According to the federal Privacy Commissioner, what protection is missing from the Privacy Act regarding outsourcing of government work that contains personal information?
A. A statement preventing the vendor to whom the information is outsourced from subcontracting its processing.
B. A statement granting the Privacy Commissioner the right to issue orders following an investigation into a possible data breach.
C. A statement requiring the government agency to complete a Privacy Impact Assessment (PIA) prior to outsourcing to a third party.
D. A statement indicating that the government institution from which the information is outsourced remains accountable for its security.
The Privacy Act governs how federal government institutions handle personal information. The Privacy Commissioner of Canada has highlighted limitations within the Act regarding outsourcing, specifically:
Lack of Explicit Accountability: While the Privacy Act implies the government institution remains responsible for the personal information, the Commissioner argues that the law needs a clearer, more explicit statement to ensure full accountability when that information is outsourced.
Outsourcing & Privacy Risks: Outsourcing government functions to third parties can add complexity and risk to the protection of personal information.
References:
You can find discussions of the Privacy Commissioner's position on outsourcing in reports and resources on the Office of the Privacy Commissioner of Canada (OPC) website: https://priv.gc.ca/en/
Why Other Options Are Less Relevant
A. Preventing subcontracting: While controlling further subcontracting might be important, it's not the primary concern identified by the Commissioner.
B. Commissioner's order power: While the Commissioner advocates for greater powers, this is not the specific gap in the Privacy Act related to outsourcing.
C. Privacy Impact Assessments (PIAs): PIAs are crucial, but the Commissioner's argument highlights that even with PIAs, the Act lacks clear accountability language when the information leaves the government institution.
Key Points
The Privacy Commissioner plays an advocacy role, identifying areas where privacy legislation could be strengthened.
Accountability is crucial in all privacy contexts, especially when third parties handle sensitive data.