The directive governs not only the creation of records and their eventual disposition but also their good management. Departments have to ensure that records are appropriately safeguarded.
There was reference earlier to looking at it from a risk profile, which would include examining the possibilities for inadvertent disclosure. Certainly the privacy legislation and other pieces of legislation apply to that as well. So in managing their information, departments have to be aware of all those factors. If as part of their business they are sharing that information with whoever they're sharing it with, it's still their information, used for their business purposes, and they would have to conform with the policy requirements.