Government of Canada

Draft 2nd Edition of the TCPS (December 2008)

Chapter 5

PRIVACY AND CONFIDENTIALITY

There is widespread agreement about the rights of research participants to privacy and the corresponding duties of researchers to treat personal information in a confidential manner. Indeed, the respect for privacy in research is an internationally recognized norm and ethical standard. Privacy rights are protected in the Canadian Constitution,[1] our country’s most fundamental statement of rights and freedoms, and they are also protected in federal and provincial/territorial statutes. Model voluntary codes[2] have also been adopted to govern access to, and the protection of, personal information. Some professional organizations have also established privacy codes that establish the rights and obligations of their members regarding collection, use and disclosure of personal information.

This Policy is based on a proportionate approach to ethical assessment of research, where more stringent review and protections are applied to research that poses greater risks to participants. Privacy risks in research relate to the identifiability of participants and the potential harms they may experience from collection, use and disclosure of personal information. Privacy risks arise at all stages of the research life cycle, including initial collection of information, use and analysis to address research questions, dissemination of research results, retention of information, and disposal of research records or devices on which information is stored. Researchers and research ethics boards (REBs) should identify and mitigate privacy risks, keeping in mind that a matter that is not considered sensitive or embarrassing in the researcher’s culture may be so in a prospective participant’s culture.

A. Key Definitions and Principles

Privacy

Privacy refers to an individual’s right to be free from intrusion or interference by others. It is a fundamental right in a free and democratic society. Individuals have privacy interests in relation to their bodies, personal information, thoughts and opinions, personal communications with others, and spaces they occupy. Research affects these various domains of privacy in different ways, depending on its objectives and methods. An important aspect of privacy is the right to control information about oneself. The concept of consent is related to the right to privacy. Privacy is respected if an individual has an opportunity to exercise control over personal information by consenting to, or withholding consent for, collection, use and/or disclosure of information. (For further discussion of consent, see Chapter 3 [“Free and Informed Consent”].)

Confidentiality

The duty of confidentiality refers to the obligation of an individual or organization to safeguard information entrusted to it by another. The duty of confidentiality includes obligations to protect information from unauthorized access, use, disclosure, modification, loss or theft. Fulfilling the duty of confidentiality is essential to the trust relationship between researcher and research participant, and to the integrity of the research enterprise.

Security

Security refers to measures used to protect information. It includes physical, administrative and technical safeguards. An individual or organization fulfils its confidentiality duties, in part, by adopting and enforcing appropriate security measures. Physical safeguards include use of locked filing cabinets and location of computers containing research data away from public areas. Administrative safeguards include development and enforcement of organizational rules about who has access to personal information about research participants. Technical safeguards include use of computer passwords, firewalls, anti-virus software, encryption and other measures that protect data from unauthorized access, loss or modification.

Types of Information

Researchers collect, use, share and seek access to different types of information about research participants. Privacy concerns are strongest in regard to information that identifies a specific research participant, and they attenuate as it becomes more difficult or impossible to associate information with a particular participant. Privacy concerns also vary with the sensitivity of the information and the extent to which access, use or disclosure may harm an individual by exposing them to embarrassment, stigma, discrimination or other detriments.

Information may be categorized as follows:

  • Identifying information: The information identifies a specific research participant through direct identifiers (e.g., name, address, social insurance number or personal health number).
  • Identifiable information: The information could be used to re-identify a participant through a combination of indirect identifiers (e.g., date of birth, place of residence or unique personal characteristic) using reasonably foreseeable means.
  • De-identified/coded information: Identifiers are removed and replaced with a code. Depending on access to the code, it may be possible to re-identify specific research participants (e.g., participants are assigned a code name and the principal investigator retains a list that links the code name with the participant’s actual name so data can be re-linked if necessary.) Researchers who have access to the code and the data have identifiable information.
  • Anonymized information: Information is irrevocably stripped of identifiers, and a code is not kept to allow future re-linkage.
  • Anonymous information: Information never had identifiers associated with it (e.g., anonymous surveys).

In this Policy, the term “personal information” refers to identifying and identifiable information about an individual. This includes identifiable information about personal characteristics such as age, culture, educational background, employment history, health care, life experiences, religion, social status and other matters where an individual has a reasonable expectation of privacy. In assessing privacy risks, researchers and REBs should also consider the possibility that, despite the removal of personal identifiers, a small or unique group (such as a group with a rare condition or an Aboriginal community) may be identified. Individuals within that group may experience stigma, embarrassment or other harm resulting from being identified individually or being associated with the group. If researchers are uncertain if the information to which they seek access constitutes personal information under this Policy, they should consult their REB.

Collection and use of anonymous data in research is the easiest way to protect participants, although this is not always possible or desirable. A “next-best” alternative is to anonymize the data at the earliest opportunity. While anonymization often protects participants from identification, the ability to link anonymized datasets with other information sources may lead to re-identification of individuals. Growing technological capacities facilitate re-identification, as is discussed in Section E (“Data Linkage”). Failing the feasibility of using anonymous or anonymized data for research - and there are many reasons why data may need to be gathered and retained in an identifiable form - the duty of confidentiality becomes paramount.

B. The Duty of Confidentiality

Article 5.1 Researchers must maintain confidentiality of personal information about research participants, subject to any legal and ethical duties to disclose confidential information.

Application When researchers obtain personal information with a promise of confidentiality, following through with that promise is integral to respect for research participants and the integrity of the research enterprise. Breaches of confidentiality may cause harm to the trust relationship between the researcher and the research participant, to other individuals or groups, and/or to the reputation of the research community.

The duty of confidentiality applies to information obtained directly from participants or from other researchers or organizations that have legal, professional or other obligations to maintain the confidentiality of personal records.

A researcher’s duty of confidentiality is not absolute. In certain exceptional and compelling circumstances, researchers may have legal and ethical obligations to disclose information revealed to them in confidence, such as reporting information to authorities to protect the health, life or safety of a research participant or third party. Researchers should be aware of laws (such as laws that require reporting of children in need of protection) or ethical codes (such as professional codes of conduct) that may require disclosure of information they obtain in a research context.

Researchers who believe they may have a legal or ethical duty to disclose information obtained in a research context should consult with colleagues, any relevant professional body, the REB and/or legal counsel regarding an appropriate course of action.

Article 5.2 Researchers must describe measures for meeting confidentiality obligations and explain any limits on confidentiality:

  1. In application materials they submit to the research ethics board; and
  2. During informed consent discussions with potential research participants.

Application Researchers should inform potential research participants of these legal and/or ethical disclosure duties at the time of obtaining consent so the participants understand the limits of the confidentiality promise.

Researchers should also inform participants if personal information may be provided to government departments or agencies, personnel from an agency that monitors the research, a research sponsor (such as a pharmaceutical company), the REB or a regulatory agency.

In rare cases, a third party may seek access to information obtained and/or created in a research context. An access request may seek voluntary disclosure of information or may seek to compel disclosure through force of law (such as seeking a subpoena). Researchers must make reasonable efforts to maintain their promise of confidentiality to research participants within the extent permitted by law and ethical principles. This may involve resisting requests for access, such as opposing court applications seeking disclosure.

When designing their research, researchers should incorporate any applicable statute-based or other legal principles that may afford protection for the privacy of participants and confidentiality of research information.

C. Safeguarding Information

Article 5.3 Researchers should assess privacy risks and threats to the security of information for all stages of the research life cycle and implement appropriate measures to protect information. Researchers must provide details to the research ethics board regarding their proposed measures for safeguarding information, for the full life cycle of information - that is, its collection, use, dissemination, retention and disposal.

Application Safeguarding information helps respect the privacy of research participants and helps researchers fulfil their confidentiality obligations. In adopting measures to safeguard information, researchers should follow disciplinary standards and practices for the collection and protection of information for research purposes. Formal privacy impact assessments are required in some institutions and under legislation or policy in some jurisdictions. Security measures should take into account the nature and type of data (e.g., paper records or electronic data stored on a mobile device; whether information contains direct or indirect identifiers). Principles for safeguarding information apply both to original documents and copies of information.

