Appendices
CIHR Best Practices for Protecting Privacy in Health Research (September 2005)
- A-1 - CIHR Privacy Advisory Committee: Members
- A-2 - Drafting process and consultations in 2004
- A-3 - Real world case studies and links to the elements
- A-4 - Diversity of health research and future considerations
- A-5 - Selected documents and web links
- A-6 - Glossary
- A-7 - Tables of concordance with privacy legislation
  - Explanatory note
  - Application of Canadian privacy legislation
  - For Element #1
  - For Element #2
  - For Element #3
    - Conditions for use and disclosure for research purposes without consent
  - For Element #4
  - For Element #5
    - Provision of all information relevant to voluntary and informed consent
  - For Element #6
    - Statutory prohibitions to secondary use/disclosure of personal information to contact individuals to participate in research
  - For Element #7
  - For Element #8
  - For Element #9
    - Retention and destruction of personal information
  - For Element #10
- References
A-1 CIHR Privacy Advisory Committee: Members
Privacy commissioners
David Loukidelis
Information and Privacy Commissioner of British Columbia
(Privacy-enhancing Technologies)
Debra Grant
Senior Health Privacy Specialist, Information and Privacy Commissioner/Ontario
Research ethics boards (REBs)
Sharon Buehler
Co-Chair, Research Ethics Board, Memorial University
Don Willison (CIHR-funded research on REBs)
Scientist, Centre for Evaluation of Medicines, McMaster University
Health researchers
Charlyn Black (Health Services Research)
Director, BC Centre for Health Services and Policy Research
Colin L. Soskolne (Epidemiology)
Professor, Department of Public Health Sciences,
University of Alberta
Voluntary health organizations
Roy West
Co-Chair, Science and Research Committee,
Health Charities Council of Canada
Patients/consumers
Mary Vachon
Psychotherapist and Consultant in Private Practice
Professor, Depts. of Psychiatry and Public Health Science,
University of Toronto
Clinical Consultant, Wellspring
Phil Upshall
Chair, Canadian Alliance on Mental Illness and Mental Health
President, The Mood Disorders Society of Canada
Policy-makers
Heather McLaren
Director, Legislative Unit
Manitoba Health
Data producers/custodians
Joan Roch
Former Chief Privacy Officer, CIHI
Privacy Consultant
Michael Wolfson
Assistant Chief Statistician
Statistics Canada
Aboriginal interests
Bronwyn Shoush
CIHR Institute Advisory Board Member, Institute of Aboriginal People's Health,
Director, Aboriginal Justice Initiatives Unit,
Alberta Solicitor General
Health service providers
Denis Cournoyer
Associate Physician, McGill University Health Centre;
Associate Professor, Dept. of Medicine and Oncology,
McGill University
Ethics/law
Brent Windwick
Partner, Field LLP
Former Executive Director, Health Law Institute
Bartha Maria Knoppers
Canada Research Chair in Law and Medicine;
Professor, Public Law Research Centre, Faculty of Law,
University of Montreal
Ex officio members
Interagency Advisory Panel on Research Ethics (PRE):
Pierre Deschamps, PRE member
Member of the Canadian Human Rights Tribunal
Social Sciences and Humanities Research Council of Canada (SSHRC)
Christian Sylvain (alternate: Jocelyn Girard)
Director, SSHRC Corporate Policy and Planning
National Council on Ethics in Human Research (NCEHR)
Fern Brunger, NCEHR Member
Assistant Professor, Health Care Ethics, Faculty of Medicine
Memorial University
Health Canada
Ross Hodgins/John Horvath
Privacy Division, Information, Analysis & Connectivity Branch,
Health Canada
International advisor
William W Lowrance
International Consultant in Health Policy and Ethics, Geneva, Switzerland
Canadian Institutes of Health Research
Patricia Kosseim - Chair
Former A/Director, Ethics Office
General Counsel, Office of the Privacy Commissioner of Canada
Sheila Chapman
Senior Ethics Policy Advisor
Mylène Deschênes
Former Senior Ethics Policy Advisor
Sylvie Burion
Project Officer
A-2 Drafting process and consultations in 2004
The Canadian Institutes of Health Research (CIHR) is Canada's main federal funding agency for health research. CIHR's mandate is to invest in research that has the potential to lead to improved health for Canadians, more effective health services and products, and a strengthened Canadian health care system. CIHR-funded health research must also meet the highest standards of scientific excellence and ethics.
Recognizing that one of the key ethical challenges for the health research community is to appropriately protect the privacy of those individuals whose information is used for research purposes, CIHR has initiated and promoted dialogue with the broad health research community on a range of privacy-related matters for many years. In particular, a multi-stakeholder workshop in November 2002 entitled Privacy in Health Research: Sharing Perspectives and Paving the Way Forward resulted in a number of recommendations including that CIHR initiate the development of privacy best practices and promote the harmonization of privacy laws and policies that impact on health research.
Following on these recommendations, CIHR established a Privacy Advisory Committee (PAC) in 2003 to advise CIHR on the development of privacy best practices for health research, and on strategies for consultation, communication and knowledge translation. CIHR, with the advice of PAC, developed Guidelines for protecting privacy and confidentiality in the design, conduct and evaluation of health research - Best Practices, Consultation Draft, April 2004.[Footnote 97] A wide range of stakeholders was consulted on this draft from March through September, 2004. The current version of the Privacy Best Practices was revised to reflect the feedback received.
Response to consultations in 2004
We thank the many organizations and individuals who provided feedback on the 2004 draft Guidelines.[Footnote 98] The consultation period extended from March through September, 2004, with some written comments being received through mid-October. There were three streams for providing feedback: (1) written comments received in response to invitations sent to key stakeholders, and through an on-line feedback questionnaire; (2) three multi-stakeholder workshops on specific themes aimed at addressing potential gaps in coverage; and (3) two small group dialogue sessions with citizens.
We heard that the broad health research community, including review and oversight bodies, was generally supportive of this initiative, while also making a number of suggestions for improving the draft Best Practices. We were also reminded that there is a diversity of points of view within and between stakeholder groups on privacy and confidentiality issues. Some respondents commented that the draft privacy best practices were too restrictive and could impede research, and others thought they were not restrictive enough. We heard from discussions with citizens that there appears to be generally strong support for health research, but also concern about potential unauthorized uses of personal information.
In response to feedback received, we have made the following main changes for this 2005 release:
- A change in the title to: "Best Practices for Protecting Privacy in Health Research". Respondents noted that the previous title was too long, and combined both "guidelines" and "best practices" concepts. Also, it was noted that the document is meant to be recommended practices, which aspire in the future to the status of mandatory policy; thus there was general agreement that the term "best practices" was most appropriate at this stage.
- A revision of the Executive Summary to better reflect the main text.
- A clearer explanation of CIHR's mandate - to promote health research that meets the highest standards of excellence and ethics.
- Addition of accompanying tables on relevant legal requirements, as guideposts for health researchers, research ethics boards and others, but not intended to serve as formal legal advice.
- Addition of an accompanying table on different research areas, user groups, data collection methods, and activities, to demonstrate the applicability of this document to a wide range of target users.
- Addition of an index to research methods covered in the Privacy Best Practices, to help researchers navigate the document to find relevant sections.
- A more explicit acknowledgement of the different fundamental values in play, such as the rights and responsibilities of individuals, and the ethical framework articulated in the Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (TCPS).
- A clear recognition that the default position in health research should be the requirement for consent from individual participants.
- Acknowledgement that the reality of researchers in such fields as health services and population health differs significantly from that of clinical researchers, with reference to the CIHR document Secondary Use of Personal Information in Health Research: Case Studies.
- Strengthened recognition of the privacy concerns of communities and groups.
- Strengthened coverage of privacy issues for qualitative methods and inductive data collection and analysis.
- Strengthened coverage of genetic data, and confirmation that the scope of the Privacy Best Practices does not extend to the management and governance of human biological materials.
- Recognition of the tension between the principles of limiting access and retention of personal data, and the growing importance of making research data (particularly from publicly-funded research) available for broad research use and social benefit, with encouragement for researchers to think about these issues and to be explicit about what they plan to do with the data they collect.
Not surprisingly, given the extent of feedback received, the diversity in points of view, and the need to limit the scope and size of the document, not all requests for changes could be met. For example, these Best Practices do not specifically address privacy issues associated with health surveillance, program quality assurance studies, or private industry-funded research. Nevertheless, these Best Practices could serve as models for best practices developed in these other areas. And in response to requests for more focus on Aboriginal research and qualitative research methods, we provide some additional coverage in this 2005 document. However, we look forward to the more detailed work in these areas being coordinated through the Interagency Advisory Panel on Research Ethics.
As we note throughout this document, these Best Practices will need to continually evolve to reflect new best practices, refinements of existing practices, the findings of research on privacy, and changes in the legal and policy framework for health research in Canada.
A-3 Real world case studies and links to the elements
In 2002, CIHR published Secondary Use of Personal Information in Health Research: Case Studies (November 2002).[Footnote 99] Nineteen case studies were developed to describe real-life examples of actual research involving secondary use of data in Canada. These case studies highlighted the practical challenges that arise when applying various legal and ethical norms in the specific context of population health and health services research. The case studies identified a number of ethical and legal issues that warranted further consideration and discussion.
The summary table of issues from the Case Studies is reprinted below, with an additional column on the far right providing a link to relevant sections of the Best Practices.[Footnote 100]
Case study # | Title of case study | Collection / use / linkage of data | Issues raised | Relevant to Privacy Best Practices Element #: |
---|---|---|---|---|
1 | The computerization of medical practices for the enhancement of therapeutic effectiveness | Collection and use of coded data from patient medical records contained in doctors' offices; no direct patient contact involved; implied consent with possibility of opting out. | Prior contact by original data custodian. Form of consent required. | 3, 4, 6, 7 |
2 | Seasonal patterns of Winnipeg hospital use | Linkage and analyses of coded data contained in provincial databases routinely collected for other purposes (i.e. hospital discharge data and population registry file); no direct contact involved; no consent obtained. | Impracticability of obtaining consent. Long-term retention of data for future research purposes. | 3, 7, 8, 9 |
3 | Assessing the accuracy of the Nova Scotia health survey | Linkage and analyses of coded data contained in provincial databases routinely collected for other purposes (i.e. hospital discharge data and physician claims database); no direct contact involved; no consent obtained. | Impracticability of obtaining consent. | 3, 4, 7, 8 |
4 | National diabetes surveillance system | Creation of a national diabetes database of aggregate data by linking and assembling coded data contained in provincial databases routinely collected for other purposes (i.e. hospital files, physician billing records and drug claims data); no direct contact involved; no consent obtained. | Impracticability of obtaining consent. Need for harmonization of laws and policies across jurisdictions. Long-term retention of data for future research purposes. | 3, 7, 8, 9, 10 |
5 | Use of RFLP molecular epidemiology to find out how tuberculosis is spread among people infected with HIV | Linkage and analyses of TB bacteria grown from individual sputum samples in a public health laboratory, with non-identifying demographic data held by the province's health ministry; no direct contact involved; no consent obtained. | What constitutes personal information. Form of consent required. | 2, 3, 4, 7, 8 |
6 | HIV seroprevalence among women undergoing abortion | Linkage of non-identifying questionnaires with non-identifying test results of blood samples obtained for therapeutic abortion purposes; direct patient contact; written consent obtained. | Form of consent required. Need for harmonization of laws and policies across jurisdictions. | 3, 4, 6, 10 |
7 | New use of anti-arrhythmia drugs in Saskatchewan | Linkage and analyses of coded data contained in provincial databases routinely collected for other purposes (i.e. drug claims database, hospital discharge data and physician billing records); no direct contact involved; no consent obtained. | Impracticability of obtaining consent. | 3, 7, 8 |
8 | Barriers to accessing health care in Canada: is the System Fair? | Linkage and analyses of personal information contained in Statistics Canada's National Population Health Survey, with provincial databases routinely collected for other purposes (i.e. hospital discharge data and physician billing data); direct contact involved; express consent obtained. | Validity of informed consent. Need for harmonization of laws and policies across jurisdictions. | 5, 7, 8, 10 |
9 | Needle stick injuries in nursing and laboratory staff | Collection and use of non-identifying questionnaires, combined with general statistics at each participating hospital; direct contact involved; express consent obtained. | Prior contact by original data custodian. Mandatory reporting and the researchers' duty of confidentiality. | 4, 6, 7, 9 |
10 | A randomized controlled trial of call/recall of 'hard-to-reach' women for Pap tests | Linkage of personal information from electronic medical records, with provincial cancer and cytology registries for purpose of assembling study population; direct contact involved; no individual consent obtained but physician authorization granted. | Prior contact by original data custodian. Impracticability of obtaining consent. Long-term retention of data for consistent research purposes. | 6, 7, 8, 9 |
11 | The impact of having elderly and welfare patients in Quebec pay a greater share in the costs of their prescription drugs | Linkage and analyses of coded data routinely collected in provincial databases for other purposes (i.e. prescriptions claims data, hospital discharge data, physician billing data and mortality data); no direct contact involved; no consent obtained. | Distinction between policy evaluation and research. Impracticability of obtaining consent. | 2, 3, 8 |
12 | A randomized drug policy trial with camouflaged contacting of patients | Linkage of coded data routinely collected in provincial databases for other purposes (i.e. prescriptions claims data, hospital discharge data, physician billing data and mortality data) for the purpose of assembling a study population; quality of life questionnaires then sent to potentially eligible research subjects through camouflaged contacting method; consent obtained for linking questionnaires with administrative data. | Distinction between policy evaluation and research. Prior contact by original data custodian. | 5, 6, 8 |
13 | Cancer and other health problems associated with breast implants | Linkage and analysis of personal information obtained from hospital records and clinical records, with data obtained from provincial cancer registries and registrars of vital statistics; no direct contact involved; no individual consent obtained, but nation-wide publicity program conducted. | Unique legal status of cancer registries. Prior contact by original data custodian. Impracticability of obtaining consent. | 2, 3, 4, 7 |
14 | Second cancers following treatment for non-Hodgkin lymphoma | Linkage and analysis of personal information obtained from a provincial cancer registry with personal information contained in hospital and radiotherapy center records; no direct contact involved; no individual consent obtained as 75% of the study cohort had died. | Unique legal status of cancer registries. Prior contact by original data custodian. Impracticability of obtaining consent. | 3, 5, 6 |
15 | Ontario familial colon cancer registry | Reviewing tumour pathology report forwarded to a provincial cancer registry, as validated by attending surgeons, in order to first identify and invite eligible patients and families for inclusion in the registry; survey data and tissue samples then collected; direct contact involved; consent obtained. | Unique legal status of cancer registries. Prior contact by original data custodian. Implications of assembling genetic information as a particularly sensitive category of personal information. | 2, 5, 6, 7 |
16 | Rapid surveillance of cancer in neighbourhoods and near point sources of pollution | Linkage and analysis of personal information contained in a provincial cancer registry with a provincial property assessment file and mortality database; no direct contact involved; no consent obtained; community-wide publicity and consultation process are planned. | Unique legal status of cancer registries. Impracticability of obtaining consent. Community interests. | 2, 3, 7, 8 |
17 | Patient outreach via PharmaNet | Automatic flagging of eligible research subjects in the province's drug claims database through the use of a computerized algorithm in order to assemble a study population without any human intervention; direct patient contact involved; consent obtained. | Prior contact by original data custodian. | 3, 6 |
18 | The registry of the Canadian Stroke Network | Creation of a national stroke registry by collecting, linking and assembling patients' survey data, health care utilization data and mortality data; direct patient contact involved; consent obtained. | Prior contact by original data custodian. Validity of informed consent. Long-term retention of data for future research purposes. Need for harmonization of laws and policies across jurisdictions. | 3, 4, 5, 7, 10 |
19 | Studying the health of health care workers | Linkage and analyses of coded health data contained in provincial databases routinely collected for other purposes (i.e. hospital records, physician billing data, and drug claims data); no direct contact involved; no consent obtained. | Impracticability of obtaining consent. Long-term retention of data for future research purposes. | 3, 7, 8, 9 |
A-4 Diversity of health research and future considerations
To understand the scope of these Best Practices, it is helpful to consider the multi-faceted landscape of CIHR-funded health research in this country.
Health research projects span a spectrum of disciplines and methods.
These Best Practices are intended to address the full spectrum of CIHR-funded research.[Footnote 101] CIHR categorizes health research in four broad themes, as defined in its Grants and Awards Guide:[Footnote 102]
- Bio-medical research
  Research with the goal of understanding normal and abnormal human functioning, at the molecular, cellular, organ system and whole body levels, including development of tools and techniques to be applied for this purpose; developing new therapies or devices that improve health or the quality of life of individuals, up to the point where they are tested on human subjects. Studies on human subjects that do not have a diagnostic or therapeutic orientation.
- Clinical research
  Research with the goal of improving the diagnosis, and treatment (including rehabilitation and palliation), of disease and injury; improving the health and quality of life of individuals as they pass through normal life stages. Research on, or for the treatment of, patients.
- Health services research
  Research with the goal of improving the efficiency and effectiveness of health professionals and the health care system, through changes to practice and policy. Health services research is a multidisciplinary field of scientific investigation that studies how social factors, financing systems, organizational structures and processes, health technologies, and personal behaviours affect access to health care, the quality and cost of health care, and, ultimately, Canadians' health and well-being.
- Social, cultural, environmental and population health
  Research with the goal of improving the health of the Canadian population, or of defined sub-populations, through a better understanding of the ways in which social, cultural, environmental, occupational and economic factors determine health status.
CIHR encourages multi-disciplinary research that cuts across these broad thematic areas.
CIHR-funded health research also spans a range of research methods, including quantitative methods (typically based on large numbers of participants, involving hypothesis generation and testing, and statistical analyses of data) and qualitative methods (typically not involving the testing of hypotheses, but rather more open-ended and inductive analysis and collaborative observation techniques, often with smaller numbers of individuals).[Footnote 103]
Health research projects may cross community, provincial, territorial or national boundaries.
Health research may involve particular cultural groups or communities, such as Aboriginal groups or remote communities.
A single health research study may have multiple sites in more than one province or territory. Research teams may be composed of a network of investigators drawn from across the country and across disciplines. CIHR's 13 "virtual" institutes are founded on this model, promoting collaboration among investigators in various jurisdictions, working on similar questions from different perspectives.
And, because health is a global issue, health research can have an international dimension. Researchers collaborate with colleagues in other countries as they have in the multi-year international Human Genome Project and in CIHR's Global Health initiative.
Health research is conducted in various settings, often supported by a mix of public and private funds.
A great deal of research is based at universities where investigators may have both public and private funding sources. Governments and affiliated research or statistical agencies conduct research on such things as emerging public health issues and the effectiveness of the health care system. They increasingly look for private-public partnerships in sponsorship. Statistical and research agencies with a public mandate conduct research within their agencies and frequently also serve as data stewards permitting, under strict controls, access to their data by external researchers such as those with CIHR funding.
Potential data sources for health research are also diverse.
Individuals are one essential source of health-related data. Individuals are recruited, for example, for clinical trials of new treatments and therapies; and for surveys (conducted by telephone, by mail or in person) on personal lifestyles and attitudes and on the health status of the population. Sometimes the interactions of individuals or groups are simply observed and documented.
Existing databases that were not originally created for research purposes are also important sources of data for health research. These databases have the potential to provide data that are difficult to obtain or cannot be obtained directly from individuals, such as physician diagnoses and records of hospital treatment (in health administrative databases), official registration of births, deaths and cause of death (in population registries), and disease trends and geographic "hot spots" in the population over time (in health surveillance databases).
Thus, these Best Practices have a broad scope, encompassing the wide spectrum of CIHR-funded health research intended to contribute generalizable knowledge to protect and improve human health.
For a more detailed description of the diversity of health research methods, the tables in this section provide examples of studies recruiting individuals or communities, and the wide range of important sources of research data.
Table 1: Examples of studies recruiting individuals or communities
Examples of participants | Examples of data items collected | Examples of research potential | Examples of data collection methods |
---|---|---|---|
Residents of a rural community | | | |
Individuals with asthma | | | |
Individuals with colon cancer | | | |
Tamil refugees in the Greater Toronto area | | | |
Table 2: Examples of databases with research potential, held in diverse settings
Databases | Examples of data[Footnote 104] | Examples of research potential | Examples of data holders |
---|---|---|---|
Health administrative databases | | | |
Population registries | | | |
Disease registries | | | |
Clinical research databases | | | |
Human genetic material banks | | | |
Health surveillance databases | | | |
Survey databases | | | |
Future considerations: The changing landscape of health research
The research landscape is an evolving one, as our knowledge and technological capacities continue to advance. In particular, the impact of new developments on research is still to be determined in areas such as:
- the projected implementation of electronic health records across Canada over the next decade;
- discoveries in genomics and research on genetic-environmental interactions;
- emerging standards for Aboriginal research;[Footnote 105]
- increasing use of health-related databases, such as hospital and vital statistics records, for multiple purposes including patient care and management, program management, public health functions and services (e.g. cancer screening, vaccinations, chronic disease risk factor surveillance, obesity interventions) and research; and
- government-led initiatives toward a harmonized legal framework for protecting the privacy and confidentiality of health information across all jurisdictions in Canada.
A-5 Selected documents and web links
Selected international and national guidelines
- Council for International Organization of Medical Societies (CIOMS):
  - International Ethical Guidelines for Biomedical Research Involving Human Subjects (2002)
  - International Ethical Guidelines for the Ethical Review of Epidemiological Studies (1991) (currently under revision. See Website)
- European Commission - Data protection
- Interagency Advisory Panel on Research Ethics:
  - Canadian Institutes of Health Research, Natural Sciences and Engineering Research Council of Canada, Social Sciences and Humanities Research Council of Canada: Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (TCPS), 1998 (with 2000, 2002, 2005 amendments)
- Medical Research Council (United Kingdom):
  - Ethics Series - Personal Information in Medical Research (2000)
- Quebec Network of Applied Genetic Medicine (RMGA):
  - All policies
  - Statement of Principles on the Ethical Conduct of Research Involving Populations
  - Statement of Principles: Human Genome Research, Version 2000
  - Research in Human Genetics and Consent (French only)
- UK Biobank Project:
For other key guidance documents see the Interagency Advisory Panel for Research Ethics web site.
Privacy legislation
- CIHR A Compendium of Canadian Legislation Respecting the Protection of Personal Information in Health Research (April 2000, to be updated 2005)
- Federal/Provincial/Territorial Oversight Offices - web links:
  - Canada (Federal)
  - British Columbia
  - Alberta
  - Saskatchewan
  - Manitoba
  - Ontario
  - Quebec
  - Prince Edward Island
  - Nova Scotia
  - New Brunswick
  - Newfoundland and Labrador
  - Yukon
  - Northwest Territories - Email: atippcomm@theedge.ca
  - Nunavut - Email: atippcomm@theedge.ca
Disclosure controls
- Statistics Canada:
  - Quality Guidelines (4th Edition - Oct 2003), pg. 61-66
  - Guide for Researchers under Agreement with Statistics Canada (July 2004), Appendix 2 - More on Disclosure and Disclosure Risk
Related documents
- CIHR Procedure for Addressing Allegations of Non-compliance with Research Policies.
- CIHR Use of Personal Information in Health Research: Case Studies (November 2002)
- CIHR Selected International Legal Norms on the Protection of Personal Information in Health Research (December, 2001).
- W. Lowrance, Learning from Experience: Privacy and the Secondary use of Data in Health Research, November 28, 2002.
A-6 Glossary
The following terms are defined here as used in this document. Readers should be aware, however, that these terms are not yet standardized and may be used somewhat differently in other contexts.
Aggregate data. The data have been averaged or grouped into ranges (e.g. 5 or 10-year age groupings).
Camouflaged contacting. This is an approach to sampling and contacting patients with particular medical conditions in such a way that the person making the contact is not aware of the health status of the individual at the time of contacting. Records of individuals with and without the condition of interest are sampled in some pre-determined proportion from the original source (e.g. administrative or clinical records). Contact information about the combined-sample group is then released without any information about the health status of the individual being disclosed to the person making contact (by telephone or mail). The health status of the individual remains concealed until such time as the individual agrees to participate in the research and to disclose whether or not he or she has the condition of interest.
Coded data. Single code: A participant's data are assigned a random code. Direct identifiers are removed from the dataset and held separately. The key linking the code back to direct identifiers is available only to a limited number (e.g. senior members) of the research team. Double or multiple codes: Two or more codes are assigned to the same participant's data held in different datasets (e.g. health administrative data, clinical data, genetic samples and data). The key connecting the codes back to participants' direct identifiers is held by a third party (such as the data holder) and is not available to the researchers. Coded data refers to data that are at least single coded. (See Element #2, Section 2.2.2, Box-Definition of terms).
Consent. Agreement to participate in research (which may include the collection, use or disclosure of personal data) by a legally competent person, or by authorized third parties on behalf of those who lack legal competence. Consent, to be valid, must be voluntary and informed. For consent to be voluntary, the consent must be given without the exertion of undue influence on the person, and with the option of withdrawing from the research at any time without penalty. For consent to be informed, the person must be given information about the research, and must understand this information. (See TCPS, Section 3)
Confidentiality. Confidentiality is the obligation of an organization or custodian to protect the information entrusted to it and not misuse or wrongfully disclose it. (From The Pan-Canadian Health Information Privacy and Confidentiality Framework, January 27, 2005. Accessible on the Health Canada - Health and the Information Highway Division - eHealth Resource Centre web page, under Reports 2005).
Data. Facts or figures from which conclusions can be drawn. Data can take various forms, but are often numerical, such as daily weight measurements of each person in a group (ref. Statistics: Power from data! - Statistics Canada On-line). See also definitions for Information.
Data custodian. See Data holder.
Data holder. The Data holder may have custodianship and/or stewardship functions. These functions may be executed within the same institution/body or may be delegated to distinct but coordinated institutions/bodies. Data custodianship relates primarily to responsibility for data storage and integrity. Data stewardship relates primarily to responsibility for data definition and access authorization, particularly data access and disclosure to third parties.
Data steward. See Data holder.
Data subject. The individual who is the subject of personal data/information collected for research purposes. Distinguished from Research Participant.
Direct collection. Collection of data directly from individuals.
Direct identifiers. These are variables such as name and address, health insurance number, etc., that provide an explicit link to a respondent. (Statistics Canada)
Indirect identifiers. These are variables such as date of birth, sex, marital status, area of residence, occupation, type of business, etc. that, in combination, could be used to identify an individual. (Adapted from Statistics Canada)
Impracticable. For the purposes of this document, "impracticable" means a degree of difficulty in doing something under present conditions, where the degree of difficulty is greater than would arise if something is merely inconvenient to do but may be less than if something is impossible. The conditions for assessing "impracticability" of consent are described in Element #3.
Information. Data that have been recorded, classified, organized, related, or interpreted within a framework so that meaning emerges. Information, like data, can take various forms. An example of the type of information that can be derived from data is the number of persons in a group in each weight category or changes in weight over time (ref. Statistics: Power from data! - Statistics Canada On-line). See also definitions for Data and Statistics.
Member-checking. This is when a researcher provides participants with the opportunity to look at transcripts of what they have said or done, and to delete or footnote what they consider to be inaccurate or sensitive information.
Non-identifiable data. Any element or combination of elements that allows direct or indirect identification of an individual was never collected or has been removed, although some elements may indirectly identify a group or region. There is no code linking the data back to the individual's identity. (See Element #2, Section 2.2.2, Box - Definition of terms)
Personal data/information. Personal data or information may contain a direct link to a specific individual (e.g. name and street address, personal health number, etc.) or any element or a combination of elements that allows indirect identification of an individual (e.g. if birth date combined with postal code and other personal information on the record such as ethnicity could lead to the identification of an individual). The scope of personal information covered in these Privacy Best Practices includes personal information derived from blood and other human biological materials (e.g. information such as blood type, DNA code and the presence or absence of disease), but not the materials themselves.
Privacy. Privacy includes a right to be free from intrusion and interruption. It is linked with other fundamental rights such as freedom and personal autonomy. In relation to information, privacy involves the right of individuals to determine when, how and to what extent they share information about themselves with others. (From The Pan-Canadian Health Information Privacy and Confidentiality Framework, January 27, 2005. Accessible on the Health Canada - Health and the Information Highway Division - eHealth Resource Centre web page, under Reports 2005).
Research. Research is defined in the TCPS as "a systematic investigation designed to develop or establish principles, facts or generalizable knowledge" (TCPS, pg. 1.1). The range of research requiring ethics review in the TCPS is listed in Appendix 1 (TCPS, pg. A.1).
Research participant. The individual who consents to participation in research and who is the subject of personal data or information collected for research. See Data Subject.
Secondary use of data for research. The data may have been collected originally for (i) a non-research purpose (e.g. for health care administrative purposes or for health care insurance billing purposes), or (ii) a different research purpose (e.g. for a study on a different but related disease).
Sensitivity. The sensitivity of personal data is related to the potential for harm or stigma that might attach to the identification of an individual because of the nature of the information. The type of information that an individual may consider sensitive could relate to: sexual attitudes, practices and orientation; use of alcohol, drugs, or other addictive substances; illegal activities; suicide; sexual abuse; sexual harassment; an individual's psychological well-being or mental health; some types of genetic information (e.g. information that predicts future illness or disability and raises concerns around future employability or insurability); and any other information that, if released, might lead to social stigmatization or discrimination. Researchers should also be aware of information that communities may consider sensitive because, for example, of its potential to stigmatize a community.
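The single and double coding schemes defined under "Coded data" in the glossary above, together with its split between direct and indirect identifiers, are shown here as an added Python example that is not part of the CIHR document. The field names, the `DataHolder` class and the sample records are assumptions constructed for illustration.

```python
"""Single and double coding of a constructed participant dataset (added example)."""
import secrets
from collections import Counter

# Field classification follows the glossary; the field names are assumptions.
DIRECT = ("name", "health_number", "address")
INDIRECT = ("birth_year", "sex", "postal_prefix")

# Constructed sample records, not real data.
ADMIN = [
    {"name": "A. Roy", "health_number": "HN-0001", "address": "1 Elm St",
     "birth_year": 1950, "sex": "F", "postal_prefix": "K1A", "visits": 4},
    {"name": "B. Cote", "health_number": "HN-0002", "address": "2 Oak St",
     "birth_year": 1950, "sex": "F", "postal_prefix": "K1A", "visits": 1},
    {"name": "C. Singh", "health_number": "HN-0003", "address": "3 Fir St",
     "birth_year": 1981, "sex": "M", "postal_prefix": "T5K", "visits": 7},
]
CLINICAL = [
    {"health_number": "HN-0003", "hba1c": 7.9},
    {"health_number": "HN-0001", "hba1c": 6.1},
]


def new_code(used):
    """Random code with no relation to any identifier (not a hash of one)."""
    while True:
        code = secrets.token_hex(8)
        if code not in used:
            used.add(code)
            return code


def single_code(records):
    """Split records into a coded dataset and a separately held key."""
    coded, key, used = [], {}, set()
    for rec in records:
        code = new_code(used)
        key[code] = {f: rec[f] for f in DIRECT if f in rec}
        row = {f: v for f, v in rec.items() if f not in DIRECT}
        coded.append({"code": code, **row})
    return coded, key


class DataHolder:
    """Third party for double coding: it alone keeps the key between codes."""

    def __init__(self):
        self._key = {}      # health_number -> {dataset name: code}
        self._used = set()  # codes are unique across all released datasets

    def release(self, name, records):
        """Return the dataset under codes that exist only in that dataset."""
        out = []
        for rec in records:
            codes = self._key.setdefault(rec["health_number"], {})
            codes[name] = new_code(self._used)
            row = {f: v for f, v in rec.items() if f not in DIRECT}
            out.append({"code": codes[name], **row})
        return out

    def link(self, name_a, name_b):
        """Code pairs for participants present in both datasets."""
        return {c[name_a]: c[name_b] for c in self._key.values()
                if name_a in c and name_b in c}


def smallest_group(coded, fields=INDIRECT):
    """Size of the rarest combination of indirect identifiers.

    A result of 1 means one participant is singled out by the combination,
    even though every direct identifier has been removed.
    """
    groups = Counter(tuple(row.get(f) for f in fields) for row in coded)
    return min(groups.values())


def has_direct_identifiers(dataset):
    """True if any row still carries a direct identifier field."""
    return any(f in row for row in dataset for f in DIRECT)


if __name__ == "__main__":
    coded, key = single_code(ADMIN)
    print("single coded:", coded[0], "| key held apart:", len(key), "entries")
    holder = DataHolder()
    admin = holder.release("admin", ADMIN)
    clinical = holder.release("clinical", CLINICAL)
    print("codes shared across datasets:",
          {r["code"] for r in admin} & {r["code"] for r in clinical})
    print("link table (holder only):", holder.link("admin", "clinical"))
    print("smallest indirect-identifier group:", smallest_group(coded))
```

The researcher-side datasets cannot be joined on `code` because each dataset gets its own codes; only the holder's `link` table connects them.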
A-7 Tables of concordance with privacy legislation
Explanatory note [Footnote 106]
- The Tables of Concordance supplement key provisions of the Privacy Best Practices with cross-references to related requirements under Canadian privacy legislation. The Tables also briefly summarize requirements under Canadian privacy legislation which are supplemental to the Privacy Best Practices. A full text of the provisions referred to in the Tables of Concordance can be found in the CIHR's "Compendium of Canadian Legislation Respecting the Protection of Personal Information in Health Research". [Footnote 107]
- The Tables are for reference purposes only and are intended to be read in conjunction with the Privacy Best Practices. References to specific Tables are found throughout the Privacy Best Practices.
- The requirements under privacy legislation will vary depending on the factual circumstances. As such, the Tables should not be relied upon as legal advice. Readers should consult the relevant privacy statute(s) and, depending on the circumstances, other applicable legal requirements as well as professional codes of ethics.
- The Tables only refer to Canadian federal, provincial and territorial privacy legislation. Municipal and local public sector privacy statutes have also been included.
- The legislation included in the Tables is current through to June 2005.
Application of Canadian privacy legislation
Jurisdiction | Legislation | Entities covered by Legislation |
---|---|---|
Federal | Personal Information Protection and Electronic Documents Act | |
Federal | Privacy Act | |
British Columbia | Personal Information Protection Act | |
British Columbia | Freedom of Information and Protection of Privacy Act | |
Alberta | Health Information Act | |
Alberta | Personal Information Protection Act | |
Alberta | Freedom of Information and Protection of Privacy Act | |
Alberta | Municipal Government Act | |
Saskatchewan | The Health Information Protection Act | |
Saskatchewan | Freedom of Information and Protection of Privacy Act | |
Saskatchewan | The Local Authority Freedom of Information and Protection of Privacy Act | |
Manitoba | The Personal Health Information Act | |
Manitoba | The Freedom of Information and Protection of Privacy Act | |
Ontario | Personal Health Information Protection Act | |
Ontario | Freedom of Information and Protection of Privacy Act | |
Ontario | Municipal Freedom of Information and Protection of Privacy Act | |
Quebec | An act respecting access to documents held by public bodies and the protection of personal information | |
Quebec | An act respecting the protection of personal information in the private sector | |
Prince Edward Island | Freedom of Information and Protection of Privacy Act | |
Nova Scotia | Freedom of Information and Protection of Privacy Act | |
Nova Scotia | Municipal Government Act | |
New Brunswick | Protection of Personal Information Act | |
Newfoundland and Labrador | Access to Information and Protection of Privacy Act [Footnote 110] | |
Yukon | Access to Information and Protection of Privacy Act | |
Northwest Territories | Access to Information and Protection of Privacy Act | |
Nunavut | Access to Information and Protection of Privacy Act | |
ELEMENT #1 - DETERMINING THE RESEARCH OBJECTIVES AND JUSTIFYING THE DATA NEEDED TO FULFILL THESE OBJECTIVES |
Element #1 provides that researchers should, at the outset of the research design process, identify and document research objectives as a basis for determining what data will be needed for the research. The precise identification and documentation of the purposes for collection, use and disclosure of personal (health) information is critical for the purpose of complying with various requirements under privacy legislation, including requirements relating to the principles of limiting collection of personal information, obtaining consent for collection, use and disclosure of personal (health) information, and accountability and transparency. Statutory references to each of these requirements under Canadian privacy legislation can be found in the following concordance tables in this section:
|
ELEMENT #2 - LIMITING THE COLLECTION OF PERSONAL DATA [Footnote 111, Footnote 112] | ||
Jurisdiction | Legislation | Privacy Legislation Concordance |
Federal | Personal Information Protection and Electronic Documents Act | Schedule 1, 4.4 (Limiting Collection) |
Federal | Privacy Act | Section 4 (Collection of personal information); Section 5 (Personal information to be collected directly from individual) |
British Columbia | Personal Information Protection Act | Section 11 (Limitations on collection of personal information); Section 12 (Collection from source other than the individual) |
British Columbia | Freedom of Information and Protection of Privacy Act | Section 26 (Purposes for which information may be collected); Section 27(1) (How personal information is to be collected) |
Alberta | Health Information Act | Sections 18 to 21 (Collection of health information); Section 22 (Duty to collect health information from individual directly); Section 24 (Collection of health information by affiliate); Section 57 (Duty to collect, use or disclose health information with highest degree of anonymity possible); Section 58 (Duty to collect, use or disclose health information in a limited manner); Section 68(a) (Health information to be used in data matching to be collected in accordance with the Act) |
Alberta | Health Information Regulation | Section 5(2) (Persons authorized to collect personal health number) |
Alberta | Personal Information Protection Act | Section 7(1)(b) (Direct collection); Section 11 (Limitations on collection) |
Alberta | Freedom of Information and Protection of Privacy Act | Section 33 (Purposes for which information may be collected); Section 34(1) (Direct collection) |
Alberta | Municipal Government Act | __ |
Saskatchewan | The Health Information Protection Act | Section 11 (Collection of health numbers); Section 23 (Collection on a need to know basis); Section 24 (Restrictions on collection); Section 25(1) (Direct collection) |
Saskatchewan | The Freedom of Information and Protection of Privacy Act | Section 25 (Purpose of information); Section 26 (Manner of collection) |
Saskatchewan | The Local Authority Freedom of Information and Protection of Privacy Act | __ |
Manitoba | The Personal Health Information Act | Section 13(1) (Restrictions on collection); Section 13(2) (Limit on amount of information collected); Section 14 (Source of information); Section 26 (Collection of health numbers) |
Manitoba | The Freedom of Information and Protection of Privacy Act | Section 36(1) (Purpose of collection); Section 36(2) (Limit on amount of information collected); Section 37(1) (Manner of collection) |
Ontario | Personal Health Information Protection Act | Section 30 (Extent of information); Section 34(2) (Limits on collecting health numbers); Section 36(1) (Indirect collection) |
Ontario | Freedom of Information and Protection of Privacy Act | Section 38(2) (Collection of personal information); Section 39(1) (Direct collection) |
Ontario | Municipal Freedom of Information and Protection of Privacy Act | __ |
Quebec | An act respecting the protection of personal information in the private sector | Section 5 (Necessary information); Section 6 (Collection from the person concerned) |
Quebec | An act respecting access to documents held by public bodies and the protection of personal information | Section 64 (Unnecessary information) |
Prince Edward Island | Freedom of Information and Protection of Privacy Act | Section 31 (Purpose of Collection of Information); Section 32 (Direct collection) |
Nova Scotia | Freedom of Information and Protection of Privacy Act | Section 24(1) (Treatment of Personal Information) |
Nova Scotia | Municipal Government Act | __ |
New Brunswick | Protection of Personal Information Act | Schedule A, Principle 4 (Limiting Collection); Schedule B, Principle 4 (Individuals from whom personal information may be collected) |
Newfoundland and Labrador | Access to Information and Protection of Privacy Act [Footnote 113] | Section 32 (Purpose for which personal information may be collected); Section 33 (How personal information is to be collected) |
Yukon | Access to Information and Protection of Privacy Act | Section 29 (Purpose for which personal information may be collected); Section 30 (How personal information is to be collected) |
Northwest Territories | Access to Information and Protection of Privacy Act | Section 40 (Purpose of collection of information); Section 41 (Collection of information from individual concerned) |
Nunavut | Access to Information and Protection of Privacy Act | Section 40 (Purpose of collection of information); Section 41 (Collection of information from individual concerned) |
ELEMENT #3 - DETERMINING IF CONSENT FROM INDIVIDUALS IS REQUIRED | ||
Conditions For Use And Disclosure For Research Purposes Without Consent [Footnote 114] | ||
Jurisdiction | Legislation | Privacy Legislation Concordance |
Federal | Personal Information Protection and Electronic Documents Act [Footnote 115] |
Section 7(2)(c): Conditions for use by an organization for statistical, or scholarly study or research purposes:
Section 7(3)(f): Conditions for disclosure by an organization for statistical, or scholarly study or research purposes:
|
Privacy Act |
Section 8(2)(j): Conditions for use and disclosure by a government institution for research or statistical purposes: Head of the government institution:
|
|
British Columbia | Personal Information Protection Act |
Section 21: Conditions for disclosure by organizations:
|
Freedom of Information and Protection of Privacy Act |
Section 35: Conditions for disclosure by public bodies:
|
|
Alberta | Health Information Act |
Sections 27(1)(d) and 35(1)(a): Conditions for use and disclosure by a custodian:
See also section 49 (Research proposal), section 50 (Role of ethics committee), section 51 (Bar to research), section 52 (Application for disclosure of health information), section 53 (Conditions and consents), section 54 (Agreement between custodian and researcher) and section 55 (Consent of the individual is required if additional information is needed). |
Personal Information Protection Act Regulation |
Section 12(2): Conditions for disclosure by an archival institution:
Section 14(3): Conditions for disclosure by an organization that is not an archival institution:
|
|
Freedom of Information and Protection of Privacy Act |
Section 42: Conditions for disclosure by public bodies:
|
|
Municipal Government Act | __ | |
Saskatchewan | The Health Information Protection Act |
Section 29(2): Conditions for disclosure by a trustee or designated archive:
|
The Freedom of Information and Protection of Privacy Act |
Section 29(2)(k): Conditions for disclosure by public body:
|
|
The Local Authority Freedom of Information and Protection of Privacy Act |
Section 28(2)(k): Conditions for disclosure by local body:
|
|
Manitoba | The Personal Health Information Act |
Section 24: Conditions for disclosure by trustees:
|
The Freedom of Information and Protection of Privacy Act |
Section 47(4): Conditions for disclosure by public body:
|
|
Ontario | Personal Health Information Protection Act |
Section 44(1): Conditions for use by health information custodians and disclosure by health information custodians to researchers:
See also sections 34(2) and (3) (Use and disclosure of health numbers), 37(1)(j) and (3) (Permitted use for research), section 44(2) (Elements of Research plan), section 44(3) and (4) (Consideration and decision of board), section 44(5) (Content of research agreement), section 44(6) (Compliance by researcher), sections 44(10) and (11) (Research approved outside Ontario) and section 50(1)(b) (Disclosure outside Ontario). See also section 39(1)(c) (Disclosure to prescribed person who compiles or maintains a registry of personal health information for purposes of facilitating or improving the provision of health care or that relates to the storage or donation of body parts or bodily substances), section 45 (Disclosure to prescribed entities for planning and management of health systems) and section 47 (Disclosure for analysis of health system). |
Personal Health Information Protection Act, General Regulation |
Section 12 (Disclosure of health number):
Section 15 (Requirement for research ethics board); Section 16 (Requirement for a research plan); Section 17 (Disclosure by researcher); Section 18(3) and (4) (Rules applicable to section 45 prescribed entities for use and disclosure of personal health information for research purposes) [Footnote 116]; Section 13(4) and (5) (Rules applicable to registries of personal health information for use and disclosure of personal health information for research purposes) [Footnote 117] |
|
Freedom of Information and Protection of Privacy Act |
Section 21(1)(e): Conditions for disclosure by public body:
|
|
Municipal Freedom of Information and Protection of Privacy Act | __ | |
Municipal Freedom of Information and Protection of Privacy Act, General Regulation |
Section 10(1): Terms and conditions a person must agree to before a head may disclose personal information to that person for a research purpose:
|
|
Quebec | An act respecting the protection of personal information in the private sector |
Section 21: Conditions for disclosure:
|
An act respecting access to documents held by public bodies and the protection of personal information |
Section 125: Conditions for disclosure:
|
|
Prince Edward Island | Freedom of Information and Protection of Privacy Act |
Section 39: Conditions for disclosure by public body:
|
Nova Scotia | Freedom of Information and Protection of Privacy Act |
Section 29: Conditions for disclosure by public body:
|
Municipal Government Act |
Section 485(4): Conditions for disclosure by municipality:
|
|
New Brunswick | Protection of Personal Information Act | Schedule B, section 3.4: Consent not required when public body collects, uses or discloses personal information for purposes of legitimate research in the interest of science, of learning or of public policy, or for archival purposes. |
Newfoundland and Labrador | Access to Information and Protection of Privacy Act |
Section 41: Conditions for disclosure by public body:
|
Yukon | Access to Information and Protection of Privacy Act |
Section 38: Conditions for disclosure by public body:
|
Northwest Territories | Access to Information and Protection of Privacy Act |
Section 49: Conditions for disclosure by public body:
|
Nunavut | Access to Information and Protection of Privacy Act |
Section 49: Conditions for disclosure by public body:
|
ELEMENT #4 - MANAGING AND DOCUMENTING CONSENT [Footnote 119] | ||
Part 1 - Consent Requirement and Elements of Consent | ||
Jurisdiction | Legislation | Privacy Legislation Concordance and Selected Supplemental Requirements |
Federal | Personal Information Protection and Electronic Documents Act | Schedule 1, 4.3 and 4.3.1 (Consent Requirement); Schedule 1, 4.3.4, 4.3.6 and 4.3.7 (Form of Consent); Schedule 1, 4.3.2, 4.3.5, 4.3.8 (Elements of Consent) |
Federal | Privacy Act | Sections 7 and 8 (Consent Requirement) |
British Columbia | Personal Information Protection Act | Sections 6 and 7 (Consent Requirement); Section 8 (Form of Consent); Section 9 (Elements of Consent) |
British Columbia | Freedom of Information and Protection of Privacy Act | Sections 32(b) and 33.1(1)(b) (Consent Requirement) |
British Columbia | Freedom of Information and Protection of Privacy Regulation | Section 6 (Form of Consent). Supplemental Requirement to CIHR Privacy Best Practices: Consent to disclosure of personal information must be in writing and specify to whom the personal information may be disclosed and how the personal information may be used. |
Alberta | Health Information Act | Section 34(1) and (3) (Consent Requirement); Section 34(2), (4), (5) and (6) (Form of Consent). Supplemental Requirement to CIHR Privacy Best Practices: Consent to disclosure of personal health information must be in writing or be provided electronically and must include: |
Alberta | Health Information Regulation | Section 6(2) (Electronic Consent). Supplemental Requirement to CIHR Privacy Best Practices: An electronic consent or a revocation of an electronic consent is valid only if the level of authentication is sufficient to identify the individual who is granting the consent or revoking the consent, as the case may be. |
Alberta | Personal Information Protection Act | Section 7 (Consent Requirement); Section 8 (Form of Consent); Section 9 (Withdrawal or variation of consent); Section 10 (Consent obtained by deception) |
Alberta | Freedom of Information and Protection of Privacy Act | Sections 39(1)(b) and 40(1)(d) (Consent Requirement) |
Alberta | Freedom of Information and Protection of Privacy Regulation | Section 6(1) (Form of Consent). Supplemental Requirement to CIHR Privacy Best Practices: Consent to use or disclosure of personal information must be in writing and must specify to whom the personal information may be disclosed. |
Alberta | Municipal Government Act | __ |
Saskatchewan | The Health Information Protection Act | Sections 5, 26 and 27 (Consent Requirement); Sections 6(1) and (2), and 7 (Elements of Consent); Sections 6(3), (4) and (5) (Form of Consent) |
Saskatchewan | The Freedom of Information and Protection of Privacy Act | Sections 28 and 29 (Consent Requirement) |
Saskatchewan | The Freedom of Information and Protection of Privacy Regulations | Section 18 (Form of Consent). Supplemental Requirement to CIHR Privacy Best Practices: Consent to be in writing unless the head of the public body determines that it is not reasonably practicable. |
Saskatchewan | The Local Authority Freedom of Information and Protection of Privacy Act | __ |
Saskatchewan | The Local Authority Freedom of Information and Protection of Privacy Regulations | Section 11 (Form of Consent). Supplemental Requirement to CIHR Privacy Best Practices: Consent to be in writing unless the head of the local body determines that it is not reasonably practicable. |
Manitoba | The Personal Health Information Act | Sections 21(b) and 22(1)(b) (Consent Requirement) |
Manitoba | The Freedom of Information and Protection of Privacy Act | Sections 43(b) and 44(1)(b) (Consent Requirement) |
Ontario | Personal Health Information Protection Act | Section 29 (Consent Requirement); Sections 18(1), 18(5), 18(6) and 19 (Elements of Consent); Section 18(2), (3) and (4) (Form of Consent) |
Ontario | Freedom of Information and Protection of Privacy Act | Section 41(a) and 42(b) (Consent Requirement) |
Ontario | Municipal Freedom of Information and Protection of Privacy Act | __ |
Quebec | An act respecting the protection of personal information in the private sector | Sections 12 and 13 (Consent Requirement); Section 14 (Elements and Form of Consent). Supplemental Requirement to CIHR Privacy Best Practices: Consent must be manifest, free and enlightened [Footnote 121] |
Quebec | An act respecting access to documents held by public bodies and the protection of personal information | Section 53(1) and 59 (Consent Requirement) |
Prince Edward Island | Freedom of Information and Protection of Privacy Act | Section 36(1)(b) and 37(1)(c) (Consent Requirement) |
Prince Edward Island | Freedom of Information and Protection of Privacy Act, General Regulations | Section 6 (Form of Consent). Supplemental Requirement to CIHR Privacy Best Practices: Consent to use or disclose personal information must (a) be in writing and (b) specify to whom the personal information may be disclosed and how the personal information may be used. |
Nova Scotia | Freedom of Information and Protection of Privacy Act | Sections 26(b) and 27(b) (Consent Requirement) |
Nova Scotia | Freedom of Information and Protection of Privacy Regulations | Sections 7(2) and 8 (Form of Consent). Supplemental Requirement to CIHR Privacy Best Practices: Consent to use of personal information must (i) be in writing, (ii) identify the information, and (iii) specify to whom the information may be disclosed and how the information may be used. [Footnote 122] |
Nova Scotia | Municipal Government Act | __ |
New Brunswick | Protection of Personal Information Act | Schedule A, Principle 3 (Consent Requirement); Schedule B, 3.1 and 3.2 (Form of Consent) |
Newfoundland and Labrador | Access to Information and Protection of Privacy Act [Footnote 123] | Sections 38(1)(b) and 39(1)(b) (Consent Requirement) |
Yukon | Access to Information and Protection of Privacy Act | Sections 35(b) and 36(b) (Consent Requirement) |
Yukon | Access to Information Regulation | Section 2 (Consent to disclosure of personal information). Supplemental Requirement to CIHR Privacy Best Practices: Consent to disclosure to be in writing and specify to whom the personal information may be disclosed and how it may be used. |
Northwest Territories | Access to Information and Protection of Privacy Act | Sections 43(b) and 48(b) (Consent Requirement) |
Northwest Territories | Access to Information and Protection of Privacy Regulations | Section 5 (Form of Consent). Supplemental Requirement to CIHR Privacy Best Practices: The consent of an individual to a public body's use or disclosure of his or her personal information must be in writing and specify to whom the personal information may be disclosed and how it may be used. |
Nunavut | Access to Information and Protection of Privacy Act | Sections 43(b) and 48(b) (Consent Requirement) |
Nunavut | Access to Information and Protection of Privacy Regulations | Section 5 (Form of Consent). Supplemental Requirement to CIHR Privacy Best Practices: The consent of an individual to a public body's use or disclosure of his or her personal information must be in writing and specify to whom the personal information may be disclosed and how it may be used. |
ELEMENT #4 - MANAGING AND DOCUMENTING CONSENT | ||
Part 2 - Consent by Substitute Decision Makers [Footnote 124] | ||
Jurisdiction | Legislation | Privacy Legislation Concordance |
Federal | Personal Information Protection and Electronic Documents Act | Schedule 1, 4.3.6 (Consent by authorized representatives) |
Federal | Privacy Act; Privacy Regulations | Section 10 (Exercise of rights on behalf of minors, persons deemed incompetent, or deceased persons) |
British Columbia | Personal Information Protection Act Regulations | Section 2 (Who may act for minors and others); Section 3 (Who may act for deceased persons); Section 4 (Determination of nearest relative) |
British Columbia | Freedom of Information and Protection of Privacy Regulation | Section 3 (Who can act for young people and others) |
Alberta | Health Information Act | Section 104(1) (Exercise of rights by other persons) |
Alberta | Personal Information Protection Act | Section 61(1) (Exercise of rights by other persons) |
Alberta | Freedom of Information and Protection of Privacy Act | Section 84 (Exercise of rights by other persons) |
Saskatchewan | The Health Information Protection Act | Section 56 (Exercise of rights by other persons) |
Saskatchewan | The Freedom of Information and Protection of Privacy Act | Section 59 (Exercise of rights by other persons) |
Manitoba | The Personal Health Information Act | Section 60 (Exercising rights of another person) |
Manitoba | The Freedom of Information and Protection of Privacy Act | Section 79 (Exercising rights of another person) |
Ontario | Personal Health Information Protection Act | Section 5 (Substitute decision-maker); Sections 23 and 26 (Persons who are entitled to consent to the collection, use, or disclosure of personal health information); Section 25 (Authority of substitute decision-maker); Section 27 (Appointment of representative) |
Ontario | Freedom of Information and Protection of Privacy Act | Section 66 (Exercise of rights of deceased, etc., persons) |
Quebec | An act respecting the protection of personal information in the private sector | - |
Quebec | An act respecting access to documents held by public bodies and the protection of personal information | Section 53 (Person with parental authority may authorize disclosure for a minor) |
Prince Edward Island | Freedom of Information and Protection of Privacy Act | Section 71 (Exercise of rights by other persons) |
Nova Scotia | Freedom of Information and Protection of Privacy Act | Section 43 (Exercise of right or power by other persons) |
New Brunswick | Protection of Personal Information Act | Schedule B, section 3.3 (Consent can be given by a parent, guardian or other representative of the individual in appropriate circumstances) |
Newfoundland and Labrador | Access to Information and Protection of Privacy Act [Footnote 125] | Section 65 (Exercising rights of another person) |
Yukon | Access to Information and Protection of Privacy Act | Section 62 (Personal Representation) |
Northwest Territories | Access to Information and Protection of Privacy Act | Section 52 (Exercise of Rights by other persons) |
Nunavut | Access to Information and Protection of Privacy Act | Section 52 (Exercise of Rights by other persons) |
ELEMENT #5 - INFORMING PROSPECTIVE RESEARCH PARTICIPANTS ABOUT THE RESEARCH [Footnote 126] | ||
Jurisdiction | Legislation | Privacy Legislation Concordance and Selected Supplemental Requirements |
Federal | Personal Information Protection and Electronic Documents Act |
Schedule 1, 4.2 (Purpose for collection must be identified at the time of collection and must be documented) Schedule 1, 4.3.2 (Knowledge and consent) |
Privacy Act | Section 5(2) (Individual to be informed of purpose of collection) | |
British Columbia | Personal Information Protection Act | Sections 8(3), 10(1), 14 and 17 (Notice requirements for collection, use and disclosure) |
Freedom of Information and Protection of Privacy Act |
Section 27(2) (Information to be given regarding purposes for collection) Supplemental Requirement to CIHR Privacy Best Practices:
|
|
Alberta | Health Information Act |
Sections 21(2) and 22(3) (Information to be given regarding purposes for collection) Supplemental Requirement to CIHR Privacy Best Practices:
|
Personal Information Protection Act | Sections 8(3) and 13 (Notification requirements for collection, use and disclosure) | |
Freedom of Information and Protection of Privacy Act |
Section 34(2) (Information to be given regarding purpose for collection) Supplemental Requirement to CIHR Privacy Best Practices:
|
|
Municipal Government Act | __ | |
Saskatchewan | The Health Information Protection Act | Sections 6 and 9 (Individual must be informed of purposes for collection use, and disclosure of the individual's personal health information) |
The Freedom of Information and Protection of Privacy Act | Section 26(2) (Individual must be informed of the purposes for the collection) | |
The Local Authority Freedom of Information and Protection of Privacy Act |
Section 25(2) (Individual to be informed of purposes of collection) Section 57(l) (Lieutenant Governor in Council may make regulations prescribing any matter to be included in notice) |
|
Manitoba | The Personal Health Information Act | Section 15 (Notice of collection practices) |
The Freedom of Information and Protection of Privacy Act |
Section 37(2) (Individual must be informed of the purposes for the collection) Supplemental Requirement to CIHR Privacy Best Practices:
|
|
Ontario | Personal Health Information Protection Act | Section 18(5) and (6) (Knowledge of purposes of collection) |
Freedom of Information and Protection of Privacy Act |
Section 39(2) (Information to be given regarding purpose for collection) Supplemental Requirement to CIHR Privacy Best Practices:
|
|
Municipal Freedom of Information and Protection of Privacy Act |
Section 29(2) (Individual must be informed of primary purposes of collection) Supplemental Requirement to CIHR Best Practices:
|
|
Municipal Freedom of Information and Protection of Privacy Act, General Regulation |
Section 4(1) (When notice not required)
|
|
Quebec | An act respecting the protection of personal information in the private sector | Section 8 (Information to be given regarding purpose for collection) |
An act respecting access to documents held by public bodies and the protection of personal information |
Section 65 (Information to be given regarding purpose for collection) Supplemental Requirement to CIHR Privacy Best Practices:
|
|
Prince Edward Island | Freedom of Information and Protection of Privacy Act |
Section 32(2) (Right to be informed regarding purpose for collection) Supplemental Requirement to CIHR Privacy Best Practices:
|
Nova Scotia | Freedom of Information and Protection of Privacy Regulations |
Section 8 (Requirement before use) Supplemental Requirement to CIHR Privacy Best Practices:
|
Municipal Government Act | __ | |
New Brunswick | Protection of Personal Information Act | Schedule A, Principle 2 and Schedule B, section 2.1 (Purposes for collection must be identified) |
Newfoundland and Labrador | Access to Information and Protection of Privacy Act (Footnote 127) |
Section 33(2) (Information regarding purpose for collection) Supplemental Requirement to CIHR Privacy Best Practices:
|
Yukon | Access to Information and Protection of Privacy Act |
Section 30(2) (Information regarding purpose for collection) Supplemental Requirement to CIHR Privacy Best Practices:
|
Northwest Territories | Access to Information and Protection of Privacy Act |
Section 41(2) (Information regarding purpose for collection) Supplemental Requirement to CIHR Privacy Best Practices:
|
Nunavut | Access to Information and Protection of Privacy Act |
Section 41(2) (Information regarding purpose for collection) Supplemental Requirement to CIHR Privacy Best Practices:
|
ELEMENT #6 - RECRUITING PROSPECTIVE RESEARCH PARTICIPANTS | ||
Statutory Prohibitions to Secondary Use/Disclosure of Personal Information to Contact Individuals to Participate in Research (Footnote 128) | ||
Jurisdiction | Legislation | Privacy Legislation Concordance |
Federal | Personal Information Protection and Electronic Documents Act | __ |
Privacy Act | __ | |
British Columbia | Personal Information Protection Act | Section 21(b): An organization may disclose, without the consent of the individual, personal information for a research purpose if the disclosure is on condition that it will not be used to contact persons to ask them to participate in the research. |
Freedom of Information and Protection of Privacy Act | Section 35 (a.1): A public body may disclose personal information for a research purpose without the consent of the individual only if the information is disclosed on condition that it not be used for the purpose of contacting a person to participate in the research. | |
Alberta | Health Information Act | Section 55: If the researcher wishes to contact the individuals who are the subjects of the information disclosed for research purposes to obtain additional health information, the custodian or an affiliate of the custodian must first obtain consents from those individuals to their being contacted for that purpose. |
Personal Information Protection Act Regulation | Section 12(3)(d): If personal information is to be disclosed by an organization under a research agreement, the person to whom the information is to be disclosed must agree to not contact any individual to whom the information relates. | |
Freedom of Information and Protection of Privacy Regulation | Section 8(f): The agreement required by the Act for disclosure of personal information without consent of the individual for research purposes must include provision that recipient will not contact any individual to whom the personal information relates, directly or indirectly, without the prior written authority of the public body. | |
Municipal Government Act | __ | |
Saskatchewan | The Health Information Protection Act | __ |
The Freedom of Information and Protection of Privacy Act | __ | |
The Local Authority Freedom of Information and Protection of Privacy Act | __ | |
Manitoba | The Personal Health Information Act | Section 24(5): If a research project will require direct contact with individuals, a trustee must not disclose personal health information about those individuals without first obtaining their consent. Trustee need not obtain their consent if the information consists only of the individuals' names and addresses. |
The Freedom of Information and Protection of Privacy Act | __ | |
Ontario | Personal Health Information Protection Act | Section 44(6)(e): Researcher shall not make contact or attempt to make contact with the individual, directly or indirectly, unless the custodian obtains the individual's consent to being contacted. (Footnote 129) |
Freedom of Information and Protection of Privacy Act, General Regulation | Section 10(1)6: Before a head may disclose personal information for a research purpose to a person, that person must agree not to contact any individual to whom personal information relates, directly or indirectly, without the prior written authority of the institution. | |
Municipal Freedom of Information and Protection of Privacy Act | __ | |
Quebec | An act respecting the protection of personal information in the private sector | __ |
An act respecting access to documents held by public bodies and the protection of personal information | __ | |
Prince Edward Island | Freedom of Information and Protection of Privacy Act | __ |
Nova Scotia | Freedom of Information and Protection of Privacy Regulations | Section 9: Research agreement must contain condition that recipient not contact any individual to whom personal information relates, directly or indirectly, without the prior written authority of the public body. |
Municipal Government Act | __ | |
New Brunswick | Protection of Personal Information Act | __ |
Newfoundland and Labrador | Access to Information and Protection of Privacy Act | __ |
Yukon | Access to Information and Protection of Privacy Act | __ |
Northwest Territories | Access to Information and Protection of Privacy Regulations | Section 8: Research agreement must contain condition that the recipient must not contact any individual to whom the personal information relates, directly or indirectly, without the prior written authority of the public body. |
Nunavut | Access to Information and Protection of Privacy Regulations | Section 8: Research agreement must contain condition that the recipient must not contact any individual to whom the personal information relates, directly or indirectly, without the prior written authority of the public body. |
ELEMENT #7 - SAFEGUARDING PERSONAL DATA (Footnote 130, Footnote 131) | ||
Part 1 - General Safeguarding Requirements | ||
Jurisdiction | Legislation | Privacy Legislation Concordance and Selected Supplemental Requirements |
Federal | Personal Information Protection and Electronic Documents Act |
Schedule 1, 4.7 (Safeguards for protecting personal information) Schedule 1, 4.1.4 (Policies and practices to be implemented to protect personal information) |
Privacy Act | Section 62 (Security Requirements) | |
British Columbia | Personal Information Protection Act |
Section 5 (Policies and practices) Section 34 (Protection of personal information) |
Freedom of Information and Protection of Privacy Act |
Section 30 (Protection of personal information) Supplemental Requirements to CIHR Privacy Best Practices:
|
|
Alberta | Health Information Act |
Section 60 (Duty to protect health information) Section 63 (Duty to establish or adopt policies and procedures) |
Health Information Regulation |
Section 8 (Record of safeguards to be maintained) Supplemental Requirements to CIHR Privacy Best Practices:
|
|
Personal Information Protection Act |
Section 6 (Policies and practice) Section 34 (Protection of information) |
|
Freedom of Information and Protection of Privacy Act |
Section 38 (Protection of personal information) Sections 40(1)(h) and (i) and 40(4) (Authorization to disclose personal information to officers and employees for purposes of carrying out their functions) |
|
Municipal Government Act | __ | |
Saskatchewan | The Health Information Protection Act |
Section 16 (Duty to protect) Section 23 (Collection, use and disclosure on a need-to-know basis) Supplemental Requirement to CIHR Privacy Best Practices:
|
The Freedom of Information and Protection of Privacy Act | __ | |
The Local Authority Freedom of Information and Protection of Privacy Act | __ | |
Manitoba | The Personal Health Information Act |
Sections 18 and 19 (Security Safeguards) Section 20(3) (Limitation on trustee's employees) |
Personal Health Information Regulation |
Section 2 (Written security policy and procedure) Section 3 (Access restrictions and other precautions) Section 4 (Additional safeguards for electronic health information systems) Section 5 (Authorized access for employees and agents) Section 6 (Orientation and training for employees) Section 7 (Pledge of confidentiality for employees) Section 8 (Audit) Supplemental Requirements to CIHR Privacy Best Practices:
|
|
The Freedom of Information and Protection of Privacy Act | Section 41 (Protection of personal information) | |
Ontario | Personal Health Information Protection Act |
Section 10 (Information Practices) Section 12 (Security) Section 13 (Handling of Records) Supplemental Requirements to CIHR Privacy Best Practices:
|
Personal Health Information Protection Act, General Regulation |
Section 6(3) (Prescribed requirements for health information network provider.) Supplemental Requirements to CIHR Privacy Best Practices:
|
|
Freedom of Information and Protection of Privacy Act, General Regulation | Section 4 (Measures to protect records) | |
Municipal Freedom of Information and Protection of Privacy Act | __ | |
Quebec | An act respecting the protection of personal information in the private sector |
Section 10 (Safety measures) Section 20 (Authorized employee access to personal information without consent for the performance of duties of employees) |
An act respecting access to documents held by public bodies and the protection of personal information |
Section 62 (Authorization to receive personal information for the discharge of duties) Section 76 (Declaration to the Commission required when establishing a file on individual) Supplemental Requirement to CIHR Privacy Best Practices:
|
|
Prince Edward Island | Freedom of Information and Protection of Privacy Act |
Section 35 (Protection of personal information) Section 37(1)(g) and (g.1) (Authorization to disclose personal information to officers and employees for purposes of carrying out their functions) |
Nova Scotia | Freedom of Information and Protection of Privacy Act |
Section 24(3) (Treatment of personal information) Section 27(f) (Authorization to disclose personal information to officers and employees for purposes of carrying out their functions) |
Municipal Government Act | __ | |
New Brunswick | Protection of Personal Information Act | Schedule A and B, Principle 7 (Safeguards) |
Newfoundland and Labrador | Access to Information and Protection of Privacy Act (Footnote 135) |
Section 36 (Protection of personal information) Section 39(1)(f) (Authorization to disclose personal information to officers and employees for purposes of carrying out their functions) Section 51(e) (Commissioner's power to comment on privacy implications of using information technology in the storage of personal information) |
Yukon | Access to Information and Protection of Privacy Act |
Section 33 (Protection of Personal Information) Section 36(1)(f) (Authorization to disclose personal information to officers and employees for purposes of carrying out their functions) |
Northwest Territories | Access to Information and Protection of Privacy Act |
Section 42 (Protection of Personal Information) Section 48(k) (Authorization to disclose personal information to officers and employees for purposes of carrying out their functions) |
Access to Information and Protection of Privacy Regulations | Section 6 (Disclosure to employees and service providers) | |
Nunavut | Access to Information and Protection of Privacy Act |
Section 42 (Protection of Personal Information) Section 48(k) (Authorization to disclose personal information to officers and employees for purposes of carrying out their functions) |
Access to Information and Protection of Privacy Regulations | Section 6 (Disclosure to employees and service providers) |
ELEMENT #7 - SAFEGUARDING PERSONAL DATA | ||
Part 2 - Requirement for a Privacy Impact Assessment (Footnote 136) | ||
Jurisdiction | Legislation | Privacy Legislation Concordance |
Federal | Personal Information Protection and Electronic Documents Act | __ |
Privacy Act | __ | |
British Columbia | Personal Information Protection Act | __ |
Freedom of Information and Protection of Privacy Act | Section 69(5): Public bodies which are ministries (i.e., excludes regional health authorities and hospitals) are required to conduct a privacy impact assessment for all new enactments, systems, projects or programs to determine whether the requirements of the Act are met. The privacy impact assessment must be conducted in accordance with the process/tool referenced in Schedule A attached hereto. | |
Alberta | Health Information Act |
Sections 64, 70(2) and (3) and 71(2) and (3): Each custodian must prepare a privacy impact assessment and must submit it to the Information and Privacy Commissioner for review and comment before implementing any proposed administrative practices and information systems or any proposed change to any such existing practices and systems in accordance with the privacy impact assessment tool referenced in Schedule A attached hereto. Section 46(5) (Requirement for the Department to conduct a privacy impact assessment in certain situations) |
Personal Information Protection Act | __ | |
Freedom of Information and Protection of Privacy Act | __ | |
Municipal Government Act | __ | |
Saskatchewan | The Health Information Protection Act | __ |
The Freedom of Information and Protection of Privacy Act | __ | |
The Local Authority Freedom of Information and Protection of Privacy Act | __ | |
Manitoba | The Personal Health Information Act | __ |
The Freedom of Information and Protection of Privacy Act | __ | |
Ontario | Personal Health Information Protection Act | __ |
Personal Health Information Protection Act, General Regulation | Section 6(3) subparagraph 5: A person who provides goods or services for the purpose of enabling a custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall perform, and provide to each applicable health information custodian a written copy of the results of, an assessment of the services provided to the health information custodians, with respect to, (i) threats, vulnerabilities and risks to the security and integrity of the personal health information, and (ii) how the services may affect the privacy of the individuals who are the subject of the information. | |
Freedom of Information and Protection of Privacy Act | __ | |
Municipal Freedom of Information and Protection of Privacy Act | __ | |
Quebec | An act respecting the protection of personal information in the private sector | __ |
An act respecting access to documents held by public bodies and the protection of personal information | __ | |
Prince Edward Island | Freedom of Information and Protection of Privacy Act | __ |
Nova Scotia | Freedom of Information and Protection of Privacy Act | __ |
New Brunswick | Protection of Personal Information Act | __ |
Newfoundland and Labrador | Access to Information and Protection of Privacy Act (Footnote 137, Footnote 138) | __ |
Yukon | Access to Information and Protection of Privacy Act | __ |
Northwest Territories | Access to Information and Protection of Privacy Act | __ |
Nunavut | Access to Information and Protection of Privacy Act | __ |
Schedule A
Jurisdiction | Privacy Impact Assessment Tools |
Federal | Treasury Board of Canada Secretariat - Privacy Impact Assessment Policy |
British Columbia | Ministry of Management Services for British Columbia, Information Policy and Privacy Branch - Privacy Impact Assessment (PIA) Process |
Alberta | Information and Privacy Commissioner of Alberta - Privacy Impact Assessment: Instructions and Annotated Questionnaire [ PDF (335 KB) ] |
Saskatchewan | Office of the Saskatchewan Information and Privacy Commissioner - Privacy Impact Assessment (Short Form) [PDF (93 KB) ] |
Manitoba |
Ombudsman Manitoba, Access and Privacy Division - Privacy Compliance Tool Checklist [ PDF (9,27 KB) ] Manitoba Health - Privacy Impact Assessment (PIA) Guide (Not available on-line) |
Ontario |
Information and Privacy Commissioner/Ontario - Privacy Diagnostic Tool (PDT) Workbook [ PDF (222 KB) ] Management Board of Cabinet - Privacy Impact Assessment Guidelines |
Quebec | Ministère des Relations avec les citoyens et de L'immigration (Québec) - Modèle de pratiques de protection des renseignements personnels - dans le contexte du développement des systèmes d'information par les organismes publics [ PDF (335 KB) ] |
Prince Edward Island | N/A |
Nova Scotia | N/A |
New Brunswick | N/A |
Newfoundland and Labrador |
Office of the Information and Privacy Commissioner for Newfoundland and Labrador - Privacy Audit, A Compliance Review Tool Centre for Health Information - Privacy Impact Assessment for Researchers [ PDF ] |
Yukon | N/A |
Northwest Territories | N/A |
Nunavut | N/A |
ELEMENT #8 - CONTROLLING ACCESS AND DISCLOSURE OF PERSONAL DATA | ||
Part 1 - Specific Data Matching/Linkage Provisions (Footnote 139) | ||
Jurisdiction | Legislation | Privacy Legislation Concordance |
Federal | Personal Information Protection and Electronic Documents Act | __ |
Privacy Act | __ | |
British Columbia | Personal Information Protection Act | Section 21 - Any linkage of personal information to other information must not be harmful to the individuals and the benefits to be derived from the linkage must clearly be in the public interest. |
Freedom of Information and Protection of Privacy Act | Section 35 - Any record linkage must not be harmful to the individuals and the benefits to be derived from the record linkage must clearly be in the public interest. | |
Alberta | Health Information Act |
Section 1(1)(g) (Definition of "data matching") (Footnote 140) Section 68 (General prohibition on data matching) Section 69 (Permitted data matching by custodians) Section 70 (Data matching between custodians; privacy impact assessment required) Sections 71 and 32 (Data matching between custodians and non-custodians; privacy impact assessment required; obligation to notify Privacy Commissioner) Section 72 (Data matching for research; obligation to comply with provisions regarding disclosure for research purposes without consent (sections 48-56)) Section 107(5) (Offence to fail to notify Commissioner) |
Personal Information Protection Act | __ | |
Freedom of Information and Protection of Privacy Act | Section 42(b) - Record linkages cannot be harmful to the individuals the information is about and the benefits to be derived from the linkage must be clearly in the public interest | |
Municipal Government Act | __ | |
Saskatchewan | The Health Information Protection Act | __ |
The Freedom of Information and Protection of Privacy Act | __ | |
The Local Authority Freedom of Information and Protection of Privacy Act | __ | |
Manitoba | The Personal Health Information Act | __ |
The Freedom of Information and Protection of Privacy Act |
Section 46 - Approval must be obtained from head of the public body to use or disclose personal information for linking or matching purposes. The head may have to refer the proposal to the review committee for advice. Section 47(4) - Any information linkage must not be likely to harm individuals and benefits to be derived from research and any information linkage must clearly be in the public interest. |
|
Ontario | Personal Health Information Protection Act, General Regulation | Section 16(3) - A research plan must include a description of how personal health information will be used in the research, and if it will be linked to other information, a description of the other information as well as how the linkage will be done. |
Freedom of Information and Protection of Privacy Act | __ | |
Municipal Freedom of Information and Protection of Privacy Act | __ | |
Quebec | An act respecting the protection of personal information in the private sector | __ |
An act respecting access to documents held by public bodies and the protection of personal information |
Section 68.1 (Permitted data matching/Requirement for written agreement) Section 69 (Obligation to maintain confidentiality) Section 70 (Submission of data matching agreements to Commission/ Public body; Tabling of agreement in National Assembly; Obligation to publish in Gazette) |
|
Prince Edward Island | Freedom of Information and Protection of Privacy Act | Section 39(b) - Record linkages cannot be harmful to the individuals the information is about and the benefits to be derived from the linkage must be clearly in the public interest. |
Nova Scotia | Freedom of Information and Protection of Privacy Act | Section 29(b) - Record linkages cannot be harmful to the individuals the information is about and the benefits to be derived from the linkage must be clearly in the public interest. |
Municipal Government Act | Section 485(4)(b) - Record linkages cannot be harmful to the individuals the information is about and the benefits to be derived from the linkage must be clearly in the public interest. | |
New Brunswick | Protection of Personal Information Act | __ |
Newfoundland and Labrador | Access to Information and Protection of Privacy Act (Footnote 141) |
Section 41 - Record linkages cannot be harmful to the individuals the information is about and the benefits to be derived from the linkage must be clearly in the public interest. Section 51(e) - Commissioner may comment on implications for protection of privacy of using or disclosing personal information for record linkage. |
Yukon | Access to Information and Protection of Privacy Act | Section 38 - Record linkages cannot be harmful to the individuals the information is about and the benefits to be derived from the linkage must be clearly in the public interest. |
Northwest Territories | Access to Information and Protection of Privacy Act | Section 49 - Record linkages cannot be harmful to the individuals the information is about and the benefits to be derived from the linkage must be clearly in the public interest |
Nunavut | Access to Information and Protection of Privacy Act | Section 49 - Record linkages cannot be harmful to the individuals the information is about and the benefits to be derived from the linkage must be clearly in the public interest |
ELEMENT #8 - CONTROLLING ACCESS AND DISCLOSURE OF PERSONAL DATA | ||
Part 2 - Data-sharing Agreements for Research Purposes (Footnote 142) | ||
Jurisdiction | Legislation | Privacy Legislation Concordance and Selected Supplemental Requirements |
Federal | Personal Information Protection and Electronic Documents Act | Schedule 1, 4.1.3 (Organization must use contractual means to provide for comparable level of protection when personal information is being processed by a third party) |
Privacy Act | Section 8(2)(j) (Requirement and content of data sharing agreements) | |
British Columbia | Personal Information Protection Act |
Section 21(1) (Requirement and content of data sharing agreements) Supplemental Requirement to CIHR Privacy Best Practices:
|
Freedom of Information and Protection of Privacy Act |
Section 35 (Requirement and content of data sharing agreements) Supplemental Requirement to CIHR Privacy Best Practices:
|
|
Alberta | Health Information Act |
Section 54(1) (Agreement between researcher and custodian) Supplemental Requirement to CIHR Privacy Best Practices:
|
Health Information Regulation | Section 8(4) (Additional requirements when health information is used or disclosed outside Alberta) | |
Personal Information Protection Act Regulation |
Sections 12(2), 12(3) and 14(3) (Requirement and content of data sharing agreement) Supplemental Requirement to CIHR Privacy Best Practices:
|
|
Freedom of Information and Protection of Privacy Act | Section 42 (Requirement for data sharing agreement) | |
Freedom of Information and Protection of Privacy Regulation |
Section 8 (Content of data sharing agreement) Supplemental Requirement to CIHR Privacy Best Practices:
|
|
Municipal Government Act | __ | |
Saskatchewan | The Health Information Protection Act | Section 29(1) (Requirement and content of data sharing agreements) |
The Freedom of Information and Protection of Privacy Act | Section 29(2)(k) (Requirement for data sharing agreements) | |
The Local Authority Freedom of Information and Protection of Privacy Act | __ | |
Manitoba | The Personal Health Information Act | Section 24(4) (Requirement and content of data sharing agreement) |
Personal Health Information Regulation | Section 8.3 (Content of data sharing agreements) | |
The Freedom of Information and Protection of Privacy Act | Section 47(4)(c) and (d) (Requirement for data sharing agreements) | |
Ontario | Personal Health Information Protection Act | Section 44(1) and (5) (Requirement for data sharing agreements) |
Freedom of Information and Protection of Privacy Act, General Regulation | Section 10 (Content of data sharing agreements) | |
Municipal Freedom of Information and Protection of Privacy Act | __ | |
Quebec | An act respecting the protection of personal information in the private sector | Section 21 (No requirement for data sharing agreement although the Commission may impose conditions on disclosure of information for research purposes) |
An act respecting access to documents held by public bodies and the protection of personal information | Section 125 (No requirement for data sharing agreement although the Commission may impose conditions on disclosure of information for research purposes) | |
Prince Edward Island | Freedom of Information and Protection of Privacy Act | Section 39 (Requirement for data sharing agreements - no content specified) |
Nova Scotia | Freedom of Information and Protection of Privacy Act | Section 29 (Requirement for data sharing agreements - no content specified) |
Freedom of Information and Protection of Privacy Regulations |
Section 9 (Content of data sharing agreement) Supplemental Requirement to CIHR Privacy Best Practices:
|
|
Municipal Government Act | __ | |
New Brunswick | Protection of Personal Information Act | __ |
Newfoundland and Labrador | Access to Information and Protection of Privacy Act | Section 41 (Requirement for data sharing agreements) |
Yukon | Access to Information and Protection of Privacy Act | Section 38 (d) (Requirement for data sharing agreements) |
Northwest Territories | Access to Information and Protection of Privacy Act | Section 49 (c) and (d) (Requirement for data sharing agreements) |
Access to Information and Protection of Privacy Regulations |
Section 8 (Content of data sharing Agreements) Supplemental Requirement to CIHR Privacy Best Practices:
|
|
Nunavut | Access to Information and Protection of Privacy Act | Section 49(c) and (d) (Requirement for data sharing agreements) |
Access to Information and Protection of Privacy Regulations |
Section 8 (Content of data sharing Agreements) Supplemental Requirement to CIHR Privacy Best Practices:
|
ELEMENT #9 - SETTING REASONABLE LIMITS ON RETENTION OF PERSONAL DATA | ||
Retention and Destruction of Personal Information (Footnote 143, Footnote 144) | ||
Jurisdiction | Legislation | Privacy Legislation Concordance and Selected Supplemental Requirements |
Federal | Personal Information Protection and Electronic Documents Act |
Schedule 1, 4.5, 4.5.2 and 4.5.3 (Limiting use, disclosure and retention) Supplemental Requirements to CIHR Privacy Best Practices: Data retention guidelines should include minimum and maximum retention periods. |
Privacy Act | Section 6 (Retention of personal information used for an administrative purpose) | |
Privacy Act Privacy Regulations |
Section 4 (Retention of personal information that has been used by a government institution for an administrative purpose) Supplemental Requirements to CIHR Privacy Best Practices: Personal Information shall be retained (a) for at least two years following the last time the personal information was used for an administrative purpose unless the individual consents to its disposal and (b) where a request for access to the information has been received, until such time as the individual has had the opportunity to exercise all his rights under the Act. However, the information may be destroyed in an emergency in order to prevent the removal of the information from the control of the institution (section 4). A copy of every request for access received as well as a record of any information disclosed pursuant to such a request must be maintained for a period of 2 years following the date of the request (section 7). |
|
British Columbia | Personal Information Protection Act |
Section 35 (Retention of personal information) Supplemental Requirements to CIHR Privacy Best Practices: If an individual's personal information is being used to make a decision that directly affects the individual, the information must be retained for at least one year. |
Freedom of Information and Protection of Privacy Act |
Section 31 (Retention of personal information) Supplemental Requirements to CIHR Privacy Best Practices: If an individual's personal information is being used to make a decision that directly affects the individual, the information must be retained for at least one year. |
|
Alberta | Health Information Act |
Section 3 (Storage and Destruction, Other Enactments) Section 41 (Maintaining certain disclosure information) Section 60(2)(b) (Safeguards for proper disposal) Supplemental Requirements to CIHR Privacy Best Practices: A custodian that discloses a record containing individually identifying diagnostic, treatment and care information must retain that information for a period of 10 years following the date of the disclosure (section 41(2)). |
Personal Information Protection Act | Section 35 (Retention of information) | |
Freedom of Information and Protection of Privacy Act |
Section 35 (Accuracy and retention) Supplemental Requirements to CIHR Privacy Best Practices: If an individual's personal information is being used to make a decision that directly affects the individual, the information must be retained for at least one year or such shorter time as approved by the individual in writing, the public body and the body that approved the retention and disposition schedule if applicable. |
|
Municipal Government Act |
Sections 214(2) and (3) (Destruction of records) Supplemental Requirements to CIHR Privacy Best Practices:
|
|
Saskatchewan | The Health Information Protection Act | Section 17 (Retention and destruction policy) |
The Freedom of Information and Protection of Privacy Act | __ | |
The Local Authority Freedom of Information and Protection of Privacy Act | __ | |
Manitoba | The Personal Health Information Act |
Section 17 (Retention and destruction of information) Supplemental Requirements to CIHR Privacy Best Practices:
|
Personal Health Information Regulations | Section 2 (Written policy to be established) | |
The Freedom of Information and Protection of Privacy Act |
Section 40 (Retention of information) Supplemental Requirement to CIHR Privacy Best Practices: If personal information about an individual is used to make a decision that affects the individual, the public body must establish and comply with a written policy concerning the retention of the personal information (subsections 40(1) and (2)). |
|
Ontario | Personal Health Information Protection Act |
Section 13 (Handling of records) Supplemental Requirement to CIHR Privacy Best Practices: Information shall be retained for as long as necessary to allow the individual to exhaust any recourse under the Act where a request for access has been made. |
Freedom of Information and Protection of Privacy Act |
Section 40(1) (Retention of personal information) Section 40(4) (Disposal of personal information) |
|
Freedom of Information and Protection of Privacy Act, General Regulations |
Section 5 (Retention) Supplemental Requirements to CIHR Privacy Best Practices:
|
|
Freedom of Information and Protection of Privacy Act, Disposal of Personal Information Regulation |
Sections 2 to 6 (Disposal of personal information) Supplemental Requirements to CIHR Privacy Best Practices:
|
|
Municipal Freedom of Information and Protection of Privacy Act |
Section 30(1) (Retention of personal information) Section 30(4) (Disposal of personal information) |
|
Municipal Freedom of Information and Protection of Privacy Act, General Regulation |
Section 5 (Retention of personal information) Supplemental Requirement to CIHR Privacy Best Practices: Personal information to be retained for the shorter of one year after use or the period set out in a by-law or resolution made by the institution or made by another institution affecting the institution, unless the individual to whom the information relates consents to its earlier disposal. |
|
Quebec | An act respecting the protection of personal information in the private sector |
Section 12 (Use of file) Section 36 (Retention where request for access or rectification has been denied) |
An act respecting access to documents held by public bodies and the protection of personal information |
Section 73 (Destruction) Supplemental Requirement to CIHR Privacy Best Practices:
|
|
Prince Edward Island | Freedom of Information and Protection of Privacy Act |
Section 33 (Retention when information is used to make a decision) Supplemental Requirement to CIHR Privacy Best Practices:
|
Nova Scotia | Freedom of Information and Protection of Privacy Act |
Section 24(4) (Treatment of personal information) Supplemental Requirement to CIHR Privacy Best Practices:
|
Municipal Government Act |
Section 483(4) (Retention of personal information) Supplemental Requirement to CIHR Privacy Best Practices:
|
|
New Brunswick | Protection of Personal Information Act | Schedule A, Principle 5 and Schedule B, Principle 5 (Limiting use, disclosure and retention) |
Newfoundland | Access to Information and Protection of Privacy Act [Footnote 145] |
Section 37 (Retention of personal information) Supplemental Requirement to CIHR Privacy Best Practices:
|
Yukon | Access to Information and Protection of Privacy Act |
Section 34 (Retention of personal information) Supplemental Requirement to CIHR Privacy Best Practices:
|
Northwest Territories | Access to Information and Protection of Privacy Act |
Section 44 (Duties of public body) Supplemental Requirement to CIHR Privacy Best Practices:
|
Nunavut | Access to Information and Protection of Privacy Act |
Section 44 (Duties of public body) Supplemental Requirement to CIHR Privacy Best Practices:
|
ELEMENT #10 - ENSURING ACCOUNTABILITY AND TRANSPARENCY IN THE MANAGEMENT OF PERSONAL DATA | ||
Part 1 - Accountability and Transparency [Footnote 146] | ||
Jurisdiction | Legislation | Privacy Legislation Concordance |
Federal | Personal Information Protection and Electronic Documents Act |
Schedule 1, 4.1 (Accountability) Schedule 1, 4.8 (Openness) |
Privacy Act | Sections 10 and 11 (Obligations regarding personal information banks) | |
British Columbia | Personal Information Protection Act |
Section 4 (Compliance with the Act) Section 5 (Policies and Procedures) |
Freedom of Information and Protection of Privacy Act |
Section 2 (Purposes of this Act) Section 69(2) and (3) (Personal information directory of ministries) Section 69(5) (Duty of a ministry to prepare privacy impact assessment) Section 69(6) (Directory of personal information banks to be maintained by public body that is not a ministry) Section 70 (Policy manuals to be made available) |
|
Alberta | Health Information Act |
Section 2 (Purposes of the Act) Section 62 (Duty to identify responsible affiliate) Section 63 (Duty to establish or adopt policies and procedures) Section 64 (Duty to prepare privacy impact assessment) Section 66(6) (Accountability for information disclosed to an information manager) |
Health Information Regulation |
Section 8(2) (Designating responsible individual) Section 8(6) (Custodian responsible for affiliates' compliance) |
|
Personal Information Protection Act |
Section 5 (Compliance with Act) Section 6 (Policies and Procedures) |
|
Freedom of Information and Protection of Privacy Act |
Section 2 (Purposes of this Act) Section 87 (Directory of public bodies) Section 87.1 (Directory of personal information banks) Section 88 (Records available without request) Section 89 (Access to manuals) |
|
Municipal Government Act | __ | |
Saskatchewan | The Health Information Protection Act |
Preamble (Accountability obligations) Section 9 (Right to be informed) |
Freedom of Information and Protection of Privacy Act |
Section 64 (Directory to be produced) Section 65 (Access to manuals) |
|
Local Authority Freedom of Information and Protection of Privacy Act | Section 53 (Directory of local authorities including place at which applications for access to records should be made for each) | |
Manitoba | The Personal Health Information Act |
Section 2 (Purposes of this Act) Section 25(5) (Information transferred to information manager for processing deemed to be maintained by the transferring trustee) |
Personal Health Information Regulation |
Section 2 (Written security policy and procedures) Section 6 (Orientation and training of employees) |
|
The Freedom of Information and Protection of Privacy Act |
Section 2 (Purposes of this Act) Sections 75(1) and (2) (Directory to be maintained) Section 75(3) (Obligations regarding personal information bank) Section 76 (Records to be made available) |
|
Ontario | Personal Health Information Protection Act [Footnote 147] |
Section 10 (Information Practices) Sections 15 to 17 (Accountability and Openness) |
Personal Health Information Protection Act, General Regulation |
Sections 6(3) subparagraph 2 (Health information network provider to provide plain language description of services provided and safeguards in place to protect against unauthorized use and disclosure) Sections 6(3) subparagraph 3 (Information to be made available to the public by health information network provider) Sections 6(3) subparagraph 4 (Information to be made available to health information custodians) Sections 6(3) subparagraph 5 (Health information network provider to perform assessment of risks to security and integrity of personal health information in providing services and detailing effect on privacy) |
|
Freedom of Information and Protection of Privacy Act |
Sections 31 to 36 (Information to be published or available) Sections 44 to 46 (Obligations regarding Personal Information Banks) |
|
Municipal Freedom of Information and Protection of Privacy Act |
Section 1 (Purposes of this Act) Section 24 (Publications of information re institutions) Section 25 (Information available for inspection) Section 26 (Head shall make annual report) Section 34 (Obligations re personal information bank index) |
|
Municipal Freedom of Information and Protection of Privacy Act, General Regulation | Section 4(2) (Where notice re collection of personal information has not been given, the head shall make available for public inspection a statement describing the purpose of the collection of personal information and the reason that notice has not been given) | |
Quebec | An act respecting the protection of personal information in the private sector | Section 17 (Accountability for information disclosed outside Quebec) |
An act respecting access to documents held by public bodies and the protection of personal information |
Section 67.3 (Register to be kept of every disclosure of personal information) Section 71 (Personal information files must be established) Section 76 (Declaration to the Commission required when establishing a file on individual) |
|
Prince Edward Island | Freedom of Information and Protection of Privacy Act |
Section 2 (Purposes of this Act) Section 73 (Records available without request) |
Nova Scotia | Freedom of Information and Protection of Privacy Act |
Section 2 (Purposes of this Act) Section 48 (Directory respecting records of public body) |
Municipal Government Act | Section 462 (Purpose of this Part) | |
New Brunswick | Protection of Personal Information Act |
Schedule A, Principle 1 (Accountability) Schedule A, Principle 8 (Openness) |
Newfoundland and Labrador | Access to Information and Protection of Privacy Act [Footnote 148] |
Section 3 (Purpose) Section 67(1)(c) (Designation and delegation by the head of public body) Section 69 (Directory of information) |
Yukon | Access to Information and Protection of Privacy Act |
Section 1(1) (Purpose of the Act) Section 63 (Information Directory) Section 64 (Records available without request) |
Northwest Territories | Access to Information and Protection of Privacy Act |
Section 1 (Purpose of this Act) Section 70 (Directory of public bodies and records) Section 71 (Policy manuals must be made available to the public) Section 72 (Records available without request) |
Nunavut | Access to Information and Protection of Privacy Act |
Section 1 (Purpose of this Act) Section 70 (Directory of public bodies and records) Section 71 (Policy manuals must be made available to the public) Section 72 (Records available without request) |
ELEMENT #10 - ENSURING ACCOUNTABILITY AND TRANSPARENCY IN THE MANAGEMENT OF PERSONAL DATA | ||
Part 2 - Statutory References to Research Ethics Board [Footnote 149] | ||
Jurisdiction | Legislation | Privacy Legislation Concordance |
Federal | Personal Information Protection and Electronic Documents Act | __ |
Privacy Act | __ | |
British Columbia | Personal Information Protection Act | __ |
Freedom of Information and Protection of Privacy Act | __ | |
Alberta | Health Information Act |
Section 27(1)(d) (Approval of Ethics Committee) [Footnote 150] Section 50 (Role of Ethics Committee) |
Personal Information Protection Act Regulation | Section 14(3) (Approval of Research Ethics Review Committee) | |
Freedom of Information and Protection of Privacy Act | __ | |
Municipal Government Act | __ | |
Saskatchewan | The Health Information Protection Act | Section 29(2)(ii) (Approval of research ethics committee) |
The Freedom of Information and Protection of Privacy Act | __ | |
The Local Authority Freedom of Information and Protection of Privacy Act | __ | |
Manitoba | The Personal Health Information Act | Section 24 (Approval of health information privacy committee and institutional research review committee) |
Personal Health Information Regulation | Section 8.1 (Functions of health information privacy committee) | |
The Freedom of Information and Protection of Privacy Act | __ | |
Ontario | Personal Health Information Protection Act |
Section 44(1) (Approval of Research Ethics Board) Section 44(3) and (4) (Considerations and Decisions of Research Ethics Board) |
Freedom of Information and Protection of Privacy Act | __ | |
Municipal Freedom of Information and Protection of Privacy Act | __ | |
Quebec [Footnote 151] | An act respecting the protection of personal information in the private sector | __ |
An act respecting access to documents held by public bodies and the protection of personal information | __ | |
Prince Edward Island | Freedom of Information and Protection of Privacy Act | __ |
Nova Scotia | Freedom of Information and Protection of Privacy Act | __ |
Municipal Government Act | __ | |
New Brunswick | Protection of Personal Information Act | __ |
Newfoundland and Labrador | Access to Information and Protection of Privacy Act [Footnote 152] | __ |
Yukon | Access to Information and Protection of Privacy Act | __ |
Northwest Territories | Access to Information and Protection of Privacy Act | __ |
Nunavut | Access to Information and Protection of Privacy Act | __ |