This guide is intended for all institutions subject to the Data Protection Act. It is used for the observation and development of ASAs that contain personal data shared with other governments in Canada and across international borders. The document is not a binding policy instrument, but defines common principles for the exchange or exchange of personal data with other governments. It aims to help institutions design data protection compliant ISAs. However, institutions should recognize that all ISAs are unique and tailor advice to each situation, including the context and needs of the organizations involved. However, Canadian data protection laws do not apply to personal data as soon as it has been transmitted to a foreign government organization (known as cross-border data flows). It is assumed that this will involve negotiations, but it is essential that written agreements with international partners take into account the protection of personal data. The risks associated with the disclosure of personal data abroad are generally considered to be higher risks than when transferring personal data to a Canadian party. Such risks are particularly important when the foreign organisation is not bound by data protection legislation or by a binding scheme, substantially similar to the Federal Data Protection Act. The programme area, which controls the personal data to be shared, can check, together with the Department`s Council of Data Protection Experts and Legal Experts, whether disclosure is appropriate. When transmitting personal data, the parties should endeavour to put in place administrative, technical and physical security measures to protect the privacy of individuals and the confidentiality of their personal data.

The implementation of an TRA is a recognized process used by federal authorities to identify potential threats or dangers that could compromise the confidentiality, security, or integrity of the personal data to be shared. TRAs can be short and simple or much more detailed and rigorous, depending on the sensitivity, criticism and complexity of the program, system or service to be evaluated. If justified, the other parties to the information exchange project could also be required to conduct a similar risk assessment process in order to assess threats and potential risks to information as a precondition for exchange. . . .