Best Practices for Information Sharing Agreements

Office of the Saskatchewan Information and Privacy Commissioner. Best Practices for Information Sharing Agreements. 23 March 2018.

• Justifying the ISA by explaining exactly why personal information must be shared and specifying what information is to be included.

Best practices include:
• Obtaining consent and providing notice.
• Restricting the amount of personal information collected to a minimum.
• Carrying out the collection, use and disclosure of personal information on a need-to-know basis.
• Ensuring that the information is “pushed” (given to the other party) and not “pulled” (taken by the other party).
• Conducting a preliminary assessment of risks.

Step Two: Explore Alternative Strategies

Sharing personal information is a last resort because of the inherent privacy risks. Be sure to explore whether the objectives of the program or service can be accomplished without the disclosure of personal information. Alternatives include:
• A summary of information rather than specific identities.
• De-identified information (removing all personal identifiers).
• Aggregated data such as a range of ages instead of specific ages.

Step Three: Conduct Risk Assessment

Take a detailed look at the privacy risks using recommended tools that include:
• A Privacy Impact Assessment (PIA) that measures compliance not just against established legal standards but also against universal privacy principles.
• Communications planning that includes public reporting.
• Consultation with your departmental privacy, security and legal experts and the privacy official for your jurisdiction (such as a Privacy Commissioner or Ombudsman).

Steps four through six contain best practices after deciding to proceed with an ISA:

Step Four: Document

It is best practice to document your decision to proceed, justifying the decision and outlining a plan to mitigate risk. Documentation should include, but not be limited to, a justification, a cost-benefit analysis, a Privacy Impact Assessment and a risk mitigation plan to address all risks. It is important that you also ensure that the ISA is supported by sound information management practices.

Step Five: Create an ISA

Best practices in creating an ISA include:
