The key provisions related to privacy are set out in Appendix and and Section 3.2 of Appendix A sets out the requirements that government departments must impose on third party service providers:
3.2 That contract must, at a minimum, contain provisions meeting the requirements as set out below.
a. A definition of "personal information" as meaning information collected or generated in the performance of the contract about an individual, including the types of information specifically described in the Privacy Act and also including information that may be linked or is linkable to an individual such as the website visitor's IP address.
b. A requirement that the third party appoint an officer within the organization to act as representative for all matters related to personal information and that the name and contact information for this third-party contact be provided to the government institution within 10 days of the awarding of the contract.
c. A requirement that the third party provide all of its employees, contractors and subcontractors with information on their privacy obligations when dealing with personal information disclosed or transmitted in relation to the work being performed under the contract or subcontract (the "work").
d. A requirement that the third party depersonalize the IP address prior to its storage in order that the full IP address cannot be reconstituted. This must be done through irrevocable truncation of the last octet of the IP address or through some other methodology that offers comparable privacy protection and has been approved by the Chief Information Officer Branch of the Treasury Board of Canada Secretariat.
e. A requirement that the third party not link, or attempt to link, the IP address or some unique identifier associated with a digital marker with the identity of the individual computer user.
f. A requirement that the depersonalized IP address, along with other data disclosed to the third party for Web analytics, be used only in accordance with the work, and that no subsequent uses or reuses of such data for any other purpose be allowed without the institution's express prior written authorization.
g. A requirement that the third party not disclose or transfer the depersonalized IP address or any other data disclosed to it except in accordance with the work, with the express prior written authorization of the institution, or if required to do so by law.
h. A requirement that the third party use only first-party cookies.
i. A requirement that the third party be prohibited from using techniques such as, but not limited to, interlinking, cross-referencing, data mining or data matching from multiple sources on the personal information collected in relation to the work, unless expressly pre-authorized to do so, in writing, by the government institution.
j. A requirement that the third party have security in place for the personal and depersonalized information that is at least commensurate with the Policy on Government Security.
k. A requirement that the third party safeguard the depersonalized IP address and other information disclosed in relation to the work, and that this information be retained for a maximum period of 6 months, after which time that information, including any backup copies, must be destroyed.
l. An audit provision whereby the third party may be audited at least once annually, at a date to be determined by the Government of Canada, to ensure compliance with these requirements.