CIHR Best Practices for Protecting Privacy in Health Research (September 2005)

[ PDF (856 KB) | Help ]

Cat. No.: MR21-63/2005E-HTML
ISBN: 0-662-41057-2


Table of contents

Acronyms

CIHR Privacy Advisory Committee: Recommendations

Privacy Best Practices: 10 elements in summary form

How to navigate the document: Areas of special interest

Introduction

Privacy Best Practices: 10 elements

How to read these elements

  • Element #1 - Determining the research objectives and justifying the data needed to fulfill these objectives
  • Element #2 - Limiting the collection of personal data
  • Element #3 - Determining if consent from individuals is required
  • Element #4 - Managing and documenting consent
  • Element #5 - Informing prospective research participants about the research
  • Element #6 - Recruiting prospective research participants
  • Element #7 - Safeguarding personal data
  • Element #8 - Controlling access and disclosure of personal data
  • Element #9 - Setting reasonable limits on retention of personal data
  • Element #10 - Ensuring accountability and transparency in the management of personal data

Appendices


Acronyms

CIHR Canadian Institutes of Health Research
CSA Canadian Standards Association
ICH GCP International Conference on Harmonization of Technical Requirements for Registration of Pharmaceuticals for Human Use- Good Clinical Practice: Consolidated Guideline
NCEHR National Council on Ethics in Human Research
NIH National Institutes of Health (United States of America)
NSERC Natural Sciences and Engineering Research Council of Canada
PAC CIHR Privacy Advisory Committee
PRE Interagency Advisory Panel on Research Ethics
REB Research Ethics Board
RMGA Quebec Network of Applied Genetic Medicine
SSHRC Social Sciences and Humanities Research Council of Canada
TCPS Canadian Institutes of Health Research, Natural Sciences and Engineering Research Council of Canada, Social Sciences and Humanities Research Council of Canada, Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans, 1998 (with 2000, 2002, 2005 amendments)
U.S. United States of America

CIHR Privacy Advisory Committee1 - Recommendations

Background

Recognizing that one of the key ethical challenges for the health research community is to appropriately protect the privacy of those individuals whose information is used for research purposes, CIHR has promoted and initiated dialogue with the broad health research community on a range of privacy-related matters for many years. In particular, a multi-stakeholder workshop in November 2002 entitled Privacy in Health Research: Sharing Perspectives and Paving the Way Forward resulted in a number of recommendations, including that CIHR initiate the development of privacy best practices and promote the harmonization of privacy laws and policies that impact on health research.

Privacy Advisory Committee

Following on these recommendations, CIHR established a Privacy Advisory Committee (PAC) in 2003 to advise CIHR on the development of privacy best practices for health research, and on strategies for consultation, communication and knowledge translation. The Committee's mandate ends with the public release of the Privacy Best Practices in 2005.

PAC members were drawn from across Canada and include an international advisor. They represent themselves, not their organizations or institutions. Members bring the perspectives of the following interested groups: privacy commissioners, research ethics boards, health researchers, voluntary health organizations, patients/consumers, policy-makers, data providers, law/ethics, Aboriginal communities, and health service providers. Ex-officio members are drawn from key groups involved in developing or implementing research ethics policy/regulations, namely the Interagency Advisory Panel for Research Ethics, the National Council on Ethics in Human Research, Health Canada, and the Social Sciences and Humanities Research Council of Canada. The Natural Sciences and Engineering Research Council of Canada was invited to appoint a member on PAC but preferred to assume a consultative role. PAC members agreed by consensus to have the CIHR Ethics Office chair the Committee in the role of facilitator.

An earlier version of the current document was the subject of public consultations through 2004. The current document was revised based on feedback received.

Recommendations

The following recommendations are intended to promote the effective implementation of these Privacy Best Practices in the health research community and to ensure that these best practices continue to respond to the evolving nature of health research and challenges of privacy protection.

Continuous learning and evaluation

  • These Privacy Best Practices must continue to evolve to reflect improved practices and innovative solutions over time, and to reflect and influence ongoing legislative developments. Recognizing that important issues have yet to be addressed (see Key Outstanding Issues), these should be tackled by developing supporting modules with the active engagement of the relevant communities and through targeted research.
  • There should be an assessment of the impact that the Best Practices will have over time on research ethics board decision-making and researcher practice. Mechanisms should be put in place to enable this assessment. These mechanisms should include a formal process, such as a CIHR Standing Committee, to assess implementation and the need for improvement of the Best Practices over time. A web tool should be considered for channelling research findings and capturing practical experiences to inform the ongoing evolution of the Best Practices.

Implementation strategy

  • These Privacy Best Practices should be revised in two years. With ongoing feedback and evaluation, PAC expects that the Best Practices will be adapted, as necessary, for the purpose of becoming mandatory CIHR funding policy. These Best Practices should also be referred to the Interagency Advisory Panel on Research Ethics with a view to encouraging their eventual application, in revised form, as Tri-Agency funding policy. For this to happen, the social science perspective needs to be strengthened.

Support for implementation

  • Underpinning the implementation strategy for these Privacy Best Practices, there should be a strong emphasis on the importance of training and education support for institutions, research ethics boards and researchers. CIHR should consider developing a web-based document as an educational resource.
  • In addition, institutions should be encouraged to provide adequate support for the infrastructure needed to implement and operationalize these Best Practices on a systematic basis. PAC recommends that there be a line item in the budget of researchers' grant applications to accurately reflect the increased cost involved in adhering to these Best Practices so as to enhance commitment and feasibility.

Harmonization of oversight framework

  • There should be continuing efforts by CIHR to support and influence the federal, provincial and territorial legislative harmonization agenda as well as the development of a national system of research ethics oversight.

Key outstanding issues

  • Privacy concerns related to the transnational flow of data need to be addressed. These could include clear interpretive provisions and the development of coherent and reciprocal minimum standards to be included in international data transfer agreements.
  • A separate process or initiative should be undertaken to develop a policy framework for the physical collection, use and storage of human biological specimens (in contrast to the personal information that may be derived from those specimens) as these are critically important and complex areas of activity that are having increasing importance in research.
  • As one important means of responding to public concerns over potential unauthorized uses of personal information gathered for research, CIHR should consider raising discussion among stakeholders and governments about the desirability and feasibility of introducing in Canada instruments such as the Certificates of Confidentiality issued in the United States to protect sensitive information on research participants from forced disclosure.2

Privacy Best Practices - 10 elements in Summary Form

These Privacy Best Practices are intended to provide guidance for the health research community in Canada on the application of fair information principles to research involving personal information, and to assist in the interpretation of the Tri-Council Policy Statement: Ethical Conduct for Research involving Humans (TCPS) by offering additional detail and practicality.

In turn, as these Best Practices evolve in light of practice, they have the potential to inform the ongoing development of the TCPS and relevant laws and policy.

These Privacy Best Practices do not replace existing laws, policies and professional codes of conduct that apply to certain types of personal information, designated organizations and/or specific kinds of activity.

Privacy Best Practices

The Elements are presented in summary in this section to provide a quick reference for the reader. Full descriptions of each Element along with links to selected excerpts from the TCPS are in the main body of this document.

Tables of Concordances are included in the Appendices to supplement key provisions in the Elements with cross-references to related requirements under Canadian privacy legislation. The Tables should be used only as preliminary guidance. The application of the information in the Tables to a particular research project should be determined in consultation with a legal advisor.

ELEMENT #1: Determining the research objectives and justifying the data needed to fulfill these objectives

At the outset of the research design process, and as thoroughly as possible given the proposed research method, researchers should:

  • identify and document research objectives and questions as a basis for determining what data will be needed;
  • anticipate and document research questions related to the primary research objective, which might become relevant after the initial data analyses; and
  • anticipate and document likely future uses of the data, including possible collaborations with other researchers or possible commercial uses.

In the case of a database created for general research purposes, researchers should define the scope and purpose in a way that will be meaningful for research ethics boards (REBs) and any prospective research participants, even if the boundaries are at a relatively general level. This is an opportunity to be as open and transparent as possible about the proposed research, and to reassure research participants and REBs that although future research purposes are not specified in detail, data management, storage and use will occur within a defined framework, including review and approval by an REB.

If appropriate, setting up an advisory committee drawn from the scientific community, other relevant areas (such as ethics, policy, or information technology) and those affected by the condition or health event under study, can assist in defining the scope and strategic priorities for a research project in the context of both short and long-term initiatives.

All potential relevant and useful research questions cannot always be foreseen at the outset of a research project. For example, researchers using inductive methods of research may discover an "emergent" research approach through encounters with and in collaboration with research participants. In such research, the development of research questions and procedures is an ongoing process. While planning their research, researchers should attempt to foresee both obvious and emerging issues related to privacy. These should be included in the submission to an REB. Researchers should also document for an REB any amendments to the protocol and consequent privacy protection strategies emerging over the course of the study.

ELEMENT #2: Limiting the collection of personal data

Researchers should plan to collect personal data only as necessary for the research. The amount of personal information collected and the level of identifiability and sensitivity of this information should be restricted to what is necessary to achieve the research objectives.

Consider first whether individually identifiable data are needed, or whether non-identifiable data or aggregate data would serve the research objectives (e.g. data on individuals grouped by age or some other meaningful variable).

For research involving secondary use of data for research, if identifiable data are required for the research, direct identifiers should be avoided or concealed, to the extent that is reasonably practical (e.g. as soon as a data linkage has been completed). Data without direct identifiers can be:

  • coded to allow a trace-back to individuals, by means of:
    • single-coding (the researcher has the key to the code to link the research data back to direct identifiers, which are held separately); or
    • double-coding (an increased level of confidentiality protection over single coding because the data holder does not give the researcher the key to re-identify individuals); or
  • without a code, if the capacity to trace the research data or results back to individuals is not required for the research purpose.

Even if the direct identifiers in shared data have been removed or coded, consider how to minimize the collection or sharing of potentially identifying data elements.

For inductive data collection, for example where open-ended interview techniques are used, the extent of personal data to be collected may not always be foreseeable in detail at the outset of the interview. In these cases, the ongoing negotiation of consent with research participants is the best way to ensure that the privacy of individuals and the community is being appropriately protected.

ELEMENT #3 : Determining whether consent from individuals is required

Voluntary and informed consent from legally competent individuals or authorized third parties is a fundamental principle in research involving humans, and specifically for the use of their personal data.

Under specified circumstances, given a satisfactory rationale by the researcher, an REB may approve the waiver of a consent requirement, or a partial waiver of some elements of a consent requirement. According to TCPS Article 2.1(c), the REB must find and document that:

"(i) The research involves no more than minimal risk to the subjects;
(ii) The waiver or alteration is unlikely to adversely affect the rights and welfare of the subjects;
(iii) The research could not practicably be carried out without the waiver or alteration;
(iv) Whenever possible and appropriate, the subjects will be provided with additional pertinent information after participation; and
(v) The waived or altered consent does not involve a therapeutic intervention."

In addition to REB approval, access to personal data for research without consent will be subject to specific legal requirements in relevant jurisdictions.

When a research objective requires the collection of personal information directly from individuals to whom the data belong and linking to other sources to form a combined file, consent should be sought for both types of data collection at the time of direct contact with prospective research participants.

For secondary use of data for research, an REB should consider the following factors in determining whether a research proposal meets the requirements for waiver of consent:

  • necessity of personal data for the research purposes;
  • potential harms and benefits of the research;
  • inappropriateness or impracticability of consent;
  • expectations of individuals;
  • views of relevant groups;
  • legal requirements; and
  • openness (informing the public).

These factors, and the description in the Elements, expand on TCPS Article 2.1(c)(i)- (iii).

An REB may determine that seeking consent from individuals is inappropriate because there is potential harm to individuals from direct contact, or contact with individuals is not permitted under a previous data-sharing agreement, law or policy.

Seeking consent from individuals for the use of their personal data may be considered impracticable when there are difficulties in contacting or notifying individuals for reasons such as:

  • the size of the population being researched;
  • the proportion of prospective participants likely to have relocated or died since the time the personal information was originally collected; or
  • the lack of an existing or continuing relationship between prospective participants and the data holder who would need to contact them (e.g. a patient database that does not have a regular follow-up program to maintain a complete and accurate record of changes in registrants' contact information over time);

such that:

  • there is a risk of introducing bias into the research because of the loss of data from segments of the population that cannot be contacted to seek their consent, thereby affecting the validity of results and/or defeating the purpose of the study; or
  • the additional financial, material, human, organizational and other resources needed to obtain consent could impose a hardship or burden on the researchers or organization so burdensome that the research could not be done.

ELEMENT # 4: Managing and documenting consent

Consent is an ongoing process that begins upon first contact with prospective participants or authorized third parties, and ends only with the conclusion of their participation in the research or use of their information. Participants should understand that their consent is voluntary, to be obtained without manipulation, undue influence or coercion, and can be withdrawn at any time.

Evidence of initial and ongoing consent and the withdrawal of consent should be documented as appropriate for audit and legal purposes.

The majority of research studies use an opt-in consent. Opting-in means that prior to the start of the research or data collection, informed individuals give clear indication that they voluntarily agree to participate in the research.

Presumed consent with an opt-out mechanism should be used only when an REB considers prior opt-in consent to be inappropriate or impracticable. A valid opt-out mechanism means that individuals have the opportunity at some time during the research or data collection process to give a clear indication (in writing or orally) that they do not want to be participants in the research or to have their data used in the research. If individuals do not choose to opt-out of the research, their consent is presumed as long as they were given reasonable notice of the research and meaningful opportunity to opt-out.

Collection of data without direct personal identifiers may be necessary or proposed when the research deals with highly sensitive conditions or activities. In such circumstances, consent should be documented but the identity of research participants should not be linkable to their data or to results of analyses.

The researcher may need information on who does not want to participate in research or who withdraws from research, for example to document who is not to be included in follow-up research activities; and/or to take into consideration relevant characteristics of the population not included in the study, when reporting possible bias in research results. In these circumstances, researchers may obtain information about non-participants or those withdrawing consent only with individuals' consent or the approval of an REB to waive the consent requirement in the particular circumstances.

Participants in qualitative studies are especially vulnerable to unintended identification. For example, in quoting interviewees, biographical details may be revealed that make protecting identities difficult. Therefore, paying attention to the trust relationship between researcher and participant, and obtaining ongoing consent, are very important.

ELEMENT #5: Informing prospective research participants about the research

Researchers should provide to prospective participants or to authorized third parties disclosure of all information relevant to voluntary and informed consent.

Information should be communicated to prospective participants in plain language, in oral and/or written form, so that it is easily understood.

The amount of time taken to communicate information to prospective participants should be appropriate to the need, not excessive nor too brief. For example, the information could be layered, with a one-page summary of the research, a short consent form, an appendix with more detailed information and instructions on how to obtain more information.

During the consent process, the researcher should determine whether the participant wishes to be informed of any meaningful research results that specifically relate to them.

Researchers, particularly those in the areas of health services, population and public health, and genetics/genomic research who study whole populations, should strive to communicate with the relevant population and governmental authorities regarding results that are pertinent to the improvement of health and/or the prevention of disease. The population studied should be made aware of possible socio-economic discrimination or group stigmatization as a result of the research results, such as because of perceptions of genetic risks. In the context of genetic research, the population should also be informed of the means taken to minimize the risks.

In the consent process and discussion, researchers using qualitative methods may consider involving participants in the writing and reporting process, depending on the circumstances.

For a hybrid project involving the direct collection of data from individuals and secondary use of data from other sources, the prospective research participant should also be informed of all expected types and sources of personal data to be used, any expected linkages and the expected purposes for which data will be used.

When personal data are to be entered into a database for multiple research uses over an extended period, research participants should also be informed of such things as: expected types of studies, expected data types and purposes, expected commercial uses, data retention period, and the process for overseeing the use and security of data. Participants may also be given the opportunity to provide authorization for future uses, with or without re-contact, including the opportunity to withdraw consent (and any identifying information) in the future. Additional options may include:

  • to be re-contacted on a regular (or as needed basis) to seek consent for new research uses of the data, if desired and practicable; and/or
  • to not be re-contacted, but to authorize the researchers to use the data only in certain ways in the future (e.g. with or without direct identifiers, coded or in non-identifiable form; or for certain areas of research).

ELEMENT #6: Recruiting prospective research participants

The proposed recruitment procedure and materials should be included in the submission for REB approval. The procedure and materials should foster the conditions for voluntary consent, and not exert undue influence on prospective participants to agree to take part in research.

Initial contact with individuals about a research project should be made by someone that individuals would expect to have relevant information about them, or in other ways that do not inappropriately intrude on their life or privacy.

Wherever possible, the researcher should anticipate at the time of the original collection the future uses of personal information for further recruitment purposes, and seek consent from individuals for these purposes.

The REB will need to determine if consent is required for the secondary use of personal information for recruitment purposes. Researchers and REBs should be aware of any legal restrictions on contacting individuals in these circumstances.

