When institutions first consider a data exchange initiative, they should ensure that it is legal. This means that once an organization has defined what, how, why, and with whom it wants to share personal data, it should conduct an analysis of all applicable federal laws, including rules, to ensure that it has the legal authority to do so. The recipient should also ensure that it has its own legal authority for the implementation of the proposed data exchange activity. Any inquiries or concerns regarding this directive or the manner in which the CSDP handles personal data should be directed to the ATIP Manager, by email at firstname.lastname@example.org, by telephone at 613-957-7631 or by fax at 613-948-2524. In addition, the following guidelines propose a decision-making process that will help institutions decide whether personal data should be transmitted. If necessary, the reader can use the “bookmark links” to check for further explanations in section 6 of the document. Other laws, such as the Canada Pension Plan Act, the Security of Ancient Ages Act and the DNA Identification Act, to name a few, also contain restrictions or prohibitions on the disclosure of personal data. While section 5 of the Data Protection Act requires that personal data be collected directly by an individual and that the individual be informed of the purpose of the collection, it also contains an exception. In accordance with subsection 5, paragraph 3, the rule does not apply if compliance with the rules complies with the following conditions: For more information, see Chapter 2-4 of the Treasury Board Manual on Privacy and Data Protection. 2) Sensitivity of information: the type of information involved in the information exchange project should be defined. Is it obviously of a very sensitive personal nature or does it seem to be quite harmless information? Is the information very up-to-date and, for this reason, more sensitive, or has the time spent been able to reduce this sensitivity, so that, in certain circumstances, disclosure would not result in a measurable violation of individuals` privacy? On the other hand, could the disclosure of information reopen old wounds after a while? The CSDP undertakes to collect only personal data directly related to its operational activities and limits the collection to the information necessary to achieve the identified purposes. . .