Factors relevant to the REB’s assessment of the adequacy of the researchers’ proposed measures for safeguarding information include:

  1. The type of information to be collected;
  2. The purpose for which the information will be used;
  3. Limits on the use, disclosure and retention of the information;
  4. Appropriate security safeguards for the full life cycle of information;
  5. Any modes of observation (e.g., photographs or videos) or access to information (e.g., sound recordings) in the research that may allow identification of particular participants;
  6. Any intended uses of personal information from the research; and
  7. Any anticipated linkage of data gathered in the research with other data about participants, whether those data are contained in public or personal records. (See also Section E [“Data Linkage”].)

In considering the adequacy of proposed data protection measures for the full life cycle of information, REBs should not automatically impose a requirement that researchers destroy the research data. Data retention periods vary depending on the research discipline, research purpose and kind of data involved. Data destruction is not a typical part of the qualitative research process; in some situations formal data sharing with participants may occur - for example, by giving individual participants copies of a recording or transcript as a gift for personal, family or other archival use. Similarly, some funding bodies, such as the Social Sciences and Humanities Research Council and the Canadian Institutes of Health Research, have specific policies on data archiving and sharing.[3]

In disseminating research results, researchers should not disclose direct identifiers without the consent of research participants. Researchers should take reasonable measures to ensure against inadvertent identification of individuals or groups in publications or other means of dissemination, and they must address this issue to the satisfaction of the REB.

In some instances, participants may wish to be identified for their contributions to the research. Where possible, researchers should negotiate agreement with participants about if and how participants may be identified to recognize their contribution. Negotiation may help resolve any disagreement on this issue between individual participants and groups of which they are a member (where, for example, an individual wants to be recognized, but the broader group or community expresses objection). Researchers and REBs should also pay heed to disciplinary standards regarding identification and acknowledgment of research participants.

In disseminating results, researchers should avoid being put in a position of becoming informants for authorities or leaders of organizations. For example, when records of prisoners, employees, students or others are used for research purposes, the researcher should not provide authorities with results that could identify individuals, unless the prior written consent of the participants is obtained. Researchers may, however, provide administrative bodies with aggregated data that cannot be linked to individuals, for purposes such as policy-making or program evaluation. To obtain informed consent, researchers should advise potential participants if aggregated data from a study may be disclosed, particularly where such disclosure may pose risk of harm to the participants. For example, aggregate data provided to authorities about illicit drug use in a penitentiary may pose harms to the prisoners, even though they are not identified individually.

Consideration of future uses of personal information refers not just to research, but also to other purposes, such as the future use of research videos for educational purposes. It is essential that proposed future uses of information be specified in sufficient detail that prospective participants may give free and informed consent. In most cases, it is inappropriate to seek prospective permission for unspecified future uses of personal information at the same time consent is being sought for participation in a specific study. (Refer to Chapter 12 [“Human Tissue”] for guidance on establishment of large-scale biobanking projects where participants may have an option of agreeing to broader categories of future uses.) Secondary use of personal information is discussed further in the next section of this chapter, and Chapter 3 (“Free and Informed Consent”) addresses free and informed consent in detail.

Internet research may raise special privacy, confidentiality and security issues that researchers and REBs need to take into account. Research data sent over the Internet may require encryption or use of special denominalization software to prevent interception by unauthorized persons or other risks to data security. In general, identifying data obtained through research that is kept on a computer and connected to the Internet should be encrypted.

Article 5.4 Institutions or organizations where research data are held have a responsibility to establish appropriate institutional security safeguards.

Application In addition to the security measures researchers implement to protect data, safeguards put in place at the institutional or organizational level also provide important protection. Such data security safeguards should include physical, administrative and technical measures.