When a researcher is making a request for access to data to recruit participants, the preferred option is for the data holder to determine eligibility of individuals for the research on the basis of criteria provided by the researchers, and to make the initial contact to:

  • inform eligible individuals about the research so that they can contact the researcher, if interested, or
  • to seek consent from individuals to release their nominal information to the researcher who will contact them to inform them about the research.

When the preferred option is impracticable or inappropriate, an REB may consider whether a researcher should be permitted access to minimal personal data only for the purposes of determining eligibility for the research or contacting individuals to invite them to join the study. If it is legally permissible and the REB considers it appropriate, personal information may be released with appropriate confidentiality protection such as a signed confidentiality agreement with access restricted to the data holder's site and use limited to the stated purpose.

Researchers should avoid situations where eligible individuals are not aware, prior to being contacted, of information about themselves that makes them eligible for participation in the research, such as a cancer diagnosis.

Typical scenarios for recruiting participants, including community-based research and genetics research, and preferred approaches are briefly described.

ELEMENT #7: Safeguarding personal data

Institutions or organizations where research data are held have a responsibility to establish appropriate institutional security safeguards. Data security safeguards should include organizational, technological and physical measures.

Researchers should take a risk assessment and management approach to protecting research data from loss, corruption, theft or unauthorized disclosure, as appropriate for the sensitivity and identifiability of the data.

REBs should review and approve researchers' proposed measures for safeguarding any personal data to be collected.

ELEMENT #8: Controlling access and disclosure of personal data

Data sharing for research purposes - whether of linked or unlinked data sets - is an important way of enabling socially valuable research. It avoids unnecessary duplication of data collection, which reduces the burden on research participants and permits researchers to use limited or scarce resources more productively.

However, once approved by an REB, there should be strict limits on access to data and secure procedures for data linkage, subject to data-sharing agreements.

When personal data are essential to research objectives and questions, researchers need a plan for making public the results of research in ways that do not permit tracing back to individuals if they do not wish their identities to be known.

The most secure way of conducting data linkages requested by external researchers is for the data holder to conduct the linkage and provide linked data sets to the researcher without direct identifiers and at the minimum level of identifiability necessary for the research purpose. If that is not practicable, a trusted third party may conduct the linkage or the researcher may conduct the linkage on the data holder's site. As a last option, a researcher may be permitted to conduct the linkage at a secure site but under strict controls, as specified in a data-sharing agreement. Following the linkage of datasets, the person doing the data linkage should reduce datasets to the lowest level of identifiability needed to accomplish the research objectives.

Data-sharing agreements bind data providers and researchers to their respective responsibilities and obligations for protecting personal data. Data-sharing agreements should set out the terms and conditions under which data providers will allow researchers to access personal data for research purposes.

In assessing the privacy aspects of research, researchers and REBs should also be aware of the possibility that in some instances individuals may want their identities to be known-for example, when individuals want their contribution to research as participants to be recognized, or where they want to help others afflicted with a similar condition. In some qualitative research, individual participants may understand and willingly accept the possibility that their identities may be revealed in the public reporting of research results.

ELEMENT #9: Setting reasonable limits on retention of personal data

Personal data should be retained as long as is necessary to fulfill the research purposes. Personal data may then be destroyed or returned to the data provider, if appropriate, as set out in the terms of the original collection, data-sharing agreement, institutional policies, and legal requirements.

Retention periods for personal data should be defined in writing. Researchers should be explicit about what they plan to do with the data they collect and have storage, management and access policies in place.

When personal data are collected in a database to support general health research purposes in the future, personal data may be retained for the general purposes originally consented to, subject to security safeguards proportionate to the identifiability and sensitivity of the data.

Administrative databases such as hospital discharge records and vital statistics registries, which may be used to support health research, may retain personal data over the long-term, provided that this is permitted according to legislation or the mandate of a public body such as a government health department.

Any long-term retention of personal data established for general health research purposes should be subject to periodic audits and effective oversight by independent third parties including REBs.

ELEMENT #10: Ensuring accountability and transparency in the management of personal data

Individuals and organizations engaged in health research involving personal data are accountable for the proper conduct of such research in accordance with applicable funding policies, privacy principles and/or legislation. Processes and practices must be clearly established and implemented in order to give meaningful effect to these policies, principles or laws. Proper accountability and transparency practices require adequate resources for such things as communication, education and training relating to privacy.

Roles and responsibilities of all those involved in the conduct and evaluation of research should be clearly defined and understood, including those of researchers, their employing institutions, REBs, any data stewardship committees, Privacy Commissioners and other legally-designated privacy oversight agencies. Their concerted efforts should aim to provide a coherent governance structure for effective and efficient data stewardship.

Recognizing that transparency may enhance public support for, and interest in, socially valuable research, individuals and organizations engaged in the conduct and evaluation of health research should:

  • be open to the public with respect to the objectives of the research;
  • be open about the policies and practices relating to the protection of personal data used in the research;
  • promote ongoing dialogue between the research community and privacy oversight agencies; and
  • promote ongoing dialogue between the research community and the community at large (the public).

When a database is created for multiple research purposes, or across multiple sites or jurisdictions, researchers and institutional data holders should promote coordinated and streamlined approaches to the review of privacy and confidentiality concerns, and to data stewardship over the long term.

A centralized data stewardship committee could be put in place to authorize future uses of the database in accordance with the research objectives and, where applicable, within the parameters set by the consent obtained from participants. The responsibilities of this committee could include the review of data access requests; long-term management of the database; coordination of reviews by local REBs (e.g. by means of agreements between REBs, institutions and researchers, as appropriate); and provision of information to the public (e.g. on a web site).

How to navigate the document: Areas of special interest*

Areas of special interest Element #. section #. subsection # TCPS excerpts at end of element #
Type of project
Single research project 1.1, 9.1.1
Database created for long-term research use 1.2, 5.7, 9.1.2
Qualitative (e.g. inductive analysis) 1.4, 2.4, 4.3, 5.4, 8.4.1 Element #3
Genetics/Genomics 2.2, 3.5, 5.3, 6.3.3 Element #5, 8
Data collection (sources)
Individuals (legally competent) 2.2, 3.1, 4.1, 5.3.1, 5.5, 6.1.1, 6.2, 6.3 Element #5
Individuals not legally competent Element #3
Children Element #3
From individuals and secondary use or disclosure
3.2, 5.6
Communities 3.3.5, 5.3.2, 6.3.2
Secondary use or disclosure 2.3, 3.3, 6.1, 8.1 Element #2, 3, 5, 6
Data linkage 2-Summary guide (b), 8.2 Element #8
Real world case studies Appendix A-3
Examples of studies recruiting individuals or communities Appendix A-4 Table 1
Examples of databases with research potential, in diverse settings Appendix A-4 Table 2
Additional stewardship, oversight
Advisory committee on research priorities
1.3
Data stewardship committee 10.2.4
Legal requirements
Tables of concordance with privacy legislation Appendix A-7

 

* based on feedback during 2004 consultations on draft CIHR privacy best practice guidelines.

Introduction

CIHR's Mandate

The Canadian Institutes of Health Research (CIHR) is Canada's main federal funding agency for health research. CIHR's mandate is to invest in research that has the potential to lead to improved health3 for Canadians, more effective health services and products, and a strengthened Canadian health care system. CIHR-funded health research must also meet the highest standards of scientific excellence and ethics.

In the area of ethics, one of the key challenges for the health research community is to protect the privacy of individuals and the confidentiality of personal information, at a time of great change in research. For example, technological advances in information technology and the advance of genetic research are challenging existing standards and mechanisms for privacy protection. Also, the sheer number, diversity and complexity of new privacy laws and policies within and beyond Canada's borders are increasing the practical challenges faced by researchers, particularly for those conducting studies across jurisdictions. And, while there are increasing demands for privacy protection in health research, there is also clear recognition that health research plays a critical role in improving the health of Canadians and supporting an evidence-based health care system.

Goals

These Best Practices are intended to be innovative approaches to the challenge of protecting the privacy of individuals and the confidentiality of personal information in the context of health research. These Best Practices are meant to:

  • provide guidance for health researchers in the design and conduct of health research involving personal information;
  • be a resource for research ethics boards and institutions to consult when reviewing and evaluating health research involving personal information; and
  • through the uptake and application of these Best Practices in the development of privacy laws or policies across Canada, contribute toward a more coherent and harmonized framework for addressing privacy and confidentiality issues in health research.
Statement of values

These Best Practices primarily reflect the values articulated in two foundational documents: the Tri-Council Policy Statement: Ethical Conduct for Research involving Humans (TCPS), Canada's national ethics guidelines for research funded by the three main federal funding agencies, and internationally accepted fair information principles codified by the Canadian Standards Association.

Tri-Council Policy Statement (TCPS)

The Best Practices are firmly embedded in CIHR's ongoing commitment to support TCPS.4 Compliance with TCPS is mandatory for all research funded through the three main federal research funding agencies: Canadian Institutes of Health Research (formerly Medical Research Council of Canada), Natural Sciences and Engineering Research Council of Canada (NSERC) and Social Sciences and Humanities Research Council of Canada (SSHRC). Research ethics boards (REBs) also use the TCPS as guidance in the review of research funded through other sources.

The broad ethical framework of the TCPS is based on recognition of the need for and social value of research, along with moral imperatives to respect human dignity, ethical guiding principles and the law.5 Ethical guiding principles for research include respect for privacy and confidentiality, among the following fundamental and interrelated ethical guiding principles in the TCPS:

Respect for human dignity
Respect for justice and inclusiveness
Respect for free and informed consent
Balancing harms and benefits
Respect for vulnerable persons
Respect for privacy and confidentiality
Minimizing harm
Maximizing benefit6

The TCPS acknowledges privacy as a fundamental value, and dignity and autonomy of individuals as the ethical basis of respect for the privacy of research subjects. These national research ethics guidelines also recognize that the right to privacy is not absolute and that compelling and specifically identified public interests may justify an infringement of that right, specifically the requirement to obtain consent before collecting, using or disclosing personal information.7

Fair information principles

These Best Practices are also grounded in internationally recognized fair information principles, which are at the heart of Canadian privacy legislation and form the basis of the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information.8 These ten core principles are:

  1. Accountability - An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
  2. Identifying Purposes -The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
  3. Consent - The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
  4. Limiting Collection - The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
  5. Limiting Use, Disclosure, and Retention - Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
  6. Accuracy - Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
  7. Safeguards - Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
  8. Openness - An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
  9. Individual Access - Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
  10. Challenging Compliance - An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

The CSA Code was not designed specifically for the research context. Thus, these Best Practices are intended to provide guidance on the application of these fair information principles to health research.

Scope of application Voluntary guidance in the Canadian context

These Best Practices are intended as voluntary guidance for the health research community in Canada. They are based on and are consistent with the TCPS, and they are designed to assist in the interpretation of the TCPS by offering additional detail and practicality. In turn, as these Best Practices evolve in light of practice, they have the potential to inform the ongoing development of the TCPS and relevant laws and policy.

Applicable legislation and policy

These Privacy Best Practices do not replace existing laws, policies and professional codes of conduct that apply to certain types of personal information, designated organizations and/or specific kinds of activity. Researchers, REBs and institutions should be aware of, and continue to comply with, the relevant laws, policies and codes, including the TCPS, that govern research activities in their respective jurisdictions. In the case of multi-centre research crossing provincial, territorial or even national borders, several privacy laws and policies may have to be considered and complied with.

To help health researchers, REBs and others navigate the sea of privacy laws and policies, a series of tables are included in the Appendix highlighting existing requirements relating to privacy in selected legislation.

Health research

Consistent with CIHR's mandate, these Privacy Best Practices are intended to be a resource primarily for the health research community, and are relevant to health research that requires ethics review under the TCPS.9

Health research is interdependent on a range of knowledge-generating activities that are generally perceived to be outside the boundaries of research, but which are related to the improvement of health and health services. These "non-research" activities, such as public health surveillance, health service management, and program quality assurance and improvement, are beyond the manageable scope of the present document. In the future, however, these Best Practices could potentially serve as models for best practices in these related areas, with the necessary adaptations.

Personal information

These Best Practices cover identifiable personal information. Identifiable personal information may contain a direct link to a specific individual (e.g. name and street address, personal health number, etc.) or any element or a combination of elements that allows indirect identification of an individual (e.g. if birth date combined with postal code and other personal information on the record such as ethnicity could lead to the identification of an individual).

The TCPS definition of identifiable personal information covers a wide range of personal information that may be used in the conduct of research.10 For example, health researchers may need information about such things as a person's clinical history and use of health care services, but also about broad determinants of health, such as a person's education, employment, and income level.

The scope of personal information covered in these Privacy Best Practices includes personal information derived from blood and other human biological materials (e.g. information such as blood type, DNA code and the presence or absence of disease), but not the materials themselves. The privacy issues related to the banking, storage and use of those biological materials are beyond the scope of this document.

Commitment to continuous learning and review

These Privacy Best Practices are expected to evolve over time in response to changes in the circumstances of research and as new best practices emerge. One of the valuable ways in which researchers, REBs and institutions can assist the evolution of this document is by bringing to the attention of the CIHR Ethics Office lessons learned through the application of these Best Practices and suggesting areas for further development.

Emailed feedback can be sent to the CIHR Ethics Office at ethics-ethique@cihr-irsc.gc.ca.

Privacy Best Practices: 10 Elements

How to read these elements

These Best Practices are organized into a series of elements that should be considered in the design, conduct and evaluation of health research to address privacy and confidentiality concerns. These elements are not meant to represent a step-by-step process, since many of the elements are interdependent.

As noted in the Introduction, the TCPS and the laws of Canada are the minimum standard for protecting privacy and confidentiality in health research. To indicate the links between these Best Practices and the TCPS, and as another vehicle for promoting wider knowledge of that national Policy Statement, excerpts from TCPS are provided at the end of most Element sections. These are relatively short excerpts and do not include all text related to a particular topic. Readers are encouraged to use these excerpts merely as guides toward a more comprehensive review of the TCPS.11

In addition, concordance tables of selected privacy legislation are presented in the Appendix, organized by the corresponding Best Practice Element and by jurisdiction. These concordance tables are intended to supplement the Best Practices and should only be used as preliminary guidance. The application of the legal provisions in the tables to a particular research project must be determined in consultation with a legal advisor. In addition, any health professional belonging to a regulatory college has the responsibility of complying with that college's code of ethics.

In addition to the TCPS and applicable laws, CIHR-funded researchers conducting clinical trials intended for use in seeking regulatory approval for pharmaceuticals must review and be in compliance with the Food and Drug Regulations- Division 5 Drugs for clinical trials involving human subjects, the ICH12 Guidance E6: Good Clinical Practice: Consolidated Guideline (ICH GCP), and other Health Canada guidance.13

Please note the distinction made in these Elements between a "research participant" and "data subject". In the Best Practices, a research participant is an individual who consents to participation in research and who is the subject of personal data or information collected for research. A data subject is an individual who is the subject of personal data/information collected for research purposes, but who has not been directly approached to provide consent.

ELEMENT #1: Determining the research objectives and justifying the data needed to fulfill these objectives

General statement

At the outset of the research design process, and as thoroughly as possible given the proposed research method, researchers should:

  • identify and document research objectives and questions as a basis for determining what data will be needed;
  • anticipate and document research questions related to the primary research objective, which might become relevant after the initial data analyses; and
  • anticipate and document likely future uses of the data, including possible collaborations with other researchers or possible commercial uses.

1.1 Research study

For each research study, researchers should identify and document the specific research objectives and related research questions.

Researchers should also describe and justify the data needed to fulfill the research objectives and to answer any related research questions.

Example:

Research study: Impact of ethnic group membership and age on health

Study objectives: To examine and compare the health status, health care, and social involvement of distinct ethnic groups living in [region X of province Y], to inform policy development by community organizations and governments.

Research questions: (examples) What is the association between health status, experience of health care and ethnicity? What are the impacts of personal support networks and activity level on health status and perceived well-being?

Personal data needed and justification:
Initials: To assist in checking for duplicate records, using a combination of initials and demographic data.

Demographics (date of birth, gender, ethnicity...): Needed to make between-group comparisons on health variables by ethnicity, and between- and within-group comparisons by other demographic variables.

Physical health and sense of well-being/Use of health services: Needed to investigate and compare health status and perceived health status by health care-related knowledge, behaviours, attitudes and use.

Meaning of health and of aging: Needed to explore the meanings of health and illness and the cultural context of aging in the ethnic community.

Family and friends/Social activities: Needed to investigate the impact of family structure and interaction and environmental factors on measures of health and well-being.

1.2 Creation of a database for general research purposes

Define the scope and purpose of the database in a way that will be meaningful for REBs and any prospective research participants, even if the boundaries are at a relatively general level.

Even though all of the research studies that may use data from this database cannot be anticipated or explained in detail at the time the database is being created, try to describe the types of studies that could be undertaken.

In addition to the scope and purpose, describe what the database will not be used for. This is an opportunity to be as open and transparent as possible about the proposed research, and to reassure research participants and REBs that although future research purposes are not specified in detail, data management, storage and use will occur within a defined framework, including review and approval by an REB.

Describe the general types of personal data that are necessary for these general research objectives (e.g. diagnoses, risk factors, outcomes). Include data that are expected to be collected over the lifespan of the database, particularly if there will be multiple data collection periods per participant, or data that will be requested from secondary sources. Be as specific as possible.

Example:

Research database on disease X

Research objectives:

  1. Compiling statistics on population trends in disease X and in its risk factors.
  2. Conducting health and epidemiological research to improve screening and treatment programs for disease X.

Types of research questions (examples):

  1. What is the association between disease X and risk factors such as diet, tobacco use, physical activity level, education, income or gender?
  2. What is the risk of developing disease X after exposure to environmental risk factors, such as pollutants in the area of residence?
  3. What is the cost-effectiveness and efficacy of screening programs for disease X?
Types of personal data to be collected over multiple collection periods Research justification
Name, address, telephone number Contact information to follow-up with participants for further data collection
Demographic information Assess other variables by demographics of the population
Family history Disease X is known to have an inherited basis
Diet, reproductive factors, physical activity, anthropometric measures, education, income, gender Assess risk factors for disease X
Medical conditions, medication use Assess impact of other existing conditions on disease X and effectiveness of medications.

Limits on data uses (examples):
Access to data will be restricted to academic and health researchers with a primary purpose of public (non-commercial) benefit, for the purpose of research on disease X or related conditions. The database will be managed by an independent data stewardship committee14 to ensure that the confidentiality of the information is maintained and access is controlled, consistent with the consents obtained from participants. Any future use of the data for new purposes will require approval by an REB.

1.3 Advisory committee for defining the scope and strategic priorities of the research

If appropriate, setting up an advisory committee drawn from the scientific community, other relevant areas (such as ethics, policy, or information technology) and those affected by the condition or health event under study, can assist in defining the scope and strategic priorities for a research project in the context of both short and long-term initiatives.

Data stewardship tasks could be addressed by this advisory committee or by another body, as described in Element #10, 10.4.

Example:

Multi-year family-centered study on childhood condition X

Research objectives

  1. Track and assess the factors that facilitate or hinder the development of family-centered provincial services for children with condition X and their family members.
  2. Provide guidance to community organizations and provincial governments.
  3. Validate questionnaire and interview methods for creating individualized family service plans.
  4. Assess long term effectiveness and adverse effects of standard and emerging treatments for Condition X.

Setting the scope of research

  • Initial partnership between the research team and Provincial Ministry of Children's Services results in agreement on key objectives.
  • A Local Advisory Committee is established to assist in setting out the scope and strategic priorities for the research program, to review research progress, to facilitate the achievement of study objectives, and to assist with the dissemination of results; with representatives from the Ministry, provincial clinic for childhood condition X, two community advocacy groups for persons with condition X, and parent representatives.
  • A National Project Advisory Committee with representation from provinces actively interested in this initiative meets annually to advance services to young children with condition X, and to plan and disseminate research findings.

1.4 Qualitative research using inductive data collection and analysis

It is important to recognize that all potential relevant and useful research questions cannot always be foreseen at the outset of a research project. For example, researchers using inductive methods of research may discover an "emergent" research approach through encounters with and in collaboration with research participants. In such research, the development of research questions and procedures is an ongoing process. For example, open-ended interviewing often goes down avenues not anticipated leading to new questions and new approaches.

The wide range of methods in inductive approaches makes it difficult to document detailed and specific strategies for protection of privacy. Therefore, while planning their research, researchers should attempt to foresee both obvious and emerging issues related to privacy. These should be included in the submission to a research ethics board.

Researchers should also document for a research ethics board any amendments to the protocol and consequent privacy protection strategies emerging over the course of the study. For relatively junior researchers, mentorship can be especially helpful for ensuring adherence to REB requirements.

LINK TO TRI-COUNCIL POLICY STATEMENT:

[Informing prospective participants of purposes]

Article 2.4 "... researchers or their qualified designated representatives shall provide prospective subjects with the following: ... (b) ..."A comprehensible statement of the research purpose..." (pg. 2.5)

[Informing REBs of purposes]

Article 3.2 "...researchers shall secure REB approval for obtaining identifiable personal information about subjects. Approval for such research shall include such considerations as: (a) The type of data to be collected; (b) The purpose for which the data will be used;..." (pg. 3.3)

ELEMENT #2: Limiting the collection of personal data

General statement

Researchers should plan to collect personal data only as necessary for the research. The amount of personal information collected and the level of identifiability and sensitivity of this information should be restricted to what is necessary to achieve the research objectives.15

2.1. Personal data: Identifiability and sensitivity

2.1.1 Identifiability

Limiting data identifiability means minimizing as much as possible, the collection of:

  • direct identifiers (e.g. name, street address) and
  • other data items that could potentially be used to identify an individual.

Data identifiability can be characterized as being on a continuum, in which the division between degrees of "identifiability" are not always clear-cut. Even a dataset without direct identifiers may present a risk of indirectly identifying data subjects if the dataset contains sufficient information about the individuals concerned.

For example, data items that may increase the likelihood of an individual's identity being inadvertently revealed include:

  • geographic location (e.g. location of residence, location of health event),
  • named facilities and service providers,
  • dates (e.g. date of an automobile accident),
  • uncommon characteristics of the individual (e.g. a rare health condition or occupation), or
  • highly visible characteristics of the individual (e.g. ethnicity in certain locales).

These types of data items, if needed for the research, should be collected at a minimum level of detail consistent with the research objectives.

2.1.2 Sensitivity

The sensitivity of personal data is related to the potential for harm or stigma that might attach to the identification of an individual because of the nature of the information.16 The type of information that an individual may consider sensitive could relate to:

  • sexual attitudes, practices and orientation;
  • use of alcohol, drugs, or other addictive substances;
  • illegal activities;
  • suicide; sexual abuse;
  • sexual harassment;
  • an individual's psychological well-being or mental health;
  • some types of genetic information (e.g. information that predicts future illness or disability and raises concerns around future employability or insurability); and
  • any other information that, if released, might lead to social stigmatization or discrimination.

Researchers should also be aware of information that communities may consider sensitive because, for example, of its potential to stigmatize a community.

2.2 Collection from individuals

2.2.1 Consider first whether individually identifiable data are needed, or whether non-identifiable data or aggregate data would serve the research objectives (e.g. data on individuals grouped by age or some other meaningful variable).

2.2.2 If identifiable data are needed to meet the research objectives, determine the minimum level of identifiability that will be needed.

Does the researcher need to do any or all of the following:

  • Contact the research participant for follow-up data collection?
  • Provide data, with consent, to a health care provider to ensure clinical monitoring of the participant?
  • Return individual results to the participant?
  • Conduct data linkage with a high degree of accuracy?

If yes, the researcher will likely propose the collection of direct identifiers.

If these are not requirements of the research, the researcher should not collect direct identifiers. However, other potentially identifying elements may be needed to answer the research questions and for other data management reasons, such as to check for duplicate records. The lowest level of identifiability of these other data items should be used, consistent with the research objectives.

Examples of reducing personal detail in specific data items collected:

Personal Details

Most Identifiable

Least identifiable

Subject name

  • Full name
  • Partial name
  • Initials
  • Code
  • Blank

Age

  • Birth day/month/year
  • Birth month/year
  • Birth year; Age at a time of data collection
  • Age range (e.g. 5 or 10-year age group)

Facilities and service providers

  • Name of institution/provider
  • Specific type of facility, provider (university hospital, family physician)
  • Generic class (hospital, medical doctor)

Location of residence

  • Street address
  • 6-character postal code (e.g. one side of a city street; average of 15 households)
  • first 3 characters of postal code/Forward Sortation Area (average of 7,000 households)
  • first character of postal code (province or region; e.g. A = Nfld/Lab.; J = Que. West; K = Eastern Ont.)

Census area

  • Block (an area equivalent to a city block bounded by intersecting streets; the smallest geographic area for which population and dwelling counts are disseminated)
  • Census enumeration or dissemination area (small area composed of one or more neighbouring blcoks, used by Statistics Canada for distributing questionnaires to households and dwellings for the census collection)
  • Census subdivision (e.g. municipality, village)
  • Census agglomeration (urban core: min. 10,000 pop.)
  • Census metropolitan area (urgan core: min. 100,000 pop.)

2.3 Secondary use

2.3.1 As in 2.2.1, consider whether aggregate data on groups of individuals would serve the research objective. If not, consider whether non-identifiable data relating to individuals would serve the purpose.

2.3.2. Removal or coding of direct identifiers

If identifiable data are required for the research purpose, direct identifiers should be avoided or concealed to the extent that is reasonably practical (e.g. as soon as a data linkage has been completed). Data without direct identifiers can be:

  • coded to allow a trace-back to individuals, by means of:
    • single-coding (the researcher has the key to the code to link the research data back to direct identifiers, which are held separately); or
    • double-coding (an increased level of confidentiality protection over single coding because the data holder does not give the researcher the key to re-identify individuals); or
  • without a code, if the capacity to trace the research data or results back to individuals is not required for the research purpose.

Even if the direct identifiers in shared data have been removed or coded, consider how to minimize the collection or sharing of potentially identifying data elements.

2.4 Inductive data collection

For inductive data collection, for example where open-ended interview techniques are used, the extent of personal data to be collected may not always be foreseeable in detail at the outset of the interview. In these cases, the ongoing negotiation of consent with research participants is the best way to ensure that the privacy of individuals and the community is being appropriately protected.

Definition of terms: Individual identifiability of data

Levels of data identifiability by capacity to identity or re-identify individuals
In rank order from most to least identifiable

1) Directly identifiable: The data contains direct identifiers of an individual (e.g. name, address, health number).

2) Coded:

  1. Single coded: A participant's data are assigned a random code. Direct identifiers are removed from the dataset and held separately. The key linking the code back to direct identifiers is available only to a limited number (e.g. senior members) of the research team.
  2. Double or multiple coded: Two or more codes are assigned to the same participant's data held in different datasets (e.g. health administrative data, clinical data, genetic samples and data). The key connecting the codes back to participants' direct identifiers is held by a third party (such as the data holder) and is not available to the researchers.

3) Not directly identifiable and not coded: Direct identifiers were never collected or have been deleted, and there is no code linking the data back to the individual's identity.

4) Non-identifiable: Any element or combination of elements that allows direct or indirect identification of an individual was never collected or has been removed, although some elements may indirectly identify a group or region. There is no code linking the data back to the individual's identity.

Summary guide: Levels of data identifiability needed for research-related purposes

Research-related purposes

Specific examples

Data requested for these purposes when:

Collecting data directly from individuals:

Requesting data for secondary use:

a) Contact individuals Recruit individuals for a research project Direct identifiers Coded (Single coding is a more efficient mechanism for linking back to individuals than double-coding. Linking back becomes increasingly difficult for investigators who receive double or multiple-coded data, and therefore do not have the key to the code.)
Contact the participant for follow-up data collection
Provide data, with consent, to health care provider for clinical monitoring of the participant
Return individual results to the participant
b) Data linkage17 Conduct a data linkage with a high degree of accuracy Preferred: Direct identifiers (e.g. name and street address; or personal health number)18 Preferred: Data holder conducts linkage and provides to researcher the linked dataset without direct identifiers. Data to be provided at the lowest level of identifiability needed, consistent with the research objectives.
Conduct a data linkage with a measurable degree of accuracy sufficient for the particular research Direct identifiers or potentially identifying data items (e.g. date of birth, initials, 3-character or full postal code, gender, specific health data)
c) Data accuracy check Eliminate duplicate records Direct identifiers or potentially identifying data items Coded data so that the data holder (preferred) or researcher can use the key to check direct identifiers for duplication
d) No contact with individuals and no data linkage needed No direct identifiers need to be collected. No direct identifiers. Data to be provided at the lowest level of identifiability needed, consistent with the research objectives.

LINK TO TRI-COUNCIL POLICY STATEMENT:

[REB approval of type of data]

Article 3.2 "..researchers shall secure REB approval for obtaining identifiable personal information about subjects. Approval for such research shall include such considerations as: (a) the type of data to be collected..." (pg. 3.3)

[Secondary use of data]

Article 3.3 "If identifying information is involved, REB approval shall be sought for secondary uses of data. Researchers may gain access to identifying information if they have demonstrated to the satisfaction of the REB that: (a) identifying information is essential to the research..." (pg. 3.5)

Article 3.3 Explanatory text: "Databases can vary greatly in the degree to which personal information is identifiable. A proportionate approach should be applied by the REB to evaluate the sensitivity of the information in the database and to modulate its requirements accordingly. If it is impossible to identify individuals whose records exist within a database, then researchers should be allowed access to that database. The REB must carefully appraise the possibility of identification, in particular with regard to the extent of the harm of stigma that might be attached to identification. The REB and the researcher should also be aware of legal provisions that affect the database(s) to be used in the research.

REBs and researchers should also be sensitive to the context in which the database was created, such as a confidential relationship, as well as to the expectations of the groups or individuals at the time of the collection of the data with regard to its use, retention and disclosure. When it is unclear as to whether information is to be regarded as personal, researchers should consult their REBs. Confidential information collected in this manner should normally not be transmitted to authorities, unless required by law, the courts or similar legally constituted bodies." (pg. 3.5)

ELEMENT #3 : Determining whether consent from individuals is required

General statement

Voluntary and informed consent from legally competent individuals or authorized third parties is a fundamental principle in research involving humans, and specifically for the use of their personal data.19

Under specified circumstances, given a satisfactory rationale by the researcher, an REB may approve the waiver of a consent requirement, or a partial waiver of some elements of a consent requirement. According to TCPS Article 2.1(c), the REB must find and document that: "(i)The research involves no more than minimal risk20 to the subjects; (ii) The waiver or alteration is unlikely to adversely affect the rights and welfare of the subjects; (iii) The research could not practicably be carried out without the waiver or alteration; (iv) Whenever possible and appropriate, the subjects will be provided with additional pertinent information after participation; and (v) The waived or altered consent does not involve a therapeutic intervention."

In addition to REB approval, disclosure of personal data for research without consent will be subject to other specific legal requirements in relevant jurisdictions.21

3.1 Collection from individuals

The requirement for consent from participants applies to research involving:

  • Collection of personal (including genetic) information from persons (e.g. in face-to-face meetings, by mail, telephone or email).
  • Procedures to screen for, prevent or treat disease.
  • Medical examinations.
  • Clinical trials of new drugs or other health care products.22
3.2 Direct collection and secondary use (Hybrid model)

When a research objective requires the collection of personal information directly from individuals to whom the data belong and subsequent linking to other sources to form a combined file, consent should be sought for both types of data collection at the time of direct contact with prospective research participants.

If the secondary use involves identifying individuals eligible to be invited into a study, the procedures under Element #6 are applicable. As described in Element #6, the preferred practice is for a data holder to assess the eligibility of individuals for a particular research project (e.g. on the basis of criteria provided by the researcher). The data holder would then make the initial contact with individuals to seek their permission for disclosure of contact information to a researcher or to inform them as to how to contact a researcher. An REB will need to determine if consent is required for this secondary use of data and for the contacting of individuals.

3.3 Secondary use

When personal data are to be collected from sources other than the individuals to whom the data relate, consent should be obtained from those individuals unless an REB determines that a waiver of consent is appropriate in the specified circumstances. These circumstances should include that a waiver of the consent requirement is permitted by law.23

For secondary use of data for research, an REB should consider the factors set out in the following table in determining whether a research proposal meets the requirements for waiver of consent. These factors, and their description in the table, expand on TCPS Article 2.1(c)(i)- (iii).

Factors to consider in determining whether a research proposal meets the requirement for waiver of consent
Factor Explanation
3.3.1 Necessity of the personal data. Personal data, in the proposed amount and at the proposed level of identifiability and sensitivity, are necessary to fulfill the research objectives. (See Element #2)
3.3.2 Harm-benefit analysis, where (1) the risk of harm is minimal, and (2) potential benefits of the research to the public and individuals outweigh any potential harm to research participants or data subjects.

1) The research should present minimal risk of harm to individuals and, if appropriate, particular groups or communities. In assessing potential harm, REBs should consider:

  • the probability of harm (related to the identifiability of data24 and the adequacy of security measures)25, and
  • the magnitude of potential harm (related to the sensitivity of data),26 including potential:
    • physical injury;
    • emotional or psychological harm;
    • social harm (e.g. stigmatization);
    • financial harm (e.g. insurability, employability);
    • loss of trust;
    • harm from a perceived invasion of privacy, such as when a researcher has made secondary use of existing records with an REB waiver of the consent requirement, and then proposes to contact individuals for additional data collection; or
    • negative impact of the findings of the research.

2) Potential benefits of the research to individuals, groups, communities or the public outweigh potential harms. Where there is only minimal risk of harm, the REB need only ensure that there is public interest or other merit in the proposed research (e.g. as determined by a peer-review committee).27

3.3.3 A consent requirement being (1) inappropriate or (2) impracticable.28

1) Seeking consent from individuals may be considered inappropriate because:

  1. there is potential harm to individuals from direct contact where there is:
    1. a risk of inflicting psychological, social or other harm by contacting individuals or families with particular conditions (e.g. where making contact might reveal an individual's condition to others, against the individual's wishes; or research with minors, which would normally require parental consent, when the minors are street youth who have left home to escape abuse) or in certain circumstances (e.g. during a hospital emergency room visit); or
    2. a risk of creating additional threats to privacy by having to link otherwise usable coded data with identifiers in order to contact individuals to seek their consent; or
  2. contact with individuals is not permitted under a previous data-sharing agreement, law or policy.29

2) Seeking consent from individuals for the use of their personal data may be considered impracticable30 when there are difficulties in contacting or notifying individuals for reasons such as:

  • the size of the population being researched;
  • the proportion of prospective participants likely to have relocated or died since the time the personal information was originally collected; or
  • the lack of an existing or continuing relationship between prospective participants and the data holder who would need to contact them (e.g. a patient database that does not have a regular follow-up program to maintain a complete and accurate record of changes in registrants' contact information over time);

such that:

  1. there is a risk of introducing bias into the research because of the loss of data from segments of the population that cannot be contacted to seek their consent, thereby affecting the validity of results and/or defeating the purpose of the study; or
  2. the additional financial, material, human, organizational and other resources needed to obtain consent could impose a hardship or burden on the researchers or organization so burdensome that the research could not be done.
3.3.4 Expectations of individuals. In general, the expectations of a reasonable person in the circumstances should be taken into account (considering, for example, the nature of the research, the type of data to be collected and the context in which the data were originally collected). If individuals have previously objected to the secondary use of their data for research or to the use of their contact information, their directions should be respected.
3.3.5 Views of relevant groups.

Privacy concerns may extend beyond the individual to include well-defined groups or communities, e.g. remote communities and Aboriginal peoples.31 Also, genetic information about individuals is more than personal information-it may also be intimate information about those who share a common genetic lineage--family members, other relatives and, in some cases, well-defined communities.32

The REB may require that efforts be made to consult with family groups, Aboriginal peoples, community representatives, consumer associations, and/or special populations such as the homeless or under-housed, as appropriate, to address possible concerns of affected individuals and communities. These concerns may relate to the design and scope of the research, the recruitment of individuals, and the analysis and disseminations of results of research. This consultation process will be a high priority when dealing with controversial issues and/or individuals, groups or communities in vulnerable circumstances.

3.3.6 Legal requirements.

In addition to REB approval, access to personal data for research without consent will be subject to specific legal requirements in relevant jurisdictions. For example, some jurisdictions require some or all of the following:

  • a data-sharing agreement between the data holder and the researcher;33
  • notification and/or approval by other relevant oversight bodies;34 and/or
  • agreement that personal data will not be used to contact individuals.35
3.3.7 Openness: Informing the public. In the spirit of openness, the researcher should have an appropriate strategy for informing the general public about the research.36

LINK TO TRI-COUNCIL POLICY STATEMENT:

[Requirements for consent]

Article 2.1

"(a) Research governed by this Policy... may begin only if (1) prospective subjects, or authorized third parties, have been given the opportunity to give free and informed consent about participation...

(c) the REB may approve a consent procedure which does not include, or which alters, some of all of the elements of informed consent... or waive the requirement to obtain informed consent, provided that the REB finds and documents that: (i) The research involves no more than minimal risk to the subjects; (ii) The waiver or alteration is unlikely to adversely affect the rights and welfare of the subjects; (iii) The research could not practicably be carried out without the waiver or alteration; (iv) Whenever possible and appropriate, the subjects will be provided with additional pertinent information after participation; and (v) The waived or altered consent does not involve a therapeutic intervention." (pg. 2.1)

[Randomized clinical trials]

Article 2.1 "... (d) In studies including randomization and blinding in clinical trials, neither the research subjects nor those responsible for their care know which treatment the subjects are receiving before the project commences. Such research is not regarded as a waiver or alteration of the requirements for consent if subjects are informed of the probability of being randomly assigned to one arm of the study or another." (pg. 2.1)

[Naturalistic observation]

Article 2.3 "REB review is normally required for research involving naturalistic observation. However, research involving observation of participants in, for example, political rallies, demonstrations or public meetings should not require REB review since it can be expected that the participants are seeking public visibility." Explanatory text: "Naturalistic observation is used to study behaviour in a natural environment. Because knowledge of the research can be expected to infiuence behaviour, naturalistic observations generally implies that the subjects do not know that they are being observed, and hence cannot have given their free and informed consent...In considering research involving naturalistic observation, researchers and REBs should pay close attention to the ethical implications of such factors as: the nature of the activities to be observed; the environment in which the activities are to be observed (in particular, whether it is to be staged for the purposes of the research); and the means of recording the observations (in particular, if the records will allow subsequent identification of the subjects). Naturalistic observation that does not allow for the identification of the subjects, and that is not staged, should normally be regarded as of minimal risk..." (pg. 2.5)

[Legal competence]

"Competence refers to the ability of prospective subjects to give informed consent in accord with their own fundamental values. It involves the ability to understand the information presented, to appreciate the potential consequences of a decision, and to provide free and informed consent.It does not require prospective subjects to have the capacity to make every kind of decision. It requires that they be competent to make an informed decision about participation in particular research.The law on competence varies between jurisdictions. Researchers must comply with all applicable legislative requirements. Ethical consideration around research involving those who are not competent to give a free and informed consent on their own behalf must seek to balance (1) the vulnerability that arises from their incompetence with (2) the injustice that would arise from their exclusion from the benefits of research..." (pg. 2.9)

Article 2.5 "Subject to applicable legal requirements, individuals who are not legally competent shall be asked to become research subjects only when: (a) The research question can only be addressed using individuals within the identified group(s); and (b) Free and informed consent will be sought from their authorized representative(s); and (c) The research does not expose them to more than minimal risks without the potential for direct benefits for them." (pg 2.9)

Article 2.6 "For research involving incompetent individuals, the REB shall ensure that, as a minimum, the following conditions are met: (a) The researcher shall show that free and informed consent will be sought from the authorized third party, and how the subjects' best interests will be protected. (b) The authorized third party may not be the researcher or any other member of the research team. (c) The continued free and informed consent of an appropriately authorized third party will be required to continue the participation of a legally incompetent subject in research, so long as the subject remains incompetent. (d) When a subject who was entered into a research project through third-party authorization becomes competent during the project, his or her informed consent shall be sought as a condition of continuing participation." (pg. 2.10)

Article 2.7 "Where free and informed consent has been obtained from an authorized third party, and in those circumstances where the legally incompetent individual understands the nature and consequences of the research, the researcher shall seek to ascertain the wishes of the individual concerning participation. The potential subject's dissent will preclude his or her participation." (pg. 2.10)

[Research with children]

"..the notion of harm applied to children should be understood differently from harm in adults. Harm induced in children may have longer-term consequences to their growth and development. Furthermore, harms and benefits for children with chronic disabilities and terminal illnesses require special consideration. Every researcher working with child subjects must consider the possibility of the children suffering pain, anxiety or injury, and must develop and implement suitable precautions and ameliorating measures. Cumulative physical, moral, psychological and social consequences (relevant to pain, anxiety and injury) should be reviewed by REBs when assessing the probability, magnitude and character of any harmful impact the research may have on the child." (pg 2.10)

[Secondary use of data]

Article 3.3 "If identifying information is involved, REB approval shall be sought for secondary uses of data. Researchers may gain access to identifying information if they have demonstrated to the satisfaction of the REB that: (a) identifying information is essential to the research;(b) They will take appropriate measures to protect the privacy of the individuals, to ensure the confidentiality of the data, and to minimize harms to subjects; and (c) Individuals to whom the data refer have not objected to secondary use." (pg. 3.5)

Article 3.4 "The REB may also require that a researcher's access to secondary use of data involving identifying information be dependent on (a) The informed consent of those who contributed data or of authorized third parties; or (b) An appropriate strategy for informing the subjects; or (c) Consultation with representatives of those who contributed data." (pg. 3.5)

ELEMENT #4: Managing and documenting consent

General statement

Consent is an ongoing process that begins upon first contact with prospective participants or authorized third parties, and ends only with the conclusion of their participation in the research or the use of their information. Participants should understand that their consent is voluntary, to be obtained without manipulation, undue influence or coercion, and can be withdrawn at any time.37

Evidence of initial and ongoing consent and the withdrawal of consent should be documented as appropriate for audit and legal purposes.

4.1 Forms of consent

4.1.1 Opt-in consent

The majority of research studies use an opt-in consent. Opting-in means that prior to the start of the research or data collection, informed individuals give clear indication that they voluntarily agree to participate in the research.

Opt-in consent can be indicated in writing (e.g. by signing a consent form), orally (e.g. in a face-to-face or telephone encounter with the researcher) or by conduct (e.g. by filling out and returning a questionnaire received by mail). Consent is only voluntary if it can be withdrawn at any time.38

4.1.2 Presumed consent with opt-out

Presumed consent with an opt-out mechanism should be used only when an REB considers prior opt-in consent to be inappropriate or impracticable.

A valid opt-out mechanism means that individuals have the opportunity at some time during the research or data collection process to give a clear indication (in writing or orally) that they do not want to be participants in the research or to have their data used in the research.

If individuals do not choose to opt-out of the research, their consent is presumed as long as they were given reasonable notice of the research and meaningful opportunity to opt-out.

Ranked forms of consent and associated conditions

Type of consent Specific forms of consent Required conditions for REB consideration
(i) Opt-in consent (preferred)

Ways of opting in:

  1. Written (preferred)
  2. Oral
  3. Conduct (e.g. returning a questionnaire)

All of the following:

  • Voluntary.
  • Informed.
  • Unambiguous.
  • Obtained before beginning the research.
  • Consent can be withdrawn at any time, with a clear understanding of what that means, for example:
    • no further collection of additional data;
    • no further analyses using the already collected data; or,
    • removal of data from the database to the extent possible (Note: Non-identifiable data will be impossible to isolate and retrieve).
  • The process of consent to be documented by the researcher.
(ii) Presumed consent, with opt-out mechanism

Consent is presumed unless the person opts out

Ways of opting out:

  1. Written (preferred)
  2. Oral

All of the following:

  • Voluntary.
  • Informed (e.g. through notices, brochures, letters, media announcements):
    • of the research
    • of the opportunity to opt-out
    • of the means of opting out.
  • Accessible means for opting out.
  • Opt-out may be done at any time before or during the research, with a clear understanding of what opting out means, for example:
    • no further collection of additional data; or
    • no further analyses using the already collected data; or,
    • removal of data from the database to the extent possible (Note: Non-identifiable data will be impossible to isolate and retrieve).
  • The process of opting-out to be documented by the researcher.

4.2 Documenting consent

4.2.1 Written documentation signed by the research participant (preferred)

Whenever appropriate and practicable, a written documentation of opting-in or opting-out of research is preferred. This should be documented using a consent form or refusal statement signed by the individual.

4.2.2 Oral consent documented by the researcher

Where oral consent is obtained for telephone interviews, where written documentation is culturally unacceptable, or where there are good reasons for not recording opt-in or opt-out in writing using a form that the participant signs, an oral procedure should be managed and documented, indicating that the opt-in or opt-out was conducted orally.

4.2.3 Documented consent and collection of data without direct personal identifiers

Collection of data without direct personal identifiers may be necessary or proposed when the research deals with highly sensitive conditions or activities. In such circumstances, consent should be documented but the identity of research participants should not be linkable to their data or to results of analyses.

Example: Oral consent and non-identifiable data and results

Disease X prevalence study among women undergoing abortion in City Y. Before undergoing therapeutic abortions, women must necessarily have a blood test.

Women who were scheduled for therapeutic abortions were approached in a hospital clinic about their willingness to participate in the study on Disease X. Those who gave oral consent to participate in this study agreed to fill out questionnaires (without providing their names) about certain risk factors for disease X, and to permit the testing of leftover blood from the blood test for the presence of disease X.

For each participant, the computer generated a specific scrambled code linking the blood sample for the disease test and the answers to the questionnaire. Once the results of the disease tests were linked to the corresponding questionnaire, the computer-generated code was removed. In this way, it was not possible to identify the research participants, even if one had used the same computer program to try to retrace the scrambled codes.

The linked information for each person was thus non-identifiable so that the researchers could look at risk factors and determine the incidence of disease X but could not identify any of the research participants.

Example: Documented consent and non-identifiable data and results

From a study on workplace injuries in nursing and laboratory staff

...The study questionnaire had no name or code number on it and participants were asked not to write their name on it. The cover letter from the researcher asked participants to fill out the questionnaire, put it in the provided envelope and return it through internal [staff] mail. The letter also asked participants to then sign a response card that had their name on it, put it in a separate envelope that was also provided and deposit it into slotted drop boxes located in each work area.

The researcher did not need to know the names of persons who had responded; it was the content of the responses that was of interest. The only identifying information required was on the response card in order to allow the researcher to send targeted reminder letters to those persons who had still not responded. In addition, general reminders to return the questionnaires were also posted in designated work areas in an effort to increase response rates.

To minimize the risk of linking questionnaire responses with the names provided on the response cards, the researcher picked up the cards regularly throughout the week and the questionnaires only once every week or two. Furthermore, no data were entered until the end of data collection to reduce the possibility of identifying late respondents. With this method, the researcher could not identify who had filled out each questionnaire, but she would know from the response cards who on the list had or had not returned a questionnaire.

In this study sensitive information could be revealed about those staff who had suffered an injury at work but who had not reported it, contrary to mandatory hospital reporting policies. Some respondents may not have reported injuries because they did not want to appear careless; others may have wished to avoid the fairly lengthy follow-up procedures required of persons with certain injuries. The researchers had anticipated that this might be the case and understood that this information would be considered quite sensitive. It was for this reason that the survey was conducted with no ability to link the data collected to individuals' identities.

4.3 Qualitative research

Participants in qualitative studies are especially vulnerable to unintended identification. For example, in quoting interviewees, biographical details may be revealed that make protecting identities difficult. Deleting all possible identifiers may rob the quote of its impact and research value. Changing names and places is not a guarantee that individuals' identities will be concealed.

Therefore, paying attention to the trust relationship between researcher and participant, and obtaining ongoing consent, are very important in qualitative research. Constant sensitivity to participants' behaviour and reactions during data collection is essential. Unsolicited and unanticipated disclosures of information by participants can easily fall outside the original consent agreement.

As the interaction between a researcher and participants progresses, there may be situations where the researcher will need to recognize that participants should be given the opportunity to reiterate their consent, to withdraw from the research, or to withdraw their particular comments.39 Thus, obtaining informed consent should be an ongoing negotiation.

4.4 Documenting non-participation or withdrawal of consent

The researcher may need information on who does not want to participate in research or who withdraws from research, for example to:

  • document who is not to be included in follow-up research activities; and/or
  • take into consideration relevant characteristics of the population not included in the study, when reporting possible bias in research results.

