Administrative Practices

AP I3 - Information Sharing Agreements

Legislative References:	Freedom of Information and Protection of Privacy Act (FOIPPA) section 69
Policy Reference:	None
Collective Agreement References:	None
Date:	April 25, 2023

This administrative practice describes processes around Information Sharing Agreements (ISAs) to ensure compliance with BC’s Freedom of Information and Protection of Privacy Act (FOIPPA).

Processes

Ensure legal authority to share information in accordance with section 33 of FOIPPA.

Prepare a formal ISA when information sharing is occurring on a recurring basis.

An ISA will generally include the following:

3.1.	A statement of the purpose for the disclosure.
3.2.	The legal authority to disclose the data for that purpose and the legal authority for the collection by the public body or organization to which the data is being disclosed.
3.3.	A description of the data that will be disclosed that is as specific and comprehensive as possible (i.e.: the nature and type of data elements, as well as the quantity of data).
3.4.	A description of how the data will be disclosed (such as direct access to a database or a specific data flow versus indirect access via email from the originating party, and in response to a request or at regular intervals).
3.5.	Where possible, a description of who within a public body or organization will have access to the data and any other disclosure restrictions. This could enable the disclosing public body or organization to limit further disclosure of the shared data.
3.6.	A description of the authorized use of the data and limits on further use of the data.
3.7.	A clear statement about who has custody and control of the data. This may be needed because parties to the agreement will likely have custody of the shared data, while one party could maintain control over managing that information.
3.8.	An undertaking to protect the data in a certain manner (i.e.: particular administrative, technical, and physical safeguards to protect the data adequately given its sensitivity).
3.9.	A description of any restrictions on the storage and access of personal information outside of Canada (FOIPPA includes a requirement to keep personal data in Canada).
3.10.	A description of the process to ensure accuracy of the data, including the process to update and correct personal information if needed.
3.11.	A specific retention period and directions on secure destruction when the retention period expires.
3.12.	A description of the process for managing privacy breaches, complaints, and incidents.
3.13.	Methods for monitoring compliance with the ISA and consequences for non- compliance.
3.14.	Term of the ISA and process for amendment and renewal.

Appended to the Administrative Practice:

Information Sharing Agreement Template