D. Secondary Use of Personal Information for Research Purposes

Secondary use refers to the use in research of personal information originally collected for a purpose other than the current research purpose. Common examples are social science or public health survey datasets that are collected for specific research or statistical purposes, but then re-used to answer other research questions. Other examples are health-care or school records or biological specimens, originally created or collected for therapeutic or educational purposes, but later sought for use in research. Chapter 12 (“Human Tissue”) provides further guidance on research involving secondary use of previously collected human tissue.

Secondary use avoids duplication in primary collection and therefore reduces burdens and costs for participants and researchers. Privacy concerns arise, however, when information can be linked to individuals and when the possibility exists that individuals can be identified in published reports.

Personal information refers to identifying and identifiable information, as described in Section A of this chapter (“Key Definitions and Principles”). Articles 5.5 and 5.6 do not apply to secondary use of information that is anonymous, anonymized or de-identified/coded and where the research team has no access to the code. For example, this article does not apply to a researcher who receives a de-identified dataset from an organization, but who does not have access to a code that permits re-identification of individuals. Research use of personal information that relies exclusively on publicly available sources such as public archives and published works does not require REB review, as discussed in Chapter 2 (“Scope and Approach”).

Article 5.5 Researchers must seek research ethics board (REB) approval for secondary research use of personal information. Researchers must satisfy the REB that:

  (a) Identifying or identifiable information is essential to the research;
  (b) They will take appropriate measures to protect the privacy of the individuals, to ensure the confidentiality of the data, and to minimize harms to participants;
  (c) Individuals to whom the data refer did not object in principle to secondary use at the initial stage of collection or otherwise make known their objection; and
  (d) They have obtained any other necessary (e.g., legal) permission to access personal information for secondary research purposes.

Application If a researcher satisfies the conditions in Article 5.5(a) to (d), the REB may approve the research without requiring consent from individuals to whom the information relates.

Databases vary greatly in the degree to which information identifies or could be used to identify individuals. The REB must carefully appraise the possibility of identification and the harm or stigma that might result from identification. A proportionate approach should be applied by the REB to evaluate the identifiability of the information in the database and to modulate its own requirements accordingly.

REBs and researchers should be sensitive to the context in which information was initially obtained, such as in a relationship of trust and confidence, as well as to the understanding and/or expectations of the individual about use, retention and disclosure of the information. Known objections to secondary use should be respected. An individual may express objection to future uses at the time of initial data collection or may, at some later point, contact the organization or individual who holds the data to request that it not be used for secondary research. For example, a former patient may hear in the media about research being conducted at a local hospital and contact the facility administrators to request that her or his medical records (in their identifying or identifiable form) not be used for research.

Legislation governing protection of personal information may impose specific rules regarding disclosure of personal information for secondary research purposes. These laws may require the individual or organization that has custody or control of requested personal information to obtain approval from a privacy commissioner or other body before disclosing information to researchers, and may impose additional requirements such as information sharing agreements that describe conditions for disclosure of personal information. Researchers should be aware of relevant laws that regulate disclosure of personal information for research purposes.

Article 5.6 In highly sensitive situations, such as when personal information will be published or other instances where there is a substantial privacy risk, the research ethics board (REB) may require that a researcher’s access to personal information for secondary use be dependent on the informed consent of individuals about whom the information relates or the informed consent of authorized third parties, unless it is impossible or impracticable to obtain consent.

If the REB is satisfied that it is impossible or impracticable to obtain consent, it may require that access to personal information be dependent on:

  (a) An appropriate strategy for communicating to relevant groups that personal information is intended to be used for a specified research purpose; or
  (b) Consultation with representatives of individuals or groups about whom the information relates.

Researchers must report outcomes of communication or consultation under (a) or (b) to the REB.

Application In considering the applicability of this article, REBs should apply a proportionate approach to ethical assessment of research. This involves considering the likelihood and magnitude of privacy risks for individuals about whom the information relates, as well as the potential benefits of the research.

