F/P/T Privacy Commissioners/Ombudsmen Privacy Checklist for Data Sharing Arrangements
Identify in as much detail as practicable all personal information that will be subject to the agreement. List the personal information data elements that will be matched/linked/shared.
Address why personal identifiers are needed in the first place and describe how the depersonalization of personal information has been explored and why it has been rejected.
Identify when, how and by whom personal identifiers will be stripped away, if applicable.
Estimate the approximate number of individuals who will be affected by the exercise.
Clearly specify each purpose for which the personal information is being collected, used or disclosed, describing in detail the use that would be made of the information.
For data matches, describe what the anticipated results will be, and what will be done with the results. Clearly and in as much detail as practicable identify the public benefit that will result from the data-matching activity or the significant cost savings or efficiencies gained.
Name the parties involved and describe in as much detail as practicable the relevant statutory or other authority and mandate of each party.
Describe the role each party is to play under the agreement.
Give contact information for each of the parties.
Document the planned information flows and describe the methods or procedures that will be used to share the personal information (e.g., hard copy or electronic sharing).
Provide a flow diagram showing all the personal information flows; include a matrix showing who (by job category/role) will have access to any personal information.
Describe when computer matching/linking/sharing will take place, how often and for how long (i.e., is this a one-time exercise or is it a periodic or ongoing activity).
Define each jurisdiction's legal authority:
  for collecting (including any indirect collection), using and disclosing personal information; and,
  for entering into data-matching/data-sharing agreements to collect, use and disclose personal information, where required.
Address how any notice of collection requirements will be fulfilled.
If any party is not subject to privacy legislation, ensure the party agrees to comply with access and/or privacy legislation that applies to the other party.
The agreement must provide that the primary data and output data will not be used or disclosed for any purpose other than as expressly provided in the agreement unless such a use or disclosure is authorized under law.
Provide that the agreement does not diminish an individual's access rights under the provisions of the applicable access/privacy legislation.
Describe what steps will be taken to verify the accuracy and the completeness of primary personal information before it is used.
Identify the steps that will be taken to ensure that personal information is up to date.
Where appropriate, describe the procedures for verifying the accuracy of any personal information the data matching produces. If verification will not be conducted, explain why, citing any necessary authorization, where required.
Provide that if the output data will be used to make an operational decision about an individual, notification of any inaccuracies in the primary data must be made to the other party promptly after their discovery.
Were data subjects informed at the time of collection (or any time prior to the use of the data) that their personal information would be matched or shared in the proposed manner?
Where required, was the consent of the data subject obtained? If not, explain why not, citing the necessary authorization or law.
Where required, outline how notices to or consultations with any parties directly affected by the results of the data sharing or data matching will be undertaken. If there will be no notification, explain why not, citing any necessary authorization.
Identify the categories of parties to be notified or consulted.
Outline the justification/need for the use of third party providers.
Outline the procedures for dealing with information to be [processed/matched/linked/shared] by any third party (including private sector) for or on behalf of any party to the main agreement, including the following:
  confidentiality agreement from the third party,
  extension of the agreement provisions to apply to the third party,
  a stipulation that all personal information involved remains under the control of the public body,
  provision that the third party must comply with all applicable access/privacy legislation, and
  requirement that third party providers must return all data, including all copies, to the government authority, where required.
Outline the remedies and/or penalties if third party providers fail to comply with the privacy provisions of the agreement.
Identify how security against unauthorized access, disclosure, use or destruction of personal information will be accomplished, including through:
  password protection,
  confidentiality agreements, and
  cryptography.
Identify the measures that will be used to ensure that the personal information shared through the agreement is protected against loss and/or any unauthorized access, use or disclosure during and after transfer.
Describe the physical security of records whether paper or electronic in nature.
Outline the administrative safeguards for limiting access to individuals who have the necessary authorization.
Outline the consequences for breach of agreement and the mitigating steps to be taken in response thereto.
Ensure effective investigations will be undertaken to identify and address any unauthorized access and/or use of the data.
Require that a copy of any investigation report will be sent to the other party and the respective Information and Privacy Commissioners.
Address the succession for custody, control and responsibility for personal information when public bodies change due to government reorganization and other causes.
Address the conditions for the recall or the disposal of personal information by the originating body and the cessation of information transfer in the following circumstances:
  expiration of data-sharing/data-matching agreement,
  dissolution of agency(ies) party to the agreement,
  breach of terms of agreement, or
  cancellation of the agreement.
Include an indemnification clause addressing liability, and indemnity, for breaches of relevant privacy laws.
Provide for ongoing compliance auditing, including by specifying:
  the frequency of audits,
  who will conduct audits,
  the procedure for conducting audits,
  the content of audit reports, including who will be responsible for sending them to both parties and the respective Information and Privacy Commissioners,
  when audits are required, or
  any other elements that should be considered.
Outline the process that will be followed in order to resolve any disagreements relating to the terms of the agreement.
Some jurisdictions such as British Columbia and Ontario have specific legislative requirements with respect to the maintenance of personal information banks. If such requirements apply, provide the following:
  The disclosing party must attach or link to its personal information bank the new use of personal information stemming from the data sharing/matching arrangements under the agreement.
  The collecting party must create a personal information bank in its directory of records.
  A statement of whether any required index of personal information banks will be amended to reflect any new uses or disclosures of personal information as a result of the data sharing or data matching activity under the agreement.
Specify the term of the agreement.
Specify the procedures for the renewal of, the amendment to or cancellation of the agreement.
Specify the process for the disposition of the personal information and the time frame for any stipulated return of the personal information to the originating party. Regarding disposition, require proof that data was disposed of as agreed.
Stipulate the time frame for revisiting the project to ensure that all approved privacy and security measures are still relevant, current and effective, and provide for revisions thereof as reasonably necessary.
If statutory/legal approval is required in any participating jurisdiction, require confirmation that the party in that jurisdiction has satisfied this requirement before personal information is shared or matched.
Seek and confirm any required approval by any independent oversight agency (such as an Information and Privacy Commissioner) for:
  each new agreement,
  revisions to existing agreements or processes, and
  privacy impact or data matching assessments (where applicable).
Provide that parties to the agreement must notify the other parties of changes to relevant policy or legislation which may impact/necessitate revisiting the agreement.
Provide that all parties to the agreement are to be notified of any requests by another party to amend or cancel the agreement.