Disclosure for health research
Privacy impact assessment (PIA) summary
Overview
Researchers within the Research Branch of Correctional Service Canada (CSC) routinely access and use offenders' personal information (PI) for research, in accordance with CSC's mandate, policies and directives. Recently, there has been interest in partnering with external organizations that conduct research outside of federal departments and agencies. Specifically, this partnering would involve disclosure of PI about offenders to research institutions that have authorization to use provincial/territorial health administrative databases and the capacity to conduct data matching. The resulting matched data sets will be used for research about the health and health services needs of offender populations. In particular, researchers from Canadian academic research institutions who are affiliated with the Research Branch of CSC wish to conduct research about offenders, addictions and health.
Summary of risks and recommendations
General risks
Risk
Circumstances/requirements change.
Recommendations for mitigation
PIA
PIA is a living document, and can be amended as required.
ICES
Same
Risk
Offender identities are not protected.
Recommendations for mitigation
PIA
Confirm that 'de-identification' processes are effective and that re-identification is not possible.
ICES
Reviewed procedure; process being used has been approved by provincial government to protect medical records.
Risk
Data is used for unintended purposes.
Recommendations for mitigation
PIA
- Projects must be approved in advance and data agreement only allows for data to be used in the approved project;
- All projects are approved by an external research ethics board.
ICES
Only approved scientists can access the data and all projects are pre-approved and reviewed by the Sunnybrook Medical Centre Research Ethics Board. Data is not used externally to the ICES site.
Risk
Data is not protected properly.
Recommendations for mitigation
PIA
Each case of sharing data has its own data sharing agreement that specifically addresses the needs of both organizations and the level of protection required, and references the host organization's data protection standards and procedures. The data sharing agreements can be withdrawn at any time if the organization fails to meet the requirements.
ICES
The Data Sharing Agreement will address the same level of protection provided to Ontario medical records. The data exists in a secure facility, with a secure data storage area with limited access, and access to records with identifiable information is only available to three employees (data covenanters) who conduct the de-identification process.
Risk
Notice to Offenders of data use is not explicit.
Recommendations for mitigation
PIA
Reviews are underway to ensure that offenders are informed that data may be used for research purposes.
ICES
Same
Risk
ATIP requests may be made about the release of personal identifiers.
Recommendations for mitigation
PIA
Research Branch will maintain a record of all disclosures.
ICES
Technical security aspects of disclosure
Risk
Data will be compromised during transmission and not destroyed at the end of the study period.
Recommendations for mitigation
PIA
Consultation between CSC IMS and the organization receiving the data will ensure the most secure methods of data transmission will be used.
ICES
ICES will be able to use highly secure data transmission options with CSC, replicating what they use with health agencies in Ontario.
Risk
Data corruption or loss may occur during data transmission.
Recommendations for mitigation
PIA
CSC will maintain a duplicate of the data sent to confirm accuracy of data that arrives at the host site.
ICES
Same
Risk
Data transmission and disposal not clearly defined.
Recommendations for mitigation
PIA
The data sharing agreement will define the method for transmitting the data and state that it meets the security requirements of both organizations; data retention and disposal methods will also be clearly defined.
ICES
These will be defined in the data sharing agreement. Processing and procedures already exist at ICES.
Potential sensitivity of information once identifiers are removed
Risk
Data sharing may be sensitive even after identifiers have been removed.
Recommendations for mitigation
PIA
Fields to be disclosed will be defined in the data sharing agreement and their use will be defined in all project proposals that will use the data. Information that needs to be protected, even in aggregate form, will not be shared. All results will be presented in aggregate form so individuals cannot be identified.
ICES
Project approval is to be done at ICES and with CSC research to ensure sensitivities are addressed.
Risk
Dates may be used to identify individuals or situations.
Recommendations for mitigation
PIA
Dates will only be shared as month and year, or as an elapsed time. Exact dates will not be shared.
ICES
Subsequent use and disclosure by the recipient institution
Risk
Unauthorized persons may have access to files with personal identifiers.
Recommendations for mitigation
PIA
Access to personal identifiers in the original data set will be limited to persons whose job specifically allows such access and who have the required security.
ICES
Only the data covenanters at ICES will have access to the personal identifiers. These three individuals are approved to have access to Ontario medical records information with personal identifiers. Personal identifiers are not shared beyond the data covenanters. Researchers never have access to personal identifiers.
Risk
Conditions for terms of use, termination, retention and disposal of data will be forgotten.
Recommendations for mitigation
PIA
Annual review of all data sharing agreements will be conducted to ensure they are current and continue to meet the needs of both organizations.
ICES
Same
Risk
Data protection is not consistent across systems and CSC data is not treated with the same care required by other legislation.
Recommendations for mitigation
PIA
The data sharing agreement will require data protection at the highest standard of either CSC or the receiving organization.
ICES
Data protection will be based on the requirements of Ontario medical records, a standard equivalent or higher than required for CSC data.
Risk
The de-identification process will not be robust.
Recommendations for mitigation
PIA
Through analysis, the de-identification process will be confirmed.
ICES
The standards used by ICES for de-identification are the strongest available given the type of information they normally work with.
Risk
Re-identification may occur.
Recommendations for mitigation
PIA
Algorithms to de-identify the data set are strong. Data that could identify a single individual will be removed. Researchers will agree not to attempt re-identification.
ICES
ICES has procedures to address this. Re-identification has not been an issue within their data systems.