26(1)The Corporation shall enter into a written agreement with a service provider containing provisions with respect to the collection, use and disclosure of information, including personal information, that relates directly to and is necessary for the provision of the service.
26(2)An agreement entered into under subsection (1) shall
(a)
provide for the protection of personal information against risks, including unauthorized access, use, disclosure or destruction, and
(b)
contain any terms, conditions, prohibitions, restrictions or requirements prescribed by regulation relating to the access, use, disclosure or destruction of personal information.
26(3)Subject to section 28, a service provider shall not disclose any information, including personal information, disclosed to, collected by or used by the service provider under this Act unless in accordance with an agreement under subsection (1).
26(4)An agreement entered into under subsection (1) shall be deemed to be the written agreement for the protection of personal information between a public body and a service provider as required under the Right to Information and Protection of Privacy Act.