In these circumstances, researchers may obtain information about non-participants or those withdrawing consent only with:

  • individuals' consent or
  • the approval of an REB to waive the consent requirement in the particular circumstances.40

LINK TO TRI-COUNCIL POLICY STATEMENT:

[Voluntary consent: No manipulation, undue influuence or coercion]

Article 2.2 "Free and informed consent must be voluntarily given, without manipulation, undue influence or coercion". Explanatory text: "...Undue infiuence may take the form of inducement, deprivation or the exercise of control, or authority over prospective subjects. Voluntariness is especially relevant in research involving restricted or dependent subjects, and is absent if consent is secured by the order of authorities or as a result of coercion or manipulation..REBS should also pay particular attention to the elements of trust and dependency, for example, within doctor/patient or professor/student relationships, because these can constitute undue infiuence on the patient to participate in research projects, especially those involving residents in long-term care facilities or psychiatric institutions..." (pg. 2.4)

Article 2.4 "... researchers or their qualified designated representatives shall provide prospective subjects with the following:.. (d) An assurance that prospective subjects are free not to participate, have the right to withdraw at any time without prejudice to pre-existing entitlements, and will be given continuing and meaningful opportunities for deciding whether to continue to participate.." Explanatory text:"..Articles 2.2 and 2.4(d) help to ensure that a prospective subject's choice to participate is voluntary. Pre-existing entitlement to care, education and other services shall not be prejudiced by the decision on whether to participate. Accordingly, a physician should ensure that continued clinical care is not linked to research participation, and teachers should not recruit prospective subjects from their classes, or students under their supervision, without REB approval. Nothing in this Section should be interpreted as meaning that normal classroom assessments of course work require REB approval..." (pg. 2.6)

[Evidence of consent]

Article 2.1 "...(b) Evidence of free and informed consent by the subject or authorized third party should ordinarily be obtained in writing. Where written consent is culturally unacceptable, or where there are good reasons for not recording consent in writing, the procedures used to seek free and informed consent shall be documented..." Explanatory text: "Free and informed consent... encompasses a process that begins with the initial contact and carries through to the end of the involvement of research subjects in the project. As used in this Policy, the process of free and informed consent refers to the dialogue, information sharing and general process through which prospective subjects choose to participate in research that involves themselves. " (pg. 2.1)

[Written and oral documentation]

Article 2.1 Explanatory text: "Article 2.1 (b) states the preference for written evidence of free and informed consent. The article acknowledges that written consent is not always appropriate. For most people in our society, a signed statement is the normal evidence of consent. However, for some groups or individuals, a verbal agreement, perhaps with a handshake, is evidence of trust, and a request for a signature may imply distrust. Nonetheless, in most cases a written statement of the information conveyed in the consent process, signed or not, should be left with the subject. In some types of research, oral consent may be preferable. In others, written consent is mandatory. Where oral consent is appropriate, the researcher may wish to make a contemporaneous journal entry of the event and circumstances. These and like elements may sometimes need to be refined in concert with the REB, which plays an essential education and consultative role in the process of seeking free and informed consent. When in doubt about an issue involving free and informed consent, researchers should consult their REB." (pg. 2.2)

[Witness of signatures]

Article 2.4 Explanatory Text: "In some circumstances, having a witness to the signatures on the consent form may be felt to be appropriate. In law, the role of a witness is only to attest that the person actually signed the form; a witness is not responsible for certifying such factors as the signature being obtained under defined conditions or that the signers were competent. However, a court might subsequently seek the opinions of the witness on such issues". (pg. 2.8)

[Time allocation]

Article 2.4 Explanatory Text: "Rushing the process of free and informed consent or treating it as a perfunctory routine violates the principles of respect for persons, and may cause difficulty for potential subjects. The time required for the process of free and informed consent can be expected to depend on such factors as the magnitude and probability of harms, the setting where the information is given (e.g. hospital or home) and the subject's situation (e.g., level of anxiety, maturity or seriousness of disease)." (pg. 2.8)

[Translating materials]

Article 2.1 Explanatory text: "The requirement for free and informed consent should not disqualify research subjects who are not proficient in the language used by the researchers from the opportunity to participate in potential research. Such individuals may give consent provided that one or more of the following are observed to the extent deemed necessary by the REB, in the context of a proportionate approach to the harms envisaged in the research and the consent processes that are to be used: An intermediate not involved in the research study, who is competent in the language used by the researchers as well as that chosen by the research subject, is involved in the consent process; The intermediary has translated the consent document or approved an existing translation of the information relevant to the prospective subject; The intermediary has assisted the research subject in the discussion of the research study; The research subject has acknowledged, in his or her own language, that he or she understands the research study, and the nature and extent of his or her participation, including the risks involved, and freely gives consent..." (pg. 2.2.)

ELEMENT #5: Informing prospective research participants about the research

General statement

Researchers should provide to prospective participants or to authorized third parties disclosure of all information relevant to voluntary and informed consent.

As part of the consent process, the researcher or other appropriate person (depending on the approved recruitment procedure) should explain such things as the nature of the research, what information will be collected and how it will be used in this study and possible future studies, as well as the risks and benefits of the research, so that they can make an informed decision about whether they wish to participate.

Researchers must ensure that prospective participants are given adequate opportunities to ask questions, discuss their concerns and consider their participation.41

5.1 Understandable language

Information should be communicated to prospective participants in plain language, in oral and/or written form, so that it is easily understood.42

5.2 Reasonable time allocation

The amount of time taken to communicate information to prospective participants should be appropriate to the need, and should be neither excessive nor too brief. For example, the information could be layered, so that participants are given a one-page summary, a short consent form with headings corresponding to core elements (e.g. requirements of participation, right to refuse and withdraw), and more detailed information in an appendix. Participants should also be informed about how to obtain more details if desired (e.g. via a web site or a toll-free telephone number).

5.3 Communicating results back to research participants

5.3.1 Informing research participants about results specifically relating to themselves

During the consent process, the researcher should determine whether the participant wishes to be informed of any meaningful research results that specifically relate to them.43 Also, there should be agreement on how any results relating to the participant will be communicated to the participant (e.g. whether the information will be provided first to a genetic counsellor or a health care provider).

5.3.2 Informing populations of general results and potential negative impacts

The results of research should be made public to contribute towards better understanding of the health issue under investigation. Researchers, particularly those in the areas of health services, population and public health, and genetics or genomic research, who study whole populations, should strive to communicate with the relevant population and governmental authorities regarding results that are pertinent to the improvement of health and/or the prevention of disease. Where appropriate, researchers, in collaboration with the population concerned, should facilitate the development and the implementation of a follow-up plan in response to the research findings.44

The population studied should be made aware of possible socio-economic discrimination or group stigmatization as a result of the research results, for example, due to perceptions of genetic risks. In the context of genetic research, the population should also be informed of the means taken to minimize the risks. To avoid misleading or unrealistic expectations, the researchers should make known the limitations of the research results and of their practical or potential application.45

5.4 Qualitative research

Researchers using qualitative methods may consider involving participants in the writing and reporting process, depending on the circumstances. For example, during the process of informing prospective research participants about the research, it may be appropriate:

  • to provide participants with the opportunity to look at transcripts and to delete or footnote what they consider to be inaccurate or sensitive information (known as member-checking);
  • to ask participants if they wish to be publicly acknowledged in articles coming from the research; or
  • to invite community leaders or representatives to help interpret the findings to their constituencies.

5.5 Providing information about privacy to prospective research participants

The following categories of information relating to privacy matters should be included in the information provided to prospective research participants:

Basic information Explanation
1) Research objectives46 and procedure
  • Specific research objectives and related questions.
2) Data types and uses47
  • Types of data to be collected and why.
  • Any planned or foreseeable commercial uses of the data.
  • If appropriate, a statement indicating whether test results are for research purposes only or if they can serve other non-research purposes (e.g. clinical care).
3) Voluntary basis for participation48
  • Voluntary basis for participation, and ongoing meaningful opportunities to decide whether to continue.
  • Withdrawal, without any negative effect on a person's reasonable expectations of rights and benefits, being possible at any time (but be clear that data which have already been made non-identifiable cannot be retrieved and destroyed).
  • Option of contacting other family members to ask their willingness to be contacted by the researcher (e.g. in genetic research, participants should make first contact with related family members).
  • Circumstances under which the researcher may terminate the participant's involvement in the research (e.g. in clinical drug trials).
4) Risks, benefits, compensation
  • Possible risks or discomforts to the research participant (including physical, emotional and psychological impacts, or privacy intrusion).
  • Benefits of the research in general and, if relevant, the benefits to the individual participant.
  • Any compensation offered to participants should not constitute an undue influence to agree to participate.49
5) Confidentiality and safeguards50
  • Protection of data confidentiality (e.g. affirmation that genetic data will not be given to third parties)
  • General description of security measures (e.g. coding of data,51 locked storage).
6) Data access and legal disclosure requirements52
  • Who will have access to the data and for what purposes (include any legal requirements, such as mandatory public health reporting of certain diseases or obligation to produce evidence on court order; access required for scientific integrity such as auditing or verification of data; and any plans to archive or destroy the data).
7) Reporting of results53
  • Explanation of the conditions, if any, under which personal results are to be reported back (e.g. results of genetic testing should normally be reported back to the participant through a physician and with provision of genetic counseling; conditions for informing implicated family members of research results should be clearly stated).
  • A clear statement, if relevant, of conditions under which results will not be given to the participant (e.g. exploratory research for which results are not clinically meaningful or community-based research where results are applicable only to the community).
  • Explanation of the impossibility for researchers to trace results from non-identifiable data back to individuals.
8) Data retention54
  • Time period that data will be retained (e.g. provide a specified time period or, if for an extended/indefinite period, provide a specified time for REB review).
9) Inquiries and complaints55
  • Who is available to answer questions about the research.
  • Who to contact about the ethics of the research.
  • Who to complain to about the research.
  • Who to contact if the participant decides to withdraw consent.

5.6 Collection from individuals and secondary use (Hybrid model)

For a hybrid project involving the direct collection of data from individuals and secondary use of data from other sources, the prospective research participant should also be informed of:

  • all expected types and sources of personal data to be accessed and used;
  • any expected linkages; and
  • the expected purposes for which data will be used (e.g. health survey data to be collected and linked, with consent, to health records to investigate health care use in the population).

5.7 Creation of a database for general research purposes

5.7.1 Information to be provided at time of collection

When personal data are to be entered into a database for multiple research uses over an extended period, research participants should also be informed, at the time of collection, of the following:

Basic information Explanation
1) Expected types of studies
  • The type of studies that might be conducted, with possible examples (e.g. research on cardio-vascular disease).
2) Expected data types and purposes
  • The types of data to be collected from all sources including data linkages, and for what research purposes.
3) Expected commercial uses
  • Any anticipated commercial uses.
4) Data retention period
  • For how long the data will be retained (if for an extended/indefinite period, provide a specified time for REB review).
5) The process for overseeing the use and security of data
  • The process being implemented to ensure proper data stewardship and data security, including:
    • the main rules governing future uses of the database;
    • the process by which requests for data access will be reviewed and monitored; and
    • the organization or persons to whom the researcher is accountable for the proper management of the data.
6) Authorization for future uses, with or without re-contact
  • Options for the participant to control future uses of personal data in the database. These options should include the opportunity to withdraw consent (and any identifying information) in the future, and may also include the options:
    • To be re-contacted on a regular (or as needed basis) to seek consent for new research uses of the data, if desired and practicable; and/or
    • To not be re-contacted, but to authorize the researchers to use the data only in certain ways in the future, for example:
      • only for certain research purposes (to be determined with the participant during the consent process);
      • only for the original broad purposes for establishing the database;
      • for any purposes as long as a research ethics board has approved the proposed research;
      • at what level of identifiability (e.g. with or without direct identifiers, coded, or in non-identifiable form):56 and
      • with or without linkages to other data sources (e.g. with controls over what can be linked, and who can access the linked data).

Example: Informing participants and presenting options for control of new uses of data

The invitation to participate in the study is made by a dedicated nurse coordinator employed by, and accountable to, the participating hospital. The nurse coordinator arranges, at a convenient time for the patient (and his/her family), to explain the study and seek the patient's consent to participate. Patients can refuse or can agree to any or all of the following:

  • Access to their current hospitalization records by the nurse coordinator to collect information relevant to their condition, for future research uses.
  • A follow-up telephone call by the nurse coordinator 6 months after the onset of their health event to determine longer-term changes in their functional ability-this survey information is also intended for inclusion in the registry for future research purposes.
  • Linkage of their data in the study database, with administrative files from the provincial Ministry of Health, and other sources such as laboratory and physician records, in order to collect information about physician and laboratory services, subsequent hospitalizations, and causes of death. The linked data will be used for research on the use of health care services and effects on health for patients with condition X; and
  • Use of their non-identifiable records in future analyses performed at the independent not-for-profit research organization based in City Y. The results of these analyses are to be released in aggregate form to third-party private companies seeking to improve services and products related to condition X.

5.7.2 Promotion of openness and accountability57

5.7.2 Promotion of openness and accountability

 

Researchers should endeavour to keep participants informed of future data uses through continuing means (e.g. web site information), as part of an ongoing commitment to openness and to the maintenance of informed consent.

LINK TO TRI-COUNCIL POLICY STATEMENT:

[Information to be provided to research participants]

Article 2.4 "Researchers shall provide, to prospective subjects or authorized third parties, full and frank disclosure of all information relevant to free and informed consent. Throughout the process of free and informed consent, the researchers must ensure that prospective subjects are given adequate opportunities to discuss and contemplate their participation. Subject to the exception in Article 2.1 (c), at the commencement of the process of free and informed consent, researchers or their qualified designated representatives shall provide prospective subjects with the following:

(a) Information that the individual is being invited to participate in a research project;

(b) A comprehensible statement of the research purpose, the identity of the researcher, the expected duration and nature of participation, and a description of research procedures;

(c) A comprehensive description of reasonably foreseeable harms and benefits that may arisefrom research participation, as well as the likely consequences of non-action, particularly in research related to treatment, or where invasive methodologies are involved, or where there is a potential for physical or psychological harm;

(d) An assurance that prospective subjects are free not to participate, have the right to withdrawat any time without prejudice to pre-existing entitlements, and will be given continuing and meaningful opportunities for deciding whether to continue to participate; and

(e) The possibility of commercialization of research findings, and the presence of any apparent oractual or potential conflict of interest on the part of researchers, their institutions or sponsors." (pg. 2.5, 2.6)

"..REBs may require researchers to provide prospective subjects with additional information, such as that detailed in Table 1..." (pg. 2.6)

"Table 1: Additional Information that may be required for some projects

  1. An assurance that new information will be provided to the subjects in a timely manner whenever such information is relevant to a subject's decision to continue or withdraw from participation;
  2. The identity of the qualified designated representative who can explain scientific or scholarly aspects of the research;
  3. Information on the appropriate resources outside the research team to contact regarding possible ethical issues in the research;
  4. An indication of who will have access to information collected on the identity of subjects, description of how confidentiality will be protected, and anticipated uses of data;
  5. An explanation of the subject's responsibilities;
  6. Information on the circumstances under which the researcher may terminate the subject's participation in the research;
  7. Information on any costs, payments, reimbursement for expenses or compensation for injury;
  8. In the case of randomized trials, the probability of assignment to each option;
  9. For research on biomedical procedures, including health care interventions: information about
    (a) forgoing alternative procedures that might be advantageous to the subject; (b) whichaspects of the research involve the use of procedures that are not generally recognized or accepted; and (c) particularly in trials of therapeutic interventions, the care provided if the potential subject decides not to consent to participation in the study;
  10. The ways in which the research results will be published, and how the subjects will be informed of the results of the research." (pg. 2.7)

[Genetic counseling]

Article 8.4 "Genetics researchers and the REB shall ensure that the research protocol makes provision for access to genetic counseling for the subjects, where appropriate." Explanatory note: "Genetic counselors who are formally trained to impart genetic information have two main roles in dealing with a family: The first is to educate regarding the condition in question, and the second is to counsel by presenting options or possible action scenarios in a non-directive manner. The complexity of genetic information along with its social implications usually requires that free and informed consent be supplemented with genetic counseling." (pg. 8.4)

[Conditions for less than full disclosure]

Article 2.1 Explanatory text: "... the REB should exercise judgment on whether the needs for research justify limited and/or temporary exception to the general requirements for full disclosure of information relevant for a research subject's meaningful exercise of free and informed consent. In such cases, subjects may be given only partial information or they may be temporarily led to believe that the research has some other purpose because full disclosure would likely colour the responses of the subjects and thus invalidate the research. For example, social science research that critically probes the inner workings of publicly accountable institutions might never be conducted without limited recourse to partial disclosure. Also some research in psychology seeks to learn about human responses to situations that have been created experimentally. Such research can only be carried out if the subjects do not know in advance about the true purpose of the research...Another scenario, in questionnaire research, embeds questions that are central to the researcher's hypotheses within distractor questions, decreasing the likelihood that subjects will adapt their responses to their perceptions of the true objective of the research. For such techniques to fall within the exception to the general requirements of full disclosure for free and informed consent, the research must meet the requirements of Article 2.1 (c)..." (pg. 2.2- 2.3)

[Secondary uses]

Article 3.2 Explanatory text: "It is essential that subsequent uses of data be specified in sufficient detail that prospective subjects may give free and informed consent; it is inappropriate to seek blanket permission for "research in general". (pg. 3.4)

ELEMENT #6: Recruiting prospective research participants

General statement

To recruit research participants, the researcher will typically need to complete the following steps, each of which involves the researcher or another more appropriate person having access to personal information:

Step A: Assess eligibility criteria for the research and assemble a list of eligible individuals.
Step B: Establish initial contact with eligible individuals.
Step C: Inform eligible individuals about the research, as part of the informed consent process.

The proposed recruitment procedure and materials should be included in the submission for REB approval.

The procedure and materials should foster conditions for voluntary consent, and not exert undue influence on prospective participants to agree to take part in the research.58

Initial contact with individuals about a research project should be made by someone that individuals would expect to have relevant information about them, or in other ways that do not inappropriately intrude on their life or privacy.

