Information Sharing Arrangements

Information Sharing Arrangements

An Information Sharing Arrangement (ISA) is a written record of understanding between the parties that will be sharing information. Information sharing may mean that one party is sharing information while the other party is collecting information. It can also refer to a situation where both parties are sharing and collecting information.

When you need one

Your initiative will need an ISA if it shares information with any third party, including other government institutions.

Benefits of an ISA include:

  • clarifying the rights, obligations and accountability of the parties
  • ensuring compliance with applicable privacy protection legislation and policies
  • establishing protocols for addressing problems and incidents (including privacy breaches)
  • ensuring transparency for affected individuals

What’s required

An ISA should be drafted with advice and guidance from stakeholders in the program area, privacy policy and information management advisors, legal counsel and functional specialists, such as information technology specialists and security experts.

It should include:

  • the purpose of the ISA
  • what personal information will be collected, created, used and shared between the parties
  • the legal authorities to collect, use and share the personal information
  • the associated Personal Information Bank(s)
  • which institution has custody and control over the personal information
  • any limitations on how personal information can be shared between all the parties
  • all the administrative, technical and physical safeguards needed to protect personal information
  • processes for addressing privacy and security breaches, including notification requirements

Privacy tip: Defining custody and control of personal information in an ISA is very important to make sure it is clear who will be in charge in case of a privacy breach.

General process

  • complete all the required sections of your ISA
  • send it to your privacy experts so they can make sure it aligns with privacy policy
  • socialize the ISA with all the parties and stakeholders involved
  • submit the ISA for approval
    • it’s up to your institution to decide the appropriate level of approval
    • this can also differ depending on the exact nature of the ISA and level of risk involved

All these steps need to be completed before the launch of the initiative.

When to update and review

When initially drafting an ISA, the parties should agree on when the arrangement comes into force, when and how to review it and when it terminates. The parties may also wish to indicate when and how to change the ISA if there are any changes to technical, legal or other aspects of the initiative.

Related link:

Page details

Date modified: