Model service sharing agreement

Agreement on the Provision of Services Related to Access to Information and Privacy

between

[provider name] (the provider)

and

[client name] (the client), “the parties”

Document change control

The table below contains the revision number, the date of the revision, the author responsible for the changes, and a short description of the context or the scope of the changes involved.

Contents

• 1. Introduction
• 2. Objectives
• 3. Designated officials
• 4. Organizational contacts
• 5. Coming into force and duration
• 6. Termination
• 7. Annual review
• 8. Amendments
• 9. Resolution of issues
• 10. Information management
• 11. Roles and responsibilities for administering terms of agreement
• 12. Financial considerations
• 13. Audit
• Appendix A: Legal framework for the provision of services related to access to information and privacy
• Appendix B: Roles and responsibilities
• Appendix C: Service level and performance targets

1. Introduction

1.1 The Access to Information Act (ATIA) and the Privacy Act allow a government institution to provide services related to access to information and privacy (ATIP) to another government institution that is presided over by the same Minister or that is under the responsibility of the same Minister.^{Footnote 1} To enter into such an arrangement, the two institutions must have a written agreement.^{Footnote 2}

1.2 In light of the above, this is an agreement between the client and the provider. Both of them are presided over by or are under the responsibility of the Minister of [portfolio].

1.3 Under this agreement, the provider will provide services related to ATIP to the client until the client can provide these services itself. See Appendix A for the legal framework for the provision of services related to ATIP.

1.4 Both parties agree that the following principles will guide their relationship for the duration of this agreement:

1. The client continues to be subject to the ATIA and the Privacy Act when its [CEO or other title] delegates any of their powers, duties or functions under the ATIA or the Privacy Act to the provider’s employees for the purpose of enabling the provider to provide ATIP-related services to the client.
2. All information provided and handled under this agreement is subject to the applicable legislation, as well as to the Treasury Board Policy on Government Security and related directives and standards.
3. The parties use a collaborative approach to problem-solving that focuses on gaining insights to find a resolution.

2. Objectives

2.1 This agreement sets out the roles and responsibilities for the provision of services related to the ATIA and the Privacy Act by the provider to the client (see Appendix B).

2.2 This agreement also sets out the details of the provision of these services by the provider to the client, including service‑specific roles and responsibilities for the provider and the client, performance targets (see Appendix C), and reporting requirements.

3. Designated officials

The following designated officials are responsible for approving the content of this agreement and for signing this agreement:

1. For the client:
   • [for example, the head of the institution, the CEO or the corporate secretary]
2. For the provider:
   • [for example, the head of the institution, the CEO or the corporate secretary]

4. Organizational contacts

The following organizational contacts are responsible for administering and implementing this agreement:

1. For the client:
   • [for example, the senior director, Corporate Services]
2. For the provider:
   • [for example, the director, ATIP]
   • [for example, the director, Privacy Management Division]

5. Coming into force and duration

This agreement comes into force once both designated officials have signed it. It will remain in force unless it is terminated in accordance with clause 6.

6. Termination

6.1 Either of the designated officials may terminate this agreement.

6.2 If a party’s designated official wants to terminate this agreement, they must send the other party’s designated official a written request by email.

7. Annual review

7.1 To make sure this agreement remains effective and appropriate, and to identify required amendments, the parties’ organizational contacts will review it to assess the services rendered by the provider from the date the agreement comes into force up to and including the last day of every fiscal year, starting in [20XX–XX].

7.2 All annual reviews will proceed as follows:

1. The parties’ organizational contacts will meet to do the review. Other representatives of the parties may attend these meetings.
2. The meetings will include a discussion of:
   • the provider’s performance
   • the client’s performance
   • deviations from expected performance
   • services that need adjustment
   • amendments to the agreement
   • continuation of the agreement
3. The parties’ organizational contacts will track all proposed amendments to this agreement and will report them to both designated officials for decision.

8. Amendments

8.1 This agreement may be amended at any time with the consent of both designated officials.

8.2 Every amendment to this agreement must be made in writing and be signed by both designated officials.

8.3 Every amendment to this agreement that is proposed outside of the review process described in clause 7 must be presented to and discussed with the other party as soon as possible and according to the following procedure:

1. A party’s organizational contact will submit, in writing, every proposed amendment to the other party’s organizational contact, as the first level of review.
2. The parties’ organizational contacts will agree on a reasonable time period for considering and discussing the proposed amendments.

9. Resolution of issues

Any disagreement about this agreement, including a disagreement about fees, that the parties’ organizational contacts cannot resolve will be presented to the designated officials for resolution.

10. Information management

During the life of this agreement and after it has terminated, the parties agree to manage all information they create, collect, use, retain, dispose of and disclose for the purposes of implementing this agreement in accordance with applicable federal legislation and policies, and in keeping with the Privacy Act’s principles of confidentiality, accuracy and relevance.