If permitted by law59 and subject to REB approval, the data holder who would normally have access to the required personal information is the preferred person to access that information to assess eligibility of individuals for the research (Step A) and to make initial contact with those individuals (Step B), unless the REB considers this approach to be impracticable or inappropriate.

Typical scenarios for recruiting participants and preferred approaches are described under 6.3.

6.1 Consent and secondary use of personal information to assess eligibility and contact individuals

The REB will need to determine if consent from individuals is required for the secondary use of their personal information for assembling a list of eligible individuals for research or contacting these individuals to seek their consent for participation.60 Researchers and REBs should be aware of any legal restrictions on contacting individuals in these circumstances.61

6.1.1 Anticipating future uses of personal information at the time of the original collection

Wherever possible at the time of the original collection of personal information from individuals, the researcher and/or data custodian should anticipate the future uses of this information to assemble eligibility lists for research or to contact eligible individuals, and should seek consent for these future uses at that time.

For example, patients could be asked at the time of the original collection of their personal information whether they consent to the health care provider reviewing their records and contacting them to inform them of research for which they are eligible. If such a prior opt-in consent procedure is not a practicable option, a health care provider could inform patients through notices that their personal information may be reviewed from time to time for recruitment purposes, and that they have the opportunity to opt-out. If patients do not opt-out, their consent for the use of their personal information to assess their eligibility for research or to contact them about the research project would be presumed.

6.2 Initial contacting and informing prospective participants

6.2.1 Trust vs. undue influence

Recruitment raises complex issues around who is the appropriate person to make initial contact and inform eligible individuals about the research. On the one hand, individuals may feel more comfortable if approached by a data holder, such as a clinic physician or nurse, whom they trust and accept as having access to their personal information. On the other hand, individuals may be unduly influenced to agree to participate in research if approached by someone on whom they are dependent, for example, their employer, health provider, community leader or program director.

In some cases, someone who has a relationship of some influence over prospective research participants may be the preferred person to contact individuals and inform them of the research where this is considered the best way to ensure that prospective research participants fully understand the risks and the benefits of the research to themselves. For example, a health care provider or professional (who may or may not be involved in the research) may be the preferred person to contact individuals and inform them about the research because of a relationship of medical confidence, special expertise and/or in-depth knowledge of the patients' situations. It is critical in such cases that the participants are reassured that their reasonable expectations of care will be met whether or not they take part in the research.62

6.2.2 Prior communication

Researchers should avoid situations where eligible individuals are not aware, prior to being contacted, of information about themselves that makes them eligible for participation in the research. For example, a health care provider may not yet have informed the patient of a diagnosis (e.g. cancer) that is in the patient health record and that is used to determine eligibility. The researcher should confirm with the data holder that individuals have been informed of relevant health-related information before initiating contact.

6.3 Selected scenarios and preferred recruitment practices

Index to recruitment scenarios

6.3.1 Scenario: * Eligible research participants are in a city telephone directory.
6.3.2 Scenario: * A research team proposes to recruit research participants from members of an Aboriginal community.
6.3.3 Scenario: *A genetics researcher proposes to recruit the family members of research participants.
6.3.4 Scenarios: * The researcher has access to personal data from prior research studies. * The research unit of a hospital is proposing to conduct research on patients. * The researcher is the health care provider of eligible individuals.
6.3.5 Scenario: * The researcher is external to the data-holding organization, and is submitting a proposal to conduct research on patients, employees or students of the organization.
6.3.6 Scenario: * A clinician-researcher at a health care facility wants to conduct research on patients being treated by another physician in the same facility. * An academic wants to conduct research on students in his or her university department or program, but not in a class that he or she is currently teaching.

6.3.1 Scenario: * Eligible research participants are in a city telephone directory.

When eligibility information and the means of notifying individuals about the research are publicly available, the researcher should normally be able to make the initial contact without needing an intermediary.

6.3.2 Scenario: * A research team proposes to recruit research participants from members of an Aboriginal community.

As a general rule, researchers planning to work in a community should make contact with and inform community leaders and groups relevant to their research, prior to initiating the recruitment or informed consent process with members of that community.

For many Aboriginal communities and groups, approval by local authorities may be required prior to beginning the recruitment of research participants.63

6.3.3 Scenario: * A genetics researcher proposes to recruit the family members of research participants.

For the purpose of recruiting relatives for genetic or genomic research, there should be no direct contact between the researcher and the family members of the initial research participant. In order to respect the privacy of the participant and his family, only the participant or his/her spouse or a designated family member should contact other family members to ask their willingness to be approached by the researcher. The principal researcher (or a member of the research team) should not directly contact the family.64

6.3.4 Scenarios: * The researcher has access to personal data from prior research studies. * The research unit of a hospital is proposing to conduct research on patients. * The researcher is the health care provider of eligible individuals.

In these scenarios, the researcher is the data holder or is employed by the data holder. If permitted by law65 and subject to REB approval, the data holder may assess the eligibility of individuals for the research.

 

The data holder should have rules nevertheless to limit the number of people permitted access to data for this purpose.66

 

Preferred options for contacting individuals will depend on whether the REB considers that the researcher/data holder has undue influence over prospective research participants (see the Options table).

Options for contacting individuals according to whether the researcher/data holder has influence over prospective research participants

Option Contacting prospective research participants
A) If the researcher/data holder is not in a position of undue influence. If the researcher/data holder is not in a position of undue influence over prospective participants with regard to the research, the researcher should make the initial contact and inform prospective participants about the research, if permitted by law and subject to REB approval.
B) If the researcher/data holder is in a position of undue influence.

In some cases, the researcher/data holder is considered to potentially be in a position of undue influence over eligible individuals with regard to the research or there is a potential conflict of interest. For example, an REB may decide that patients who will be recruited for a clinical trial being conducted by their health care provider may not understand the difference between the research treatment and the standard treatment provided at the health centre.

In such cases, initial contact with prospective research participants should be made by neutral means, so that there is no undue influence exerted on individuals to participate. For example, a neutral person on the research team or in the data holder's agency who is not in a position of authority over prospective research participants, could contact eligible individuals. Alternatively, it may be possible to make initial contact with eligible individuals by advertising in newspapers or in public locations, and then having a neutral member of the research team or staff provide further information to interested individuals.

 

6.3.5 Scenario: * The researcher is external to the data-holding organization, and is submitting a proposal to conduct research on patients, employees or students of the organization.

In this scenario, the researcher is not the data holder, and does not have undue influence over prospective research participants. If permitted by law,67 the preferred recruitment approach is for the data holder to assess eligibility for research and to make initial contact with eligible individuals, unless the REB considers that the preferred approach is impracticable or inappropriate (see the ranked Options table).

Ranked options for assessing eligibility and contacting prospective participants, when the researcher is not the data holder and does not have undue influence

Option Assessing eligibility and contacting prospective research participants
A) The data holder assesses eligibility and makes initial contact. (Preferred) If permitted by law and subject to REB approval, the data holder should determine eligibility of individuals for the research on the basis of criteria provided by the researcher. The data holder should make the initial contact to: (i) inform eligible individuals about the research so that they can contact the researcher, if interested, or (ii) to seek consent from individuals to release their nominal information to the researcher who will contact them to inform them about the research.
B) If the REB considers option A impracticable or inappropriate, the REB may permit the researcher to access minimal personal information for assessing eligibility and/or making contact with eligible individuals, if permitted by law and under strict controls (e.g. access restricted to data holder's site).

In some cases, the preferred option above may be considered impracticable or inappropriate. For example, the preferred option may be impracticable if:

  • the data holder does not, despite funding from the researcher, have the resources to assess eligibility and make initial contact, and therefore the research could not proceed unless an alternative recruitment procedure is used; or
  • the data holder does not have an ongoing relationship with eligible individuals to make contact (e.g. as may the case for a registrar of a population records database, or a government agency holding health insurance registration and billing information).

The preferred option may be considered inappropriate where the data holder has undue influence over eligible individuals; professional or other legal requirements makes the data custodian's involvement in the recruitment process inappropriate; or the data holder's contacting of eligible individuals would defeat the purpose of the research.68

When the preferred option is impracticable or inappropriate, an REB may consider whether a researcher should be permitted access to minimal personal data only for the purposes of determining eligibility for the research or contacting individuals to invite them to join the study69. If it is legally permissible and the REB gives approval, the researcher may be given access to personal information with appropriate confidentiality protections such as a signed confidentiality agreement with access restricted to the data holder's site, and use limited to the stated purpose.

Minimal personal data provided to the researcher should normally contain only contact information and no other personal information related to health status. However, if health-related data are inherent in the eligibility criteria used to assemble the list of individuals to be contacted, an REB may determine that camouflage sampling or other masking techniques should be used to enable researchers to contact individuals while preventing researchers from viewing any identifiable health-related information of eligible individuals prior to gaining consent.70

Option A: Examples of recruitment methods:
Health professional society makes contact with members
Prospective research participants are members of a health professional society. The Society mails out a letter (drafted by the researcher) to its members, which explains how to contact the researcher to learn more about the research.

 

Health professionals assess eligibility and make contact
Given the criteria provided by the researchers, pharmacists are automatically notified by a computer flag in a centralized database, at the time of filling a prescription, of any patient eligible for the research study (e.g. receiving a certain number of concurrent medications). This automatic flag of eligible individuals for the study is visible only to pharmacists in participating pharmacies. Once the eligible persons are identified, the pharmacists seek consent from these individuals to release their contact information to the researcher.

 

Option B: Examples of recruitment methods:
Researcher assesses eligibility and makes initial contact for data holder
Hospital administrators do not have the personnel necessary to search through files in order to identify potentially eligible research participants according to selection criteria provided by the researcher, or to establish prior contact with these individuals on behalf of the researcher. Therefore, with the approval of the REB and a signed undertaking of confidentiality by the researcher, hospital administrators provide the researcher with the names of staff, their work location and full or part-time status, in the form of a computer file. The researcher then uses the computer file to exclude staff that do not fit the eligibility criteria and to select a random sample of eligible staff. Senior hospital staff explain the study in general terms to their staff members and inform them that the researcher will be writing in the near future to individuals eligible to be included in the study. Senior staff emphasize that participation is on a purely voluntary basis. Accordingly, the researcher sends letters of invitation to participate in the research only to eligible staff members.

 

Data holder assesses eligibility and provides camouflaged list to researcher to make initial contact
The study is approved by the REB and the privacy branch of the Ministry of Health. Ministry of Health staff produces a "camouflaged" list of patient names for the researchers, containing scrambled personal health numbers of patients potentially affected by a new health care policy with scrambled numbers of a random sample of patients who are not affected by the policy. When the scrambled numbers are unscrambled and converted to names, addresses and telephone numbers by the Ministry of Health's Client Registry, the health status of each patient remains unknown to the researchers and to the Ministry of Health staff. The addition of persons not affected by the health condition prevents the researchers from knowing who is affected and who is not; only those who respond are identified. In order to be most effective, camouflaging should aim to protect the privacy of targeted patients, while limiting the total number of patients who need to be contacted.

 

6.3.6 Scenario: * A clinician/researcher at a health care facility wants to conduct research on patients being treated by another physician in the same facility. * An academic wants to conduct research on students in his or her university department or program, but not in a class that he or she is currently teaching.

In these scenarios, the researcher is not the data holder, but does potentially have undue influence over prospective participants with regard to the research.

 

Preferred approaches to assessing eligibility for research and contacting eligible individuals will depend on whether the REB considers the data holder to have undue influence over prospective research participants (see the Options table).

Options for assessing eligibility and making contact with individuals when the researcher has undue influence over prospective individuals

Option Assessing eligibility and contacting individuals
A) If the data holder is not in a position of undue influence. If the data holder is not in a position of undue influence over prospective research participants, the REB may permit the data holder to assess eligibility and make the initial contact with these individuals, if the data holder is permitted to do so by law (see scenario 6.3.5, option A).
B) If the data holder is in a position of undue influence. If the data holder is considered by an REB to have undue influence on prospective participants, the researcher could make initial contact with eligible individuals by neutral means such as by putting up notices in public areas of the facility or institution with information on how to contact the research team, and a neutral member of the research team or staff could inform interested individuals about the research (see scenario 6.3.4, option B).

 

LINK TO TRI-COUNCIL POLICY STATEMENT:

[Secondary use of data for prospective collection]

Article 3.5 "Researchers who wish to contact individuals to whom data refer shall seek the authorization of the REB prior to contact." Explanatory text: "In certain cases, the research goal may only be achieved by follow-up contact and interviews with persons. It is evident that individuals or groups might be sensitive if they discover that research was conducted on their data without their knowledge; others may not want any further contact. This potential harm underlines the importance for researchers to make all efforts to allow subjects the right to consent that their data and private information be part of a study." (pg. 3.6)

ELEMENT #7: Safeguarding personal data

General statement

Institutions or organizations where research data are held have a responsibility to establish appropriate institutional security safeguards. Data security safeguards should include organizational, technological and physical measures.71

Researchers should take a risk assessment and management approach to protecting research data from loss, corruption, theft or unauthorized disclosure, as appropriate for the sensitivity and identifiability of the data. Formal privacy impact assessments (PIAs) are required in some institutions and under legislation or policy in some jurisdictions.72

REBs should review and approve researchers' proposed measures for safeguarding any personal data to be collected.

The safeguards described in this Element are particularly relevant to research conducted within large institutions or other organizations. However, smaller scale projects should also demonstrate acceptable ways of protecting the confidentiality of data.

7.1 Threat-risk vulnerability assessment73

A vulnerability assessment assists researchers and institutions in determining an appropriate level of security for research data and the means by which the data should be received, used, stored, and managed. The following are the main steps in a vulnerability assessment:

Assessment Examples
a) Determine what assets need to be protected
  • Databases and files of personal and other confidential data
  • Database management software
  • Computer hardware, fax machines
b) Determine what to protect against
  • Five main classes of threats are: disclosure, interruption, modification, destruction and removal or loss
c) Assess the probability of the threat occurring
  • Low, medium or high
d) Assess the magnitude of the impact and consequences of the threat if it occurs
  • Loss of public trust
  • Harms to individuals (loss of privacy or trust; social stigmatization; social discrimination affecting financial, employment, insurance, or other status; loss of benefits)
  • Loss of data or equipment.
e) Assess existing safeguards and need for additional safeguards
  • Direct identifiers are separated from personal records as soon as reasonably practicable.
  • Highly identifiable and sensitive data are stored at the highest level of security, e.g. on stand-alone servers.
  • Pledge of confidentiality signed by all research staff.
f) Recommend the appropriate security safeguards to protect the assets from threats
  • See security measures proposed in 7.2 below
g) Update and regularly review these safeguards (at least annually)
  • Respond to changes in:
    • the internal technological environment (including improvements in security strategies),
    • the research project and the institution,
    • technologies available to threat agents and
    • the profile of potential threats.

7.2 Security measures

7.2.1 Organizational safeguards

  • There should be ongoing commitment to privacy and continued emphasis of its importance by all involved in the research and the institutional/organizational management.
  • All involved in the research project should be subject to a pledge of confidentiality.
  • Access to personal information should be strictly limited in terms of numbers of persons, for legitimate purposes, and strictly on a realistic need-to-know basis.
  • Data-sharing agreements between the researcher/institution and all involved should be signed prior to providing any access to data.
  • Consequences for breach of confidentiality, including dismissal and/or loss of institutional privileges, should be clearly stipulated.
  • Institutions and organizations housing research projects and archived data should, with ongoing commitment of adequate resources:
    • develop, monitor and enforce privacy and security policies and procedures;
    • appoint privacy officers and create data stewardship committees as needed; and
    • implement internal and external privacy reviews and audits.

7.2.2 Technological measures

  • Encryption, scrambling of data and other methods of reducing the identifiability of data should be used to eliminate unique profiles of potentially identifying information.
  • Direct identifiers should be removed or destroyed at the earliest possible opportunity.
  • If direct identifiers must be retained, they should be isolated on a separate dedicated server/network without external access.
  • Camouflage sampling74 or other techniques should be used, when appropriate, to prevent researchers from viewing health-related information of eligible individuals prior to gaining their consent.
  • Authentication measures (such as computer password protection, unique log-on identification, etc.) should be implemented to ensure only authorized personnel can access data.
  • Special protection for remote electronic access to data should be installed.
  • Virus-checking programs and disaster recovery safeguards such as regular back-ups should be implemented.
  • Where possible, a detailed audit trail monitoring system should be instituted to document the person, time, and nature of data access, with flags for aberrant use and "abort" algorithms to end questionable or inappropriate access.

7.2.3 Physical security

  • Computers and files that hold personal information should be housed in secure settings in rooms protected by such methods as combination lock doors or smart card door entry, with paper files stored in locked storage cabinets.
  • The number of locations in which personal information is stored should be minimized.
  • Architectural space should be designed to preclude public access to areas where sensitive data are held.
  • Routine surveillance should be conducted.
  • Physical security measures should be in place to protect data from hazards such as floods or fire.

