I think there are at least two steps to this question.
The receiving institution must determine whether it has the authority to collect it, to receive it. It may be that the sending institution will send too much information to the receiving institution. I would suggest that there need to be clear rules, which do not currently exist under SCISA, which require the receiving institution to get rid of it ASAP because it doesn't have the authority to collect it. That's the first thing.
Then there will be situations in which the information may be relevant for the analysis to be performed by the receiving institution, say CSIS. The information will generally lean towards the vast majority of people about whom we receive information not being security threats. That's another step where, at that point, the information needs to be set aside. It was useful for analytical purposes initially, but the analysis has now taken place and the vast majority of people about whom information is shared are not security threats. It should be destroyed then as well.