Office of the Saskatchewan Information and Privacy Commissioner. Best Practices for Information Sharing Agreements. 23 March 2018.

• Appointment of an oversight body consisting of people in your department familiar with privacy and security issues who can offer guidance and support.
• Ensuring that privacy and legal experts review and approve each ISA.
• Using plain language to ensure all terms are fully explained.

Your ISA should include these key components:

• Identities, roles and responsibilities of the parties
• What information is being disclosed and collected and the purpose(s) of each
• The frequency and duration of information exchanged
• The legal authority to disclose and collect information
• The methods and security measures for transferring and storing the information
• Procedures in the event there is a privacy or security breach
• Limitations for collection, use, disclosure and retention
• Provisions for accuracy of the information
• Indemnification
• Compliance monitoring

Step Six: Monitor and Follow Up

It is best practice to monitor the effectiveness of the agreement. This is done through audit trails, self-assessments, audits, verification systems, certificates of assurance and measurement techniques related to your government’s obligations in the agreement.

These best practices are consistent with those recommended by the Treasury Board of Canada in its guidelines for federal government organizations titled Guidance on Preparing Information Sharing Agreements Involving Personal Information.

In December 2008, the Access and Privacy Branch with the Ministry of Justice produced a resource titled Personal Information Sharing Agreements (Government to Government) Best Practice Guidelines. The Guidelines present the same six best practice steps noted above.

Other Information and Privacy Commissioners across Canada also recognize the need for best practices and recommend similar practices in their jurisdictions.
For example, the previous British Columbia Information and Privacy Commissioner, Paul Fraser, Q.C., stated the following in his Investigation Report F10-02:

[118] To be FIPPA compliant, public bodies must use information-sharing agreements to govern the disclosure of personal information from one entity to another. An information-sharing agreement sets out the terms and conditions for how the personal information will be collected, used, and disclosed by the entity receiving the data. Information-sharing agreements also enhance the transparency