Disclosure for health research

Privacy impact assessment (PIA) summary

Overview

Researchers within the Research Branch of Correctional Service Canada (CSC) routinely access and use offenders' personal information (PI) for research, in accordance with CSC's mandate, policies and directives. Recently, there has been interest in partnering with external organizations that conduct research outside of federal departments and agencies. Specifically, this partnering would involve disclosure of PI about offenders to research institutions that have authorization to use provincial/territorial health administrative databases and the capacity to conduct data matching. The resulting matched data sets will be used for research about the health and health services needs of offender populations. In particular, researchers from Canadian academic research institutions who are affiliated with the Research Branch of CSC wish to conduct research about offenders, addictions and health.

Summary of risks and recommendations

General risks

Risk

Circumstances/requirements change.

Recommendations for mitigation

PIA

PIA is a living document, and can be amended as required.

ICES

Same

Risk

Offender identities are not protected.

Recommendations for mitigation

PIA

Confirm that 'de-identification' processes are effective and that re-identification is not possible.

ICES

Reviewed procedure; process being used has been approved by provincial government to protect medical records.

Risk

Data is used for unintended purposes.

Recommendations for mitigation

PIA

  1. Projects must be approved in advance, and the data agreement only allows data to be used in the approved project;
  2. All projects are approved by an external research ethics board.

ICES

Only approved scientists can access the data and all projects are pre-approved and reviewed by the Sunnybrook Medical Centre Research Ethics Board. Data is not used externally to the ICES site.

Risk

Data is not protected properly.

Recommendations for mitigation

PIA

Each case of sharing data has its own data sharing agreement that specifically addresses the needs of both organizations and the level of protection required, and that references the host organization's data protection standards and procedures. The data sharing agreements can be withdrawn at any time if the organization fails to meet the requirements.

ICES

The Data Sharing Agreement will address the same level of protection provided to Ontario medical records. The data exists in a secure facility, with a secure data storage area with limited access, and access to records with identifiable information is only available to three employees (data covenanters) who conduct the de-identification process.

Risk

Notice to Offenders of data use is not explicit.

Recommendations for mitigation

PIA

Reviews are underway to ensure that offenders are informed that data may be used for research purposes.

ICES

Same

Risk

ATIP requests may be made about the release of personal identifiers.

Recommendations for mitigation

PIA

Research Branch will maintain a record of all disclosures.

ICES

Technical security aspects of disclosure

Risk

Data will be compromised during transmission and not destroyed at the end of the study period.

Recommendations for mitigation

PIA

Consultation between CSC IMS and the organization receiving the data will ensure the most secure methods of data transmission will be used.

ICES

ICES will be able to use highly secure data transmission options with CSC, replicating what they use with health agencies in Ontario.

Risk

Data corruption or loss may occur during data transmission.

Recommendations for mitigation

PIA

CSC will maintain a duplicate of the data sent to confirm accuracy of data that arrives at the host site.

ICES

Same

Risk

Data transmission and disposal not clearly defined.

Recommendations for mitigation

PIA

The data sharing agreement will define the method for transmitting the data and state that it meets the security requirements of both organizations. Data retention and disposal methods will also be clearly defined.

ICES

These will be defined in the data sharing agreement. Processing and procedures already exist at ICES.

Potential sensitivity of information once identifiers are removed

Risk

Data sharing may be sensitive even after identifiers have been removed.

Recommendations for mitigation

PIA

Fields to be disclosed will be defined in the data sharing agreement and their use will be defined in all project proposals that will use the data. Information that needs to be protected, even in aggregate form, will not be shared. All results will be presented in aggregate form so individuals cannot be identified.

ICES

Project approval is to be done at ICES and with CSC research to ensure sensitivities are addressed.

Risk

Dates may be used to identify individuals or situations.

Recommendations for mitigation

PIA

Dates will only be shared as month and year, or as an elapsed time. Exact dates will not be shared.

ICES

Subsequent use and disclosure by the recipient institution

Risk

Unauthorized persons may have access to files with personal identifiers.

Recommendations for mitigation

PIA

Access to personal identifiers in the original data set will be limited to persons whose job specifically allows such access and who have the required security.

ICES

Only the data covenanters at ICES will have access to the personal identifiers. These three individuals are approved to have access to Ontario medical records information with personal identifiers. Personal identifiers are not shared beyond the data covenanters. Researchers never have access to personal identifiers.

Risk

Conditions for terms of use, termination, retention and disposal of data will be forgotten.

Recommendations for mitigation

PIA

Annual review of all data sharing agreements will be conducted to ensure they are current and continue to meet the needs of both organizations.

ICES

Same

Risk

Data protection is not consistent across systems and CSC data is not treated with the same care required by other legislation.

Recommendations for mitigation

PIA

The data sharing agreement will require data protection at the highest standard of either CSC or the receiving organization.

ICES

Data protection will be based on the requirements of Ontario medical records, a standard equivalent to or higher than that required for CSC data.

Risk

The de-identification process will not be robust.

Recommendations for mitigation

PIA

Through analysis, the de-identification process will be confirmed.

ICES

The standards used by ICES for de-identification are the strongest available given the type of information they normally work with.

Risk

Re-identification may occur.

Recommendations for mitigation

PIA

Algorithms to de-identify the data set are strong. Data that could identify a single individual will be removed. Researchers will agree not to attempt re-identification.

ICES

ICES has procedures to address this. Re-identification has not been an issue within their data systems.