LINK TO TRI-COUNCIL POLICY STATEMENT:

Article 3.2 Explanatory Text: "Researchers should ensure that the data obtained are stored with all the precautions appropriate to the sensitivity of the data. Accordingly, information that identifies individuals or groups should be kept in different databases with unique identifiers. Researchers should take reasonable measures to ensure against inadvertent identification of individuals or groups, and must address this issue to the satisfaction of the REB." (pg. 3.4)

ELEMENT #8: Controlling access and disclosure of personal data

General statement

Data sharing for research purposes - whether of linked or unlinked data sets - is an important way of enabling socially valuable research. It avoids unnecessary duplication of data collection, which reduces the burden on research participants and permits researchers to use limited or scarce resources more productively.

However, there should be strict limits on access to data and secure procedures for data linkage, subject to REB approval and data-sharing agreements.

When personal data are essential to research objectives and questions, researchers need a plan for making public the results of research in ways that do not permit tracing back to individuals if they do not wish their identities to be known.

8.1 Controlled levels of data access within research team and for secondary use

Researchers and institutions should protect against unauthorized disclosure and use of sensitive data or data subjects' identities, by controlling access to personal data.

Controlling access to data for research purposes means, under most circumstances, that:

  • sensitive and/or highly identifiable data are accessible to the minimum number of persons necessary on the research team on a need-to-know basis (e.g. for cleaning data, conducting data linkages, and verifying the accuracy of data matches);
  • team members have appropriate training in, and comply with, security safeguards;
  • access to coded data, or to data where the direct identifiers are removed but potentially identifying elements remain in the dataset, may be permitted for researchers outside the research team only under strictly controlled conditions described in a written agreement and following REB approval; and
  • non-identifiable data about individuals and aggregated data are made available to the general scientific community and for public use after appropriate scrutiny to minimize or avoid risks of inadvertent disclosure of individuals' identities.

Controlled access to personal data for research purposes

Access to: Who should be permitted access: (examples) Required safeguards to include:
Direct identifiers
  • Selected members of the research team
  • Selected institution employees
  • "Deemed employees" or trusted third parties, subject to the same undertaking of confidentiality as the data holder (e.g. institution employees)
  • REB review and approval
  • Review by institution data privacy committees where relevant
  • Access on need-to-know basis
  • Appropriate training
  • Undertaking of confidentiality by employees or research team
  • No direct access for researchers external to the research team, except for linkage purposes in exceptional circumstances (see 8.2)
  • Audit trails on access (where possible)
Not directly identifiable data (single or double coded; or without codes)
  • Research team
  • Collaborators at local sites of a multi-site study
  • External researchers, with limitations (see required safeguards).
  • REB-approved projects
  • Review by institution data privacy committees where relevant
  • Data-sharing agreement, including undertaking of confidentiality (see 8.3)
  • Disclosure of only enough data to answer the intended research question
Non-identifiable data in public use files (where data have been scrutinized and altered to protect against risks of inadvertent disclosure of individuals' identities).75
  • Scientific community
  • General public
  • Universities
  • There may be no restrictions on use, or there may be a basic form of data sharing agreement, requiring an undertaking, for example, to not attempt to re-identify the records so as to relate the information on the file to a particular person.76

8.2 Conducting data linkages

The most secure way of conducting data linkages requested by external researchers is for the data holder to conduct the linkage and provide linked datasets to the researcher without identifiers, and at the minimum level of identifiability required for the research purpose.77 If that is not practicable, a trusted third party may conduct the linkage or the researcher may conduct the linkage on the data holder's site. As a last option, a researcher may be permitted to conduct the linkage at a secure site but under strict controls, as specified in a data-sharing agreement.78

Ranked options for conducting data linkages

Who should conduct the linkage Conditions for REB consideration
A) Data holder (Preferred) The data holder performs the linkage(s) and subsequently removes all direct identifiers, or replaces direct identifiers with a code, prior to releasing the linked data set to the external researcher.

B) A trusted third party (e.g. a statistical agency) or

C) The researcher conducts the linkage on the data holder's site

When the original data holder does not have the technical capacity or resources to perform linkages in-house:

  • a trusted third party acting as an information manager may conduct the linkage off site; or
  • the researcher as a "deemed employee" (e.g. the Statistics Canada model) may conduct the linkage on the data holder's site.

The third party and the researchers should be bound by equivalent conditions of confidentiality and security as apply to the data holder and the data holder's employees.

D) The researcher conducts the linkage off site If Options A, B or C are demonstrably impracticable, the researcher may conduct the linkage in compliance with a data-sharing/confidentiality agreement with the data holder, setting out their respective and shared obligations, including restrictions on use and disclosure and appropriate security requirements (see 8.3 below). In this situation, any direct identifiers or other personal data not required to answer the research question should be destroyed or returned to the original data holder as soon as is practicable, and in compliance with the terms of the data-sharing agreement.

Following the linkage of datasets, the person doing the data linkage should reduce datasets to the lowest level of identifiability needed to accomplish the research objectives.

For example, direct identifiers (e.g. name or personal health number) or potentially identifying elements when combined (e.g. a full date of birth or full postal code) may be needed for data linkage but may not be needed to answer the research questions. In such cases, these identifiers should be destroyed as soon as is reasonably practicable or returned to the data holder, as per the terms of the data-sharing agreement.

Universities may have specified retention periods for research data. Researchers should either destroy the new linked dataset at the end of the specified period, or use enhanced security measures to store it as per the terms of the data-sharing agreement. Within some research or statistical agencies it may not be practicable to unlink datasets after each use. However these institutions should document a process to ensure that the linked datasets are used only for authorized purposes (e.g. for REB-approved projects).

8.3 Data-sharing agreements

Data-sharing agreements bind data providers and researchers to their respective responsibilities and obligations for protecting personal data.

Data-sharing agreements should set out the terms and conditions under which data providers will allow researchers to access personal data for research purposes.79

Data-sharing agreements typically include the following information related to privacy concerns:

Basic information Explanation
1) Research purposes80
  • A meaningful description of the research objectives and methods.
2) Data elements and uses81
  • A meaningful explanation of why the research objectives cannot reasonably be accomplished without access to these personal data.
  • Identification of data sources for the project and any linkages to be conducted.
  • A statement that the researcher will not use the data for any other purpose without prior authorization by the data provider.
3) Informed consent materials and form82
  • Copies of the explanatory material and consent form to be provided to prospective participants, if appropriate (see #4 below).
4) Contact83
  • Statement that the researcher will not attempt to contact data subjects without prior authorization by the data provider, if appropriate.
5) Data access and disclosure
  • A listing of who will have access to personal data within the research team or the institution, and a requirement that each of these individuals have signed an undertaking of confidentiality.
  • A statement that the researcher will not disclose the data to other parties without prior authorization by the data provider.
6) Reporting results
  • A requirement that results and data not be released in a form that identifies individuals to whom the information relates.
7) Security84
  • A description of the physical, organizational and technological security measures in place to safeguard against risks of unauthorized use, disclosure, corruption or destruction.
8) Retention/ destruction of data85
  • The time period for data retention and conditions for the return or the destruction of direct identifiers at the earliest reasonable time consistent with the research objectives.
  • The possibility for the data provider to authorize an extended retention period.
  • Statement that the researcher will not attempt to re-identify the data subjects without prior authorization by the data provider, if appropriate.
9) Required approvals/ authorizations86
  • The requirement to have obtained REB approval and other relevant authorizations.
  • The duration of the agreement or a date designated for the parties to review the agreement.
10) Compliance with laws and policies87
  • Obligation of recipients to comply with applicable laws and any of the data holder's policies and procedures relating to the confidentiality of personal information.
11) Accountability88
  • The data provider reserves the right to conduct on-site visits, to monitor or audit data use or to respond to allegations of breach.
  • If the conditions of the data-sharing agreement are breached, penalties should be imposed, such as no further data to be provided by the data holder to the researcher(s) in question; legal recourse against the researcher for breach of contract; referral of matters to federal or provincial oversight or regulatory bodies for investigation and possible sanctions, and/or a report of the researcher's conduct to the relevant REB and/or federal research sponsor, where relevant and applicable (for example, where a breach of the data-sharing agreement also amounts to a breach of the TCPS).89

8.4 Controls over disclosure in public reports of research findings

Appropriate measures should be taken to avoid or minimize the identifiability of data in publications or public databases. Statistics Canada guidance in this area is available online.90

8.4.1 Reporting qualitative research results when concealing individuals' identities is not desired

In assessing the privacy aspects of research, researchers and REBs should also be aware of the possibility that in some instances individuals may want their identities to be known-for example, when individuals want their contribution to research as participants to be recognized, or where they want to help others afflicted with a similar condition. In some qualitative research, individual participants may understand and willingly accept the possibility that their identities may be revealed in the public reporting of research results.

LINK TO TRI-COUNCIL POLICY STATEMENT:

[Disclosure controls]

"Data released should not contain names, initials or other identifying information. While it may be important to preserve certain types of identifiers (e.g., region of residence), these should be masked as much as possible using a standardized protocol before the data are released for research purposes. However, legitimate circumstances may exist where such information is critical for the research project..." (pg. 3.4)

[Human genetic research]

Article 8.2 "The researchers and the REB shall ensure that the results of genetic testing and genetic counseling records are protected from access by third parties, unless free and informed consent is given by the subject. Family information in databanks shall be coded so as to remove the possibility of identification of subjects within the bank itself." (pg. 8.2)

[Secondary uses]

Article 3.3, 3.4 - See Element #3

[Data linkage]

Article 3.6 "The implications of approved data linkage in which research subjects may be identifiable shall be approved by the REB." Explanatory note: "...Only a restricted number of individuals should perform the function of merging databases; researchers should either destroy the merged file immediately after use, or use enhanced security measures to store it. Whether the data are to be used statistically or otherwise, confidentiality of the information must be maintained by all members of the research team." (pg. 3.6)

ELEMENT #9: Setting reasonable limits on retention of personal data

General statement

Personal data should be retained as long as is necessary to fulfill the research purposes.91 Personal data may then be destroyed or returned to the data provider, if appropriate, as set out in the terms of the original collection, data-sharing agreement, institutional policies and legal requirements.

There is a tension between the privacy principle of limiting the retention of data and the scientific principle of preserving research data so that published research results can be replicated and verified, and opportunities for further investigation of valuable data are maximized. While this is a very complex area in need of further reflection and development, the default principle is to define retention periods for personal data, in writing. Researchers should be explicit about what they plan to do with the data they collect and have storage, management and access policies in place.

9.1 Retention of personal data

9.1.1 Specific research project

Where personal data are collected and used in the context of a specific research project, identifying personal data should be retained by the researcher as long as necessary to fulfill the original research objectives,92 including related purposes such as tracing, validating or auditing research results as may be required by regulators, study sponsors and/or publishers.93

9.1.2 Database for general health research purposes

When personal data are collected in a database to support general health research purposes in the future, personal data may be retained for the general purposes originally consented to, subject to security safeguards proportionate to the identifiability, sensitivity and amount of the data, as well as its format and method of storage.

Administrative databases such as hospital discharge records and vital statistics registries, which may be used to support health research, may retain personal data over the long term, provided that this is permitted according to legislation or the mandate of a public body such as a government health department.

Any long-term retention of personal data established for general health research purposes should be subject to periodic audits and effective oversight by independent third parties including REBs.

ELEMENT #10: Ensuring accountability and transparency in the management of personal data

General statement

Individuals and organizations engaged in health research involving personal data are accountable for the proper conduct of such research in accordance with applicable funding policies, privacy principles and/or legislation. Processes and practices must be clearly established and implemented in order to give meaningful effect to these policies, principles or laws. Proper accountability and transparency practices require adequate resources for such things as communication, education and training relating to privacy.

Roles and responsibilities of all those involved in the conduct and evaluation of research should be clearly defined and understood, including those of researchers, their employing institutions, REBs, any data stewardship committees, Privacy Commissioners and other legally-designated privacy oversight agencies. Their concerted efforts should aim to provide a coherent governance structure for effective and efficient data stewardship.94

10.1 Transparency

Recognizing that transparency may enhance public support for, and interest in, socially valuable research, individuals and organizations engaged in the conduct and evaluation of health research should:

  • be open to the public with respect to the objectives of the research;
  • be open about the policies and practices relating to the protection of personal data used in the research;
  • promote ongoing dialogue between the research community and privacy oversight agencies; and
  • promote ongoing dialogue between the research community and the community at large (the public).

10.2 Accountability

Key roles and responsibilities with respect to privacy concerns of those involved in designing, conducting and approving publicly-funded health research are outlined below.

10.2.1 Researchers (Principal investigator, researchers)

Privacy-related responsibilities include:

  • being aware of all applicable policies and laws in the jurisdictions in which the research is conducted and conducting their research in accordance with such requirements;
  • seeking REB and institutional approval and, where required or considered appropriate, the review or approval of other relevant legal privacy oversight bodies;
  • providing a mechanism to handle queries and complaints from participants about the privacy aspects of the research (e.g. REB contact information in the consent form); and
  • promoting openness and accountability through publicly available information which describes the purpose and conduct of the research project(s) and how privacy concerns are being managed.
10.2.2 Academic and other affiliated or hosting institutions

Privacy-related responsibilities include:

  • developing and applying institutional privacy policies and procedures for the conduct and review of research that meet, as a minimum, the requirements set out in the TCPS and other applicable funding policies and laws;
  • designating an individual who is accountable for the institution's compliance with those policies and procedures;
  • providing for the education and training of researchers and REB members on how to manage personal data in health research;
  • providing a mechanism for handling queries and complaints about the privacy and confidentiality aspects of research;
  • demonstrating impartial and accountable procedures to investigate allegations of individual non-compliance, with appropriate sanctions for non-compliance;
  • being open with the public about research supported by the institution; processes and practices for managing personal information; and procedures for receiving and handling complaints; and
  • fostering coordinated data stewardship and institutional review processes within and between institutions.
10.2.3 REBs

Privacy-related responsibilities include:

  • reviewing any proposed and ongoing research involving humans in accordance with the TCPS and its principles,95 as well as other applicable laws and policies, including:
    • the institution's own policies;
    • federal, provincial and territorial legislation; and
    • relevant laws, regulations, policies and/or research contexts of other countries, when research is to be conducted in those countries;
  • serving as a consultative body to the research community and thus contributing to education in research ethics;
  • fostering coordinated and consistent REB review processes, particularly with respect to multi-jurisdictional and multi-site research; and
  • undertaking regular monitoring of research and coordinating reviews of multi-centre research to ensure equivalencies in standards across jurisdictions, by conducting:
    • an annual review of the research (required under TCPS);
    • an audit of critical aspects of the research protocol including the consent process, safeguards and, where relevant, methods of reducing the identifiability of data prior to disclosure; and
    • other effective monitoring mechanisms, as appropriate.
10.2.4 Independent data stewardship committees

When a database is created for multiple research purposes, or across multiple sites or jurisdictions, researchers and institutional data holders should promote coordinated and streamlined approaches to data stewardship over the long term. A centralized data stewardship committee could be put in place to authorize future uses of the database in accordance with the research objectives, REB approval and, where applicable, within the parameters set by the consent obtained from participants.

The responsibilities of this advisory committee could include:

  • the review of data access requests;
  • long-term management of the database;
  • coordination of reviews by local REBs, for example, by means of agreements between REBs, institutions and researchers, as appropriate; and
  • provision of information to the public (e.g. on a web site).

The composition of the committee should include scientific experts in the field and representatives from the population being studied.

10.3 Legally-designated privacy oversight agencies

As specified in legislation, the responsibilities of privacy oversight agencies, such as the Office of the Privacy Commissioner or Ombudsman in each jurisdiction, may include all or any of the following:

  • monitoring and investigating compliance with legal requirements;
  • issuing findings and recommendations and/or adjudicating complaints from the public with regard to non-compliance;
  • initiating and/or participating in court action for breach of legal requirements for privacy protection;
  • conducting audits of organizations' information management practices;
  • reviewing privacy impact assessments for proposed research;
  • reviewing and/or approving the collection of personal information without consent;96
  • reporting publicly on matters of privacy compliance;
  • reviewing and providing comments or approvals on proposed laws or policies; and
  • promoting public education with respect to privacy issues.

