Before deciding to disclose personal data, an institution should ensure that the recipient manages the information in accordance with principles similar to those set out in Sections 4 to 8 of the Data Protection Act, also known as the Code of Fair Information Practices. The code regulates the collection, accuracy, use, disclosure, retention and availability of personal data. When exchanging personal data, parties should strive to preserve administrative, technical and physical security measures to protect the privacy of individuals and the confidentiality of their personal data.
Conducting an AER is a recognized process used by federal public authorities to identify any threats or risks that could compromise the confidentiality, security or integrity of personal data to be shared. TRAs can be short and simple or much more detailed and strict, depending on the sensitivity, criticality and complexity of the program, system or service to be evaluated. If warranted, other parties to the exchange of information may also be required to conduct a similar risk assessment process to assess potential threats and risks to information as a precondition for exchange.
As noted above, institutions are required under the TBS Data Impact Assessment Directive to implement an IAP in certain circumstances, even when personal data is transmitted between programs, institutions or legal systems. The data protection impact analysis will help ensure that information exchange activities comply with data protection law and that steps are taken to reduce potential data protection risks, including the creation of an ISA containing data protection clauses. It is also a proven method for the institution to clearly identify in advance all the purposes for which personal data can be used or disclosed, including secondary uses.
Any prohibition on the secondary use or subsequent disclosure of information may also be carefully considered and agreed upon by the parties in order to avoid any conflict or misunderstanding with the applicable legal provisions of any jurisdiction, including access and data protection laws and other relevant laws.