Where use of identifying or identifiable information for secondary research raises a substantial privacy risk, Article 5.6 states that the REB may require researchers to seek consent from individuals or authorized third parties. It may, however, be impossible or impracticable to contact all individuals or authorized third parties to obtain informed consent for secondary research use of information. In some jurisdictions, privacy laws may preclude researchers from using personal information to contact individuals to seek their consent for secondary use of information. Consent may also be impossible or impracticable when the group is large or its members are likely to be deceased, geographically dispersed or difficult to track. Attempting to track and contact members of the group may raise additional privacy concerns. Seeking consent from only a partial set of group members may introduce undesirable bias into the research. Financial, human and other resources required to contact individuals and obtain consent may impose undue hardship that jeopardizes the research.

Where an REB is satisfied that consent is impossible or impracticable, Article 5.6(a) states that the REB may require an appropriate strategy for distributing information to relevant groups about the proposed research. For example, researchers who propose to access identifiable patient records may post notices or distribute pamphlets at a health-care centre, because former patients may still have contact with the centre. Alternatively, under Article 5.6(b), the REB may require that there be consultation with representatives of the individuals or group. For example, researchers may develop a way to sample the opinions of a subset of individuals in the group or contact one or more organizations that are likely to represent the views and interests of the individuals. The goal of such communication or consultation is to provide an opportunity for input regarding the proposed research. In some situations, the consultation under Article 5.6(b) may take place with an organization that provides access to personal information. For example, researchers who obtain a dataset of personal information from a government agency may consult with that agency about the proposed research.

In their application materials, researchers must explain to the REB why it is impossible or impracticable to obtain informed consent from individuals. Their application should also propose a communication or consultation strategy for the REB’s consideration. Where the REB is satisfied that consent is impossible or impracticable, and that the sensitivity of the situation warrants communication or consultation under Article 5.6(a) or (b), the researchers must report the outcomes of those activities to the REB. For example, if consultation with a representative group reveals concern with an aspect of the proposed research, researchers must report this feedback to the REB. Any changes to the research must comply with guidelines regarding departures from approved research, as set out in Article 6.16 of Chapter 6 (“Governance of Research Ethics Review”).

Article 5.7 Researchers who wish to contact individuals about whom personal information relates must obtain research ethics board approval prior to contact.

Application In certain cases, a research goal may be achieved only through follow-up contact with individuals to collect additional information. However, contact with individuals whose previously collected information is used for secondary research purposes raises privacy concerns, especially where a relationship with individuals has not been maintained. Individuals might not want to be contacted by researchers or might be upset that their information was disclosed to researchers. The research benefits of follow-up contact must clearly outweigh the potential harms to individuals of follow-up contact, and the REB must be satisfied that the proposed manner of follow-up contact minimizes potential harms for individuals.

E. Data Linkage

Article 5.8 Researchers who wish to engage in data linkage that may lead to identification of individuals must obtain research ethics board approval prior to carrying out the data linkage.

Application Advances in our abilities to link databases create both new research opportunities and new threats to privacy. These techniques may provide avenues for addressing previously unanswerable questions and for generating better social and health-related information. The values underlying the ethical obligation to respect privacy oblige researchers and REBs to exercise caution in the creation and use of data of this kind. REBs should also be aware of relevant legislation and any criteria required by governments for authorization of use of data in governmental databanks.[4]

Only a restricted number of individuals should perform the function of merging databases. Researchers should either destroy the merged file immediately after use, or use enhanced security measures to store it. Whether the data are to be used statistically or otherwise, all members of the research team must maintain security of the information. When a merged database identifies a person or a group who might be at risk of substantial harm, it may be appropriate to contact those at risk or the appropriate authorities. The REB and the record holder should also be notified.


Endnotes

[1] See Canadian Charter of Rights and Freedoms, Part I of the Constitution Act, 1982, being Schedule B to the Canada Act 1982 (U.K.), 1982, c. 11.

[2] See, for example, the Canadian Standards Association’s Model Code for the Protection of Personal Information.

[3] See the SSHRC Research Data Archiving Policy and the CIHR Policy on Access to Research Outputs.

[4] See, for example, Statistics Act, Revised Statutes of Canada, 1985, Chapter S-19 as amended.