Save the Date –Top of Mind webinar -privacy commissioners from across Canada – January 31 noon Eastern

Consultation – federal Directive on Automated Decision Making

Life Labs investigation report, Ontario and BC

Privacy cases summarized – Osler, Hoskin & Harcourt

Ontario’s IPC has podcast on indigenous data prospectives

Canada’s privacy Commissioner investigates CRA

Ontario IPC issues digital charter for schools

Blog

Research: post pandemic (updated)

October 17, 2023 - Ron Kruzeniski, Information and Privacy Commissioner

As I listen to the news, my head keeps telling me there will be many opportunities and much interest in researching many and varied aspects of this world pandemic. I expect there will also be interest on the part of Saskatchewan researchers.

The law is VERY CLEAR that researchers can ask public bodies for de-identified information. Each public body has to decide how much information it will provide; that is a policy decision. Those public bodies under privacy legislation are allowed to provide de-identified information.

What is de-identified information? It is the information without your or my name, address, or any unique identifier such as the individual’s Social Insurance Number (SIN) or Health Services Number (HSN). For example, subsection 3(2)(a) of The Health Information Protection Act (HIPA) states that it does not apply to statistical information or de-identified personal health information that cannot reasonably be expected, either by itself or when combined with other information available to the person who receives it, to enable the subject individuals to be identified. A public body can provide all the information that does not identify you or me.

If the health trustee or the researcher has the consent of the individuals to use their personal health information, then that is the best way to go. In many cases, that won’t be possible. Either the health trustee did not obtain consent to research or there are thousands and thousands of records and getting consent would not be possible.

If research is being done in such a way that it requires information from two sources and the name, SIN or HSN are sought to connect the information of an individual; that presents a challenge. The Data Matching Agreements Act is not yet proclaimed. Nonetheless, The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and HIPA have always authorized use and disclosure of personal information or personal health information for legitimate research purposes in the public interest. The best-case scenario, and for research at the population level, de-identified data should be used and should suffice for those purposes.

However, those same laws provide for the use of identifiable data when appropriate, but I must emphasize the need for written agreements to ensure that data is protected. This rigour is necessary to ensure data is used from one or multiple sources that what is provided is used as intended and protected throughout the process.

I note section 29 of HIPA, requires all research projects where personal health information is used or disclosed by a trustee, must be approved by a research ethics committee that has been approved by the Saskatchewan Minister of Health. If a research ethics committee is small and nimble it should never be a barrier to good research.

I have heard that some say “privacy” is a barrier to research. I do not believe or accept that point of view. That is why I wrote this blog to show that good research can continue and the barriers to obtaining the data should be minimal. If public bodies are citing “privacy” as the problem, they are giving the wrong reason and it just might be they don’t want to provide the information or to cooperate. Privacy is not the barrier.

Categories: BlogTags:

Back to Blog