I'll repeat that there are no legally required controls. There is a reference in the preamble to SCISA that says, among other things, that information sharing should occur responsibly. That's advice given by Parliament to departments, and I'm sure this advice in the preamble will lead to certain actions within the public service. However, it's left completely to the public service to determine what kind of controls or governance structure they will put in place to live by this principle of responsible information sharing.
We don't need to be overly prescriptive, but I think there need to be some high-end controls, safeguards, and governance mechanisms to ensure that this broad authority given by Parliament is exercised responsibly.