It starts with the legislation itself, so I would say that the standard matters and rules around retention matter. It should not be for the bureaucracy to decide how long they are going to keep the information. There should be rules of law on this.
There should be a legal requirement to have agreements whereby you bring the general principles to something more down to earth—what kind of information will be shared for what purpose, etc. Some accountability mechanisms in these agreements would be helpful.
Review of the agreements by review bodies like me, like SIRC, and so on would be helpful, because that will put an expert lens on whether the agreements strike the right balance. It will inform the review bodies as to how to direct their case investigations further down the road.