07 Oct Sharing Of Information Agreement
It is recommended that, to the extent possible and in an enforceable manner, all elements of personal data that may be disclosed be identified at the time the institution intends to enter into an ISA. The institution can then determine whether or not each element constitutes "personal data" within the meaning of Section 3 of the Data Protection Act (note: certain information is excluded from the definition for the purposes of use and publicity, for example, information about the position or functions of an official). For more details on this subject, see the definition of "personal data" (section 6.2).
As far as possible, personal data transmitted by one governmental organization to another party should be reported rather than drawn. This means that instead of giving access to the database containing personal data, the institution would transmit the information or data to the other jurisdiction in the manner provided for in the agreement and at the times and data provided for in the agreement.
In the event of a breach of privacy or security, the agreement may allow the disclosed party, after receiving notification of accidental or unauthorized access, disclosure, use, modification and deletion, to immediately terminate the contract as it sees fit and demand the return of already disclosed personal data. The agreement should include a plan for notifying persons whose information has been disclosed.
Note: In some cases, the power to collect personal data is clearly defined by law. The Income Tax Act is a good example of this. However, in most cases, the institution's enabling law concerns only an operational programme or activity. In still other cases, the institution's enabling law may not contain a specific reference to a specific programme or activity, but a strong argument can be put forward that the programme to be examined or the activity to be examined is compatible with and promotes the legal mission of the institution.
In some cases, other laws may prevail over data protection law (e.g. enabling legislation), thus authorizing uses or disclosures within or outside the institution. For example, the Income Tax Act, the Statistics Act and the Ministry of Personnel and Skills Development Act confer specific powers for the use or disclosure of personal data, thus eliminating the application of the provisions on use and disclosure (sections 7 and 8) of the Data Protection Act.
Under the TBS Directive on Data Protection Impact Assessment, institutions are required to carry out a data protection impact assessment where a new programme or service involves the collection, use or disclosure of personal data or where significant changes are made to an existing programme or service. This would involve the exchange of personal data between jurisdictions. A data protection impact assessment will help to ensure that the information sharing activity complies with data protection law and that measures are taken to reduce potential data protection risks.
Under the Access to Information Act and the Data Protection Act, information provided confidentially by other governments is subject to a mandatory exception that makes public the information by the government whose information was received. . . .