privacy and access considerations in public sector contracts requires diligent planning, proactive management, and strict adherence to relevant legislation. By adopting the best practices outlined in this guide, public sector institutions can mitigate risks, ensure compliance with privacy laws, and foster trust in outsourcing arrangements. Prioritizing privacy and access in public sector contracting not only safeguards sensitive information but also strengthens accountability and transparency, enhancing overall organizational integrity and reputation.




¹Institutions may also be subject to directives, trade agreements, policies, standards, and guidelines that define additional requirements relating to the transparency of institutional records and the protection of personal information.