LINK TO TRI-COUNCIL POLICY STATEMENT:

[Mandate of the three federal research granting agencies: CIHR, SSHRC and NSERC]

"The...Agencies have adopted this Policy as their standard of ethical conduct for research involving human subjects. As a condition of funding, the Agencies require, as a minimum, that researchers and their institutions apply the ethical principles and the articles of this policy." (pg. i.2)

Article 1.1 "(a) All research that involves living human subjects requires review and approval by an REB in accordance with their Policy Statement, before the research is started, except as stipulated.." (pg. 1.1)

[Review procedures for ongoing research]

Article 1.13 "(a) Ongoing research shall be subject to continuing ethics review. The rigour of the review should be in accordance with a proportionate approach to ethics assessment. (b) As part of each research proposal submitted for REB review, the researcher shall propose to the REB the continuing review process deemed appropriate for that project.(c) Normally, continuing review should consist of at least the submission of a succinct annual status report to the REB. The REB shall be promptly notified when the project concludes." (pg. 1.10)

"In accordance with the principle of proportionate review, research that exposes subjects to minimal risk or less requires only a minimal review process. The continuing review of research exceeding the threshold of minimal risk that is referred to in Article 1.13(b), in addition to annual review (Article 1.13 (c)) might include:

  • formal review of the process of free and informed consent
  • establishment of a safety monitoring committee
  • periodic review by a third party of the documents generated by the study
  • review of reports of adverse events
  • review of patients' charts or
  • a random audit of the process of free and informed consent.

Other models of a continuing ethics review may be designed by researchers and REBs to fit particular circumstances.

The process of a continuing ethics review should be understood as a collective responsibility, to be carried out with a common interest in maintaining the highest ethical and scientific standards. Research institutions should strive to educate researchers on the process of a continuing ethics review through workshops, seminars and other educational opportunities." (pg. 1.10- 1.11)

[Review of multi-centered research]

"Principles of institutional accountability require each local REB to be responsible for the ethical acceptability of research undertaken within its institution. However, in multi-centred research, when several REBs consider the same proposal from the perspectives of their respective institutions, they may reach different conclusions on one or more aspects of the proposed research. To facilitate coordination of ethics review, when submitting a proposal for multi-centered research, the researcher may wish to distinguish between core elements of the research-which cannot be altered without invalidating the pooling of data from the participating institutions-and those elements that can be altered to comply with local requirements without invalidating the research project. REBs may also wish to coordinate their review of multi-centred projects, and to communicate any concerns that they may have with other REBs reviewing the same project. The needed communication would be facilitated if the researcher provides information on the institutional REBs that will consider the project." (pg. 1.11)

[Equivalence level of protection in multi-jurisdictional research]

Article 1.14 "Research to be performed outside the jurisdiction or country of the institution that employs the researcher shall undergo prospective ethics review both (a) by the REB within the researcher's institution; and (b) by the REB, where such exists, with the legal responsibility and equivalent ethical and procedural safeguards in the country or jurisdiction where the research is to be done." (pg. 1.12)

LINK TO: Memorandum of Understanding on the Roles and Responsibilities in the Management of Federal Grants and Awards (MOU). Schedule 2- Ethics Review of Research Involving Humans.

1.0 Policy "The Agencies developed, approved and implemented a joint policy statement topromote the ethical conduct of research involving human subjects - the Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (TCPS). The Agencies will only fund researchers, Institutions or partnering organizations that comply with the ethical principles and articles of the TCPS. In addition CIHR will only fund human pluripotent stem cells research that adheres to its recently published guidelines.

In addition to the TCPS, the ethics review of research involving humans may, where appropriate, be subject to other legislation and policies, such as:

  • the Institution's own policy on research involving human subjects;
  • the Québec Civil Code;
  • provincial and federal legislation on privacy, con0dentiality, intellectual property, competence and other areas;
  • Canada Food and Drug Act and Regulations;
  • guidelines and policies of the Therapeutic Products Directorate of Health Canada;
  • relevant laws, regulations and/or policies of other countries, when research is to be conducted in those countries;
  • Good Clinical Practices: Consolidated Guidelines for clinical trials sponsored by industry, published by the International Conference on Harmonization.

Researchers, Institutions and research ethics boards (REBs) should be aware of all applicable policies, regulations and guidelines. In some cases, it may be necessary for Institutions to have recourse to speci0c expertise to identify legal and other issues in the ethics review process..."

Updates.


1 Privacy Advisory Committee members are listed in Appendix A-1.

2 Under section 301(d) of the U.S. Public Health Service Act (42 U.S.C. 241(d)) the Secretary of Health and Human Services may authorize persons engaged in biomedical, behavioral, clinical, or other research to protect the privacy of individuals who are the subjects of that research. This authority has been delegated to the National Institutes of Health (NIH) and other Health and Human Services Agencies. Certificates of Confidentiality may be granted for studies collecting information that, if disclosed, could have adverse consequences for research participants, such as damage to their financial standing, employability, insurability, or reputation. A Certificate allows the investigator and others who have access to research records to refuse to disclose identifying information on research participants in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level. See U.S. Office of Human Subject Protection- Guidance.

3 The World Health Organization defines "health" as "a state of complete physical, mental and social well-being and not merely the absence of disease or infirmity". From Preamble to the Constitution of the World Health Organization as adopted by the International Health Conference, New York, 19-22 June, 1946; signed on 22 July 1946 by the representatives of 61 States (Official Records of the World Health Organization, no. 2, p. 100) and entered into force on 7 April 1948).

4 The TCPS can be accessed on the Interagency Advisory Panel for Research Ethics website.

5 TCPS, pg. i.4.

6 TCPS, Context of an Ethics Framework, Section C, pg. i.5.

7 TCPS, Section 3- Privacy and Confidentiality, pg. 3.1.

8 The core principles and associated sub-principles of the CSA Model Code were incorporated into the Personal Information Protection and Electronic Documents Act (PIPEDA), Schedule 1, accessible on the Department of Justice website.

9 Research is defined in the TCPS as "a systematic investigation designed to develop or establish principles, facts or generalizable knowledge" (TCPS, pg. 1.1). The range of research requiring ethics review in the TCPS is listed in Appendix 1 (TCPS, pg. A.1).

10 "Identifiable personal information" is defined in TCPS as: "information relating to a reasonably identifiable person who has a reasonable expectation of privacy. It includes information about personal characteristics such as culture, age, religion and social status, as well as their life experiences and educational, medical or employment histories." TCPS, Section 3, pg. 3.2.

11 The current version of the TCPS and information about its further evolution are accessible on the Interagency Advisory Panel on Research Ethics (PRE) website.

12 International Conference on Harmonization of Technical Requirements of the Registration of Pharmaceuticals for Human Use.

13 These documents are accessible on the Health Canada Therapeutic Products Directorate website. The Food and Drug Regulations, ICH GCP and further Health Canada guidance documents cover such privacy-related topics as the roles of investigators, industry sponsors and ethics review committees; informed consent of trial subjects; information to be collected from subjects; information to be included in the study protocol; access to trial records and data for quality assurance purposes; and record retention periods. The ICH GCP is also referenced in the TCPS- Section 7- Clinical Trials, pg. 7.3.

14 A data stewardship committee could be established to oversee and authorize future uses of the database in accordance with the research objectives. This committee could also assist in coordinating reviews by local REBs, in the case of multi-site studies. See Element #10, 10.2.4.

15 See the table of concordance for Element #2 in Appendix A-7 referring to the statutory provisions regarding the general requirement to collect a limited amount of personal information.

16 See TCPS excerpt (Article 3.3, explanatory note) at the end of Element #2.

17 See also Element #8, 8.2.

18 See the legal concordance table for Element #2 in Appendix A-7 regarding the collection of health numbers under Ontario's health privacy legislation.

19 See TCPS excerpts at the end of Element #3 regarding the definition of "competence" in the research context. See also the legal concordance table for Element #4-Part 2, Consent by Substitute Decision Makers, in Appendix A-7.

20 For a definition of minimal risk, the TCPS states: "if potential subjects can reasonably be expected to regard the probability and magnitude of possible harms implied by participation in the research to be no greater that those encountered by the subject in those aspects of his or her everyday life that relate to the research then the research can be regarded as within the range of minimal risk" (TCPS Section 1, C1, pg. 1.5). For secondary use of information, the researcher must, among other conditions, have appropriate measures "to minimize harms to subjects" (TCPS Article 3.3 (b)).

21 See the legal concordance table for Element #3 in Appendix A-7.

22 As required under the Food and Drug Regulations-Clinical Trials and ICH GCP.

23 For conditions in privacy legislation under which a waiver of the consent requirement may be permitted see the legal concordance table for Element #3 in Appendix A-7.

24 See Element #2, 2.1.

25 The REB should review and approve the researcher's proposed measures for safeguarding personal data. See also Element #7, Element #8, and Element #10, 10.2.3.

26 See Element #2, 2.2.

27 Note that the TCPS (Article 1.5 and explanatory text) states that REBs are normally to avoid duplicating previous professional peer-review assessments of the scientific merit of a research proposal unless there is a good and specified reason to do so. REBs may have specific criteria, set out in legislation, to take into account in assessing the potential benefits of research proposing to use health sector data without consent (e.g. the requirements set out in Alberta's Health Information Act, referenced in the legal concordance table for Element #3, in Appendix A-7.)

28 See real world examples summarized in Appendix A-3, from CIHR Secondary Use of Personal Information in Health Research: Case Studies (November 2002).

29 For legal prohibitions against contacting individuals see the legal concordance table for Element #6 in Appendix A-7. For an example of prohibitions against contact in policy, see CIHR Secondary Use of Personal Information in Health Research: Case studies (November 2002), Case Study #10, in which researchers investigating cancer screening services were unable to institute a consent process in part because of an existing policy which prevented physicians (who were the data holders) from contacting patients.

30 These conditions are characteristic of much health services and population and public health research where whole populations (not specific individuals) are being studied.

31 See TCPS Chapter 6-Research Involving Aboriginal Peoples (under review).

32 See TCPS Article 8.1 for more on this topic.

33 See Element #8; and the legal concordance table for Element #8, Part 2, in Appendix A-7 for legal references to data-sharing agreements for research purposes.

34 As above.

35 See the legal concordance table for Element #6 in Appendix A-7 for statutory prohibitions to contacting individuals.

36 See also Element #10.

37 See table of concordance for Element#4, Part 1, in Appendix A-7 for statutory references to the general consent requirement. Part 2 of the concordance table sets out the statutory references to consent by substitute decision-makers.

38 Note that participants should understand what withdrawal of consent will mean to the use of their previously collected information, and that non-identifiable data cannot be retrieved and withdrawn from the database.

39 See Element #5, 5.4.

40 See Element #3.

41 See table of concordance for Element #5 in Appendix A-7 for cross-reference to statutory provisions regarding notice/information requirements.

42 According to the results of the international Adult Literacy and Life Skills Survey (2003), a joint project of the Government of Canada, the U.S. National Center for Education Statistics and the Organization for Economic Cooperation and Development, some 15% of Canadians, about one out of every seven, have problems dealing with printed materials and score at the lowest performance level in reading prose. From Statistics Canada, The Daily, Wednesday, May 11, 2005, Learning a Living: First Results of the Adult Literacy and Life Skills Survey, 2003 (89-603-XWE, free), available online.

43 When results of research tests are determined to be scientifically valid, have significant implications for the health of the participant, and prevention or treatment is available, these results should be communicated to the participant through his or her treating physician, unless the participant has chosen not to receive any results. In communicating results to the participant, particularly with respect to genetic research, the choices of each participant, the extent of available clinical services, the availability of counselling, and the implications for family members, should be taken into account (based on Quebec's Network of Applied Genetic Medicine (RMGA) Statement of Principles: Human Genome Research Version 2000, part IV Professionalism, part 3 Communication of Specific Results, pg. 12).

44 Based on Quebec Network of Applied Genetic Medicine (RMGA) Statement of Principles on the Ethical Conduct of Human Genetic Research Involving Populations (2002), Section 6, Communication of Research Results, pg. 3.

45 As above.

46 See also Element #1.

47 See also Element #2. We recognize that certain types of research may not be compatible with full disclosure of data to be collected, for example in some psychology research. This is an area that requires further reflection, and CIHR welcomes suggestions from those for whom these exceptions may apply.

48 See also Element #4.

49 TCPS states that " undue influence may take the form of inducement, deprivation or the exercise of control or authority over prospective subjects." (TCPS Article 2.2, pg. 2.4)

50 See also Element #7.

51 See Element #2, 2.3.2 and Box- Definition of terms.

52 See also Element #8.

53 See also Element #8.

54 See also Element #9.

55 See also Element #10.

56 See Box- Definition of terms: Individual Identifiability of Data, in Element #2.

57 See Element #10, 10.2.1

58 See also Element #4 regarding managing and documenting the consent process.

59 See the legal concordance table for Element #6 in Appendix A-7.

60 See Element #3 regarding determining if consent is required.

61 See the legal concordance table for Element #6 in Appendix A-7.

62 See also TCPS Article 4.1 and Section 4-A Conflicts of Interest Involving Researchers (pg. 4.1); TCPS Section 7-Clinical Trials; and TCPS Articles 7.1, 7.2 and explanatory text regarding recruitment and informed consent (pg. 7.2).

63 TCPS Section 6 (Research Involving Aboriginal Peoples) is currently under review, coordinated by the Interagency Advisory Panel on Research Ethics and including CIHR Aboriginal health research guidelines (in development). See also the articulation of First Nations' principles: Ownership, Control, Access and Possession (OCAP) or Self-determination Applied to Research [ PDF | Help ].

64 Based on Quebec Network of Applied Genetic Medicine (RMGA) Statement of Principles: Human Genome Research Version 2000- Section 3 (pg. 7).

65 Where this access would be a secondary use of data, see 6.1. The data holder's access to data for recruitment purposes must be in accordance with applicable legislation. See the legal concordance table for Element #6, Appendix A-7.

66 See also Element #8.

67 See the legal concordance table for Element #6, Appendix A-7.

68 For example, see Case Study #10 in CIHR's Secondary Use of Personal Information in Health Research: Case Studies, November 2002 in which initial contact by physicians of "hard-to-reach" patients would have confounded the results of the study which was investigating effective strategies for contacting patients. Also, because this study involved contacting patients about visiting their physicians for cancer screening services, physicians' involvement in the research was limited by a policy that existed at that time which prevented them from soliciting patients to come in for services.

69 The REB should weigh the benefits of the research and the potential for a perceived invasion of privacy and any legal prohibitions against researchers' contacting individuals. See Element #3, 3.3.2 (b). See also the legal concordance table for Element #6, in Appendix A-7.

70 See references to Camouflage techniques in the following: Scenario 6.3.5 (b); Element #7, 7.2.2 4th bullet; and the Glossary, Appendix A-6.

71 See the table of concordance for Element #7, Part 1, in Appendix A-7, for statutory references to general safeguarding obligations.

72 See the legal concordance table for Element #7, Part 2, in Appendix A-7.

73 Adapted from RCMP Security Information Publication 5, Guide to Threat and Risk Assessment for Information Technology [ PDF | Help ], November 1994.

74 See the Glossary in Appendix A-6 for the definition of Camouflaged Contacting.

75 For more information on disclosure control, refer to Statistics Canada Research Data Centres (RDCs) Guide for Researchers Under Agreement with Statistics Canada, July 2004.

76 See, for example, the data acquisition and use agreement for Statistics Canada public use microdata files under the Data Liberation Initiative.

77 The linked dataset may have direct identifiers removed or coded, or be made non-identifiable, depending on the needs of the research. See Element #2, 2.2.2, 2.3, and Summary Guide in that section.

78 Refer to table of concordance for Element #8, Part 1, in Appendix A-7, for statutory cross-references to data matching/linking provisions.

79 Refer to the table of concordance for Element #8, Part 2, in Appendix A-7, for statutory provisions for research data-sharing agreements.

80 See also Element #1.

81 See also Element #2.

82 See also Element #4 and #5.

83 See also Element #3 (3.3) and #6; and the legal concordance table for Element #6 in Appendix A-7 for restrictions on contact.

84 See also Element #7

85 See also Element #9.

86 See also Element #10.

87 See also Element #10.

88 See also Element #10.

89 For example, see CIHR's Procedure for Addressing Allegations of Non-compliance with Research Policies.

90 See Statistics Canada Quality Guidelines (4th Edition- Oct 2003), pg. 61-66, on line. Also, see Statistics Canada's Guide for Researchers under Agreement with Statistics Canada (May, 2002), Appendix 2- More on Disclosure and Disclosure Risk.

91 Note that under the Food and Drug Regulations- Division 5- C.05.012 (4) records for clinical trials must be retained for 25 years. Universities may have specified retention periods for research data.

92 See Element #1.

93 See the legal concordance table for Element #9 in Appendix A-7 for general obligations in privacy legislation with respect to retention of personal information.

94 See the table of concordance for Element #10, Part 1, in Appendix A-7, for general statutory accountability and transparency obligations as well as Part 2 for statutory references to research ethics boards.

95 The TCPS ethical framework includes a general principle that the more potentially invasive or harmful the research, particularly from the individual participants' perspective, the greater should be the REB's care in assessing the research. This is the concept of proportionate review.

96 See the legal concordance table for Element #3 in Appendix A-7, in particular Quebec privacy laws.