The Shared Services Canada Act was made very explicit when it relates to the Access to Information Act and the Privacy Act. Shared Services Canada is responsible for managing the IT infrastructure, so managing the shell, but the content—all of the data residing in our data centres, even the content of emails within our networks—belongs to and is still under the control of the partner organization. Shared Services Canada, for the purposes of the Access to Information Act and the Privacy Act, has no control over the data that is residing on the IT infrastructure.
However, we are fully responsible and accountable, and work very closely with the partner institution in ensuring that the necessary privacy and security controls are in place in the management of that IT infrastructure, and when managing privacy breaches. While the data might be under the control of partner organizations—in other words, they would respond to access requests, because it's their data—if there's a breach that results from some sort of unfortunate IT infrastructure incident, Shared Services Canada would work side by side with the partner organizations to ensure that the breach is contained and managed, and the necessary corrective measures are in place. It's a shared responsibility.