Federal Privacy Commissioner on Bill c-27 news release.

Report into the 2021 cyber attack on Newfoundland health information systems released.

Privacy Commissioner of Canada announced his office is launching a joint investigation into OpenAI

Federal Privacy Commissioner launches new guidance on workplace privacy

Cybersecurity: Best Practices for Setting Up a Security Operations Centre

Alberta IPC finds risk of significant harm from stolen server.

Updates to Chapter 3 for the Guide to FOIP and the Guide to LA FOIP are now available!

Steps for effectively deploying multi-factor authentication.

Concerns about AI

Federal Privacy Commissioner issued updated guidance on privacy in the work place


Research: post pandemic

April 16, 2020 - Ron Kruzeniski, Information and Privacy Commissioner

As I listen to the news, my head keeps telling me there will be many opportunities and much interest in researching many and varied aspects of this world pandemic. I expect there will also be interest on the part of Saskatchewan researchers. Maybe some have started, but I expect as soon as things return to normal, researchers will ramp up research projects and be wanting personal information and personal health information.

The law is VERY CLEAR that researchers can ask public bodies for de-identified information. Each public body has to decide how much information it will provide; that is a policy decision. Those public bodies under privacy legislation are allowed to provide de-identified information.

What is de-identified information? It is the information without your or my name, address, or any unique identifier such as the individual’s Social Insurance Number (SIN) or Health Services Number (HSN). For example, subsection 3(2)(a) of The Health Information Protection Act (HIPA) states that it does not apply to statistical information or de-identified personal health information that cannot reasonably be expected, either by itself or when combined with other information available to the person who receives it, to enable the subject individuals to be identified. A public body can provide all the information that does not identify you or me.

If the health trustee or the researcher has the consent of the individuals to use their personal health information, then that is the best way to go. In many cases, that won’t be possible. Either the health trustee did not obtain consent to research or there are thousands and thousands of records and getting consent would not be possible.

If research is being done in such a way that it requires information from two sources and the name, SIN or HSN are sought to connect the information of an individual; that presents a challenge. The Data Matching Agreements Act is not yet proclaimed. Nonetheless, The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and HIPA have always authorized use and disclosure of personal information or personal health information for legitimate research purposes in the public interest. The best case scenario, and for research at the population level, de-identified data should be used and should suffice for those purposes. However, those same laws provide for the use of identifiable data when appropriate, but I must emphasize the need for written agreements to ensure that data is protected. This rigour is necessary to ensure that if data is used from one or multiple sources that what is provided is used as intended and protected throughout the process.

I note section 29 of HIPA, requires all research projects where personal health information is used or disclosed by a trustee, must be approved by a research ethics committee that has been approved by the Saskatchewan Minister of Health. If a research ethics committee is small and nimble it should never be a barrier to good research.

I have heard that some say “privacy” is a barrier to research. I do not believe or accept that point of view. That is why I wrote this blog to show that good research can continue and the barriers to obtaining the data should be minimal. If public bodies are citing “privacy” as the problem, they are giving the wrong reason and it just might be they don’t want to provide the information or to cooperate. Privacy is not the barrier.


Categories: BlogTags:

Back to Blog