I think it takes a number of instruments. On your point that the sending institution may not be an expert, in the context of this legislation, on national security, that's quite correct. I think government envisions that before information is shared, there will be a discussion between the sending and receiving institutions as to whether, in the context of the current act, it is relevant to the mandate of the receiving institution, on which the first department may not be an expert, but the second is. There's a discussion about that.
Also, according to section 5 of SCISA as it is, the information has to relate to detection or suppression of national security threats. It may be that the sending institution is an expert, but it's more likely that the sending institution is not an expert and the receiving institution is.
It's the conversation between the two departments before the personal information is given by the sending to the receiving institution that I think will enlighten both parties as to whether the criteria of the legislation are met.