Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 121 Before disclosing personal information to an information management service provider, a government institution must have a written agreement in place that includes the requirements outlined at subsection 24.2(2) of FOIP. An information sharing agreement is a written record of understanding between parties that outlines the terms and conditions under which personal information is shared between the parties. An adequate information sharing agreement should be in place between the parties to protect the personal information involved and to ensure compliance.362 Subsection 24.2(2) of FOIP sets out specific requirements that must be in an information sharing agreement between a government institution and an information management service provider. The agreement must address: • The access to, use, disclosure, storage, archiving, modification and destruction of personal information (s. 24.2(2)(a)) • The protection of personal information (s. 24.2(2)(b)) • The requirements of FOIP and The Freedom of Information and Protection of Privacy Regulations (FOIP Regulations). Specifically, section 13.1 of the FOIP Regulations which provides: 362 Government of Canada, Treasury Board of Canada Secretariat resource, Guidance on Preparing Information Sharing Agreements Involving Personal Information. Available at Updated July 2010. Accessed June 23, 2020. Agreement between government institution and information management service provider 13.1 For the purposes of clause 24.2(2)(c) of the Act, a written agreement that is entered into between a government institution and an information management service provider must include: (a) a description of the specific service the information management service provider will deliver; (b) provisions setting out the obligations of the information management service provider respecting the security and safeguarding of personal information; and (c) provisions for the destruction of the personal information, if applicable.