11. Roles and responsibilities for administering terms of agreement

11.1 The parties are accountable to the portfolio minister, Parliament and Canadians for achieving the objectives of this agreement. The parties recognize that this accountability requires an effective working relationship. They will do their best to fulfill their responsibilities and maintain the level of service specified in this agreement.

11.2 The provider and the client are jointly responsible for:

• approving the terms and conditions of this agreement
• outlining the type and level of service expected
• making sure service performance meets business requirements
• cooperating on implementing and monitoring the provisions of this agreement effectively and efficiently
• managing working groups consisting of representatives of both parties that discuss business requirements, consider business impacts and risk assessments, and identify and resolve operational and other issues
• assigning individuals with appropriate skills, experience and authority to serve on the working groups

11.3 The provider will:

• provide the systems and services specified in Appendix B, including the related systems of internal controls
• monitor performance

  The client will:

• align its internal business requirements pertinent to this agreement with those of the provider
• fulfill the responsibilities specified in Appendix B
• manage data integrity and accuracy
• manage relationships with end-users
• interpret end-users’ issues, requirements and constraints

12. Financial considerations

12.1 The provider will provide to the client the ATIP services described in this agreement for $XX,XXX a year. This amount is an estimate based on the salary rates set out in the [for example, Program Management (PM) collective agreement] that was in effect when this agreement was signed.

12.2 The fee the provider charges for the services provided under this agreement must not exceed the cost of providing these services.

12.3 The estimated fee will be amended if the projected costs of providing the services covered by this agreement are higher or lower than anticipated.

12.4 Every quarter, the provider will share with the client detailed financial information on the nature and extent of the activities performed to fulfill the agreement, including expenses incurred for specific significant services.

12.5 The client will pay the provider all fees related to this agreement by interdepartmental settlement.

12.6 The provider will initiate the interdepartmental settlement process, which will generate a transaction that will be sent to the client for payment.

12.7 The client will provide the following information to the provider so that payment can be made by interdepartmental settlement:

• department number
• IS organization number
• IS reference number

12.8 Costs incurred by the provider for services provided under this agreement will be charged to an operating account. If the provider requires information from the client to support the allocation of costs for these services, the client will provide it.

13. Audit

If the provider conducts an internal audit and review of the operation of the services covered by this agreement, the provider will share any findings with the client.

[signature]_______________________________________
Signed on behalf of [provider] by [title of designated official identified in section 3] in [location] on [month] [day], [year]

[signature]________________________________________
Signed on behalf of [client] by [title of designated official identified in section 3] in [location] on [month] [day], [year]

Appendix A: Legal framework for the provision of services related to access to information and privacy

The following is the legal framework that applies to this agreement:

1. A government institution may provide services related to any power, duty or function conferred or imposed on the head of a government institution under the Access to Information Act (ATIA) or the Privacy Act to another government institution that is presided over by the same minister or that is under the responsibility of the same minister and may receive such services from any other such government institution.^{Footnote 3}
2. A government institution may provide services related to any power, duty or function conferred or imposed on the head of a government institution under the ATIA or the Privacy Act to another government institution only if it enters into an agreement in writing with the other government institution in respect of these services before it provides them.^{Footnote 4}
3. The head of a government institution that receives services related to access to information must provide a copy of the agreement to the Information Commissioner of Canada and the President of the Treasury Board as soon as possible after the agreement is entered into. The head of the institution must also notify the Information Commissioner of Canada and the President of the Treasury Board of any material change to that agreement.^{Footnote 5}
4. The head of a government institution that receives services related to privacy must provide a copy of the agreement to the Privacy Commissioner of Canada and to the President of the Treasury Board as soon as possible after the agreement is entered into. The head of the institution must also notify the Privacy Commissioner of Canada and the President of the Treasury Board of any material change to that agreement.^{Footnote 6}
5. The head of a government institution may, for the purpose of providing services related to access to information or privacy, by order, delegate any of their powers, duties or functions under the ATIA and the Privacy Act to one or more officers or employees of another government institution.^{Footnote 7}
6. The head of a government institution that provides these services may charge a fee for them. The fee must not exceed the cost of providing the service.^{Footnote 8}
7. The records that the head of a government institution provides to the head of another government institution so that the other institution can provide services related to access to information are not under the control of that other institution.^{Footnote 9}
8. The personal information that the head of a government institution provides to the head of another government institution so that the other institution can provide services related to privacy is not under the control of that other institution.^{Footnote 10}

Appendix B: Roles and responsibilities

[The roles and responsibilities in the following chart assume that the head of the client institution has delegated all authorities under the Access to Information Act (ATIA) and the Privacy Act to the provider.]

Appendix C: Service levels and performance targets for formal requests

The following table lists tasks and timelines relating to service levels and performance targets, and to the parties’ regular operations.

Pursuant to the Access to Information Act (ATIA) and the Privacy Act, government institutions shall respond to ATIA and Privacy Act requests within 30 calendar days after the request is received. If the 30‑day time limit is extended pursuant to the ATIA or the Privacy Act, the timelines in the table can be adjusted if the provider and the client agree.