Data Sharing Agreements

A screen capture of the Office of the Privacy Commissioner of Canada's "Memorandum of Understanding Between the Information and Privacy Commissioner of Ontario and the Privacy Commissioner of Canada on Mutual Assistance and Information Sharing in the Administration and Enforcement of Laws Protecting Personal Information"

The Office of the Privacy Commissioner of Canada (CPC) and the Information and Privacy Commissioner of Ontario (IPCO) announced yesterday that they have just signed a memorandum of understanding to facilitate information-sharing between their Offices on matters of mutual interest (the “CPC-IPCO MOU” or just the “MOU”).

IPCO has long taken the position that any sharing of personal information by government institutions should be supported by a written Data Sharing Agreement (“DSA”). The purpose of such an agreement is to clarify the rights and obligations of all parties in a data sharing activity and help ensure compliance with legislation.

The recently announced MOU demonstrates IPCO’s compliance with its own guidance. By issuing this MOU, IPCO has put in place a DSA of its own to facilitate information sharing with another government entity.

IPCO has issued detailed instructions on what to include in a DSA in its annotated Model Data Sharing Agreement (the “MDSA”). However, because the MDSA was first published in 1995 under then-Commissioner Tom Wright, institutions may reasonably question whether some of its content is now out of date.

More recently, Acting Commissioner Brian Beamish (as he then was) addressed the topic in his 2019 presentation “Introduction to Data Sharing Rules”, where he noted a DSA should include provisions such as:

  • defining the information to be disclosed and the purpose
  • defining limited staff who are permitted to access and use data (on a “need-to-know” basis)
  • confidentiality undertakings and privacy training for all staff, including external collaborators and subcontractors
  • destruction of data after a specified retention period
  • limiting disclosure of data with third parties except where there is prior approval
  • privacy and security policies to be in place, monitored and enforced
  • privacy breach protocol
  • detailed logging and monitoring systems implemented
  • encryption protocol used to electronically transmit data

Why the new MOU matters

The MOU announced by the CPC and IPCO yesterday represents an excellent precedent for government institutions preparing their own DSAs in order to facilitate the transfer of information between government entities. By following the example set out here, institutions can be reassured that they are emulating standards and requirements IPCO has itself adopted when preparing a DSA.

The MOU represents a great opportunity to see a modern DSA in concrete form, and can help answer practical questions that previous guidance hasn’t directly addressed, such as “what is a reasonable length for a DSA?” and “how much from the MDSA is necessary to include?” (Notably, the MOU is much shorter than the template outlined in the MDSA would seem to imply is required.)

Caveats

Of course, the 1995 MDSA template was intended to be used in a wide variety of circumstances, so it likely included many helpful suggestions that were never expected to appear in every DSA, including many that may not be applicable to the MOU between the CPC and the IPCO. In other words, “your mileage may vary”, and institutions may still wish to consider whether to include various items from the 1995 MDSA that the CPC-IPCO MOU did not address.

Further, the CPC-IPCO MOU describes itself as “non-binding” and never explicitly calls itself a “Data Sharing Agreement”. This may be an argument in favour of distinguishing the current MOU from a “full and proper” DSA. (Perhaps a more detailed DSA is forthcoming!)

That said, it certainly seems that the MOU as it stands is intended to facilitate actual data sharing between the CPC and the IPCO from this point forward. As noted in the news release, “The memorandum allows the Commissioners to communicate and cooperate with each other, as well as to conduct joint investigations of matters that arise under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law, or under one or more of the statutes that govern privacy in Ontario.” There is no mention of waiting for a “full-fledged DSA” to be completed before information is to be shared. As such, it seems fair to interpret this MOU as a precedent for what is minimally required to be set out in writing as between government organizations sharing information.

Finally, although the information handled by the CPC and the IPCO is comparable to some of the most sensitive personal, health, and confidential data held by any government entity, the MOU does not make clear what specific types of information will be shared, how frequently, or in what volumes. Consequently, the level of detail provided in this MOU may not be sufficient for all information-sharing arrangements between government institutions. For example, hospitals that transfer large volumes of patient records, or municipalities that exchange personal and financial data relating to many residents, may require DSAs that set out more detailed provisions and address risks and responsibilities not expressly covered in the present MOU.

Analysis of the MOU

The MOU begins by listing the relevant parties, the CPC and the IPCO. This is followed by a preamble setting out each party’s legal authority for collecting and sharing the information covered by the MOU, described in detail in the numerous “recognizing” clauses.

Next, under “Objective”, the MOU states its purpose, namely, “to establish a framework to allow the Participants to assist, consult, cooperate, and share relevant information with one another with respect to matters arising under the Ontario Statutes and PIPEDA”. This is similar but not identical to the purpose of a DSA as set out earlier in this article, which put more emphasis on the “rights and obligations” of each party to the DSA.

In the next section, “Procedures Relating to Mutual Assistance”, the MOU sets out how information will be shared and the purposes and situations in which it will be used. Important points from this section include:

  • each party agrees to designate a primary contact
  • a brief description of “how and when” information will be shared (e.g., for purposes including joint investigations, joint decisions, recommendations and reports, and referring complaints, inquiries and audits to one another)
  • a statement that the MOU will be made public by being posted on each party’s website
  • a brief dispute resolution procedure

Next, the “Limitations on Assistance and Use” section lists limitations on what information will be shared. One very helpful aspect of this section is that it lists areas where the law specifically prohibits the sharing of information between the parties. This is important for preventing misunderstandings or inappropriate disclosure, especially when, as here, each party is subject to different legislation (in this case, federal vs. provincial privacy legislation) and each institution may therefore have its own restrictions on what it is allowed to share.

The parties also note they will “only share personal information … to the extent that is necessary for fulfilling the purposes of [the MOU]” and that they will “not use any information obtained pursuant to [the MOU] for purposes other than those for which the information was originally shared unless permitted or required by law”.

The “Confidentiality” section of the MOU states that the information received under the MOU will be treated as confidential. It goes further: the parties agree to “oppose … any application by a third party for disclosure of information shared under this Memorandum, unless the Participant who provided the information gives express written consent to its release”, and the party who receives such an application is required “[to] promptly notify the Participant who provided the information.” Unlike most government institutions, neither the CPC nor the IPCO is subject to general access-to-information request obligations under federal or provincial FOI legislation, so other institutions may need to give further consideration to addressing FOI requests and the third-party process in their own DSAs.

Conclusion

The new CPC–IPCO MOU provides a timely example of how two privacy regulators document their authority, purpose, procedures, limitations, and confidentiality when sharing information. While the document does not call itself a Data Sharing Agreement and is expressly non-binding, it covers many of the core elements IPCO has long advised institutions to include in a DSA. For institutions, the MOU is a helpful modern precedent. It shows that a concise instrument may be sufficient in some contexts, but in higher-risk or higher-volume scenarios, a more comprehensive and legally binding DSA may be the more appropriate tool.

References

News release: Privacy Commissioners of Canada and Ontario update memorandum of understanding for sharing information (September 11, 2025)

Memorandum of Understanding Between the Information and Privacy Commissioner of Ontario and the Privacy Commissioner of Canada on Mutual Assistance and Information Sharing in the Administration and Enforcement of Laws Protecting Personal Information (Executed September 3, 2025)

IPCO: Introduction to Data Sharing Rules (September 10, 2019)

IPCO: Model Data Sharing Agreement (December 1995)

Comments

One response to “Data Sharing Agreements”

  1. Macpherson, Katy

    Thank you- these emails are so helpful!
    Katy
