Government of Canada

TCPS 2 - Chapter 5

PRIVACY AND CONFIDENTIALITY

Introduction
A. Key Concepts
B. The Ethical Duty of Confidentiality
C. Safeguarding Information
D. Consent and Secondary Use of Identifiable Information for Research Purposes
E. Data Linkage

Introduction

There is widespread agreement about the interests of participants in protection of privacy, and the corresponding duties of researchers to treat personal information in a confidential manner. Indeed, the respect for privacy in research is an internationally recognized norm and ethical standard. Fundamental rights and freedoms in the Canadian Constitution have been interpreted by the courts to include privacy protections. Privacy rights are protected in federal and provincial/territorial legislation. Model voluntary codes [1] have also been adopted to govern access to, and the protection of, personal information. Some professional organizations have established codes that set out the conditions and obligations of their members regarding the collection, use and disclosure of personal information.

Privacy risks in research relate to the identifiability of participants, and the potential harms they, or groups to which they belong, may experience from the collection, use and disclosure of personal information. Privacy risks arise at all stages of the research life cycle, including initial collection of information, use and analysis to address research questions, dissemination of findings, storage and retention of information, and disposal of records or devices on which information is stored.

This Policy is based on a proportionate approach to the assessment of the ethical acceptability of research. Researchers and research ethics boards (REBs) are expected to identify and minimize privacy risks, keeping in mind that a matter that is not sensitive or embarrassing for the researcher may be so for the participant.

In addition to following the guidance provided in this Policy, researchers are responsible for compliance with all applicable legal and regulatory requirements with respect to protection of privacy, and consent for the collection, use or disclosure of information about participants. These requirements may vary by jurisdiction and, depending on who is funding or conducting the research, may include obligations under the Constitution (including the Canadian Charter of Rights and Freedoms), and federal or provincial privacy legislation, among other legal and regulatory requirements.

A. Key Concepts

Privacy

Privacy refers to an individual’s right to be free from intrusion or interference by others. It is a fundamental right in a free and democratic society. Individuals have privacy interests in relation to their bodies, personal information, expressed thoughts and opinions, personal communications with others, and spaces they occupy. Research affects these various domains of privacy in different ways, depending on its objectives and methods. An important aspect of privacy is the right to control information about oneself. The concept of consent is related to the right to privacy. Privacy is respected if an individual has an opportunity to exercise control over personal information by consenting to, or withholding consent for, the collection, use and/or disclosure of information (see Chapter 3 for further discussion of consent).

Confidentiality

The ethical duty of confidentiality refers to the obligation of an individual or organization to safeguard entrusted information. The ethical duty of confidentiality includes obligations to protect information from unauthorized access, use, disclosure, modification, loss or theft. Fulfilling the ethical duty of confidentiality is essential to the trust relationship between researcher and participant, and to the integrity of the research project.

Security

Security refers to measures used to protect information. It includes physical, administrative and technical safeguards. An individual or organization fulfils its confidentiality duties, in part, by adopting and enforcing appropriate security measures. Physical safeguards include the use of locked filing cabinets, and the location of computers containing research data away from public areas. Administrative safeguards include the development and enforcement of organizational rules about who has access to personal information about participants. Technical safeguards include use of computer passwords, firewalls, anti-virus software, encryption and other measures that protect data from unauthorized access, loss or modification.

Identifiable Information

Information that may reasonably be expected to identify an individual, alone or in combination with other available information, is considered identifiable information (or information that is identifiable) for the purposes of this Policy. Where the term “personal information” appears in this Policy, it refers to identifiable information.

Types of Information

Researchers may seek to collect, use, share and access different types of information about participants. Such information may include personal characteristics or other information about which an individual has a reasonable expectation of privacy (e.g., age, ethnicity, educational background, employment history, health history, life experience, religion, social status).

For the purposes of this Policy, researchers and REBs shall consider whether information proposed for use in research is identifiable. The following categories provide guidance for assessing the extent to which information could be used to identify an individual:

  • Directly identifying information – the information identifies a specific individual through direct identifiers (e.g., name, social insurance number, personal health number).

  • Indirectly identifying information – the information can reasonably be expected to identify an individual through a combination of indirect identifiers (e.g., date of birth, place of residence or unique personal characteristic).

  • Coded information – direct identifiers are removed from the information and replaced with a code. Depending on access to the code, it may be possible to re-identify specific participants (e.g., the principal investigator retains a list that links the participants’ code names with their actual name so data can be re-linked if necessary).

  • Anonymized information – the information is irrevocably stripped of direct identifiers, a code is not kept to allow future re-linkage, and risk of re-identification of individuals from remaining indirect identifiers is low or very low.

  • Anonymous information – the information never had identifiers associated with it (e.g., anonymous surveys) and risk of identification of individuals is low or very low.

Ethical concerns regarding privacy decrease as it becomes more difficult (or impossible) to associate information with a particular individual. These concerns also vary with the sensitivity of the information and the extent to which access, use or disclosure may harm an individual or group.

The easiest way to protect participants is through the collection and use of anonymous or anonymized data, although this is not always possible or desirable. For example, after information is anonymized, it is not possible to link new information to individuals within a dataset, or to return results to participants. A “next best” alternative is to use de-identified data: the data are provided to the researcher in de-identified form and the existing key code is accessible only to a custodian or trusted third party who is independent of the researcher. The last alternative is for researchers to collect data in identifiable form and take measures to de-identify the data as soon as possible. Although these measures are effective ways to protect participants from identification, the use of indirectly identifying, coded or anonymized information for research may still present risks of re-identification.

Technological developments have increased the ability to access, store and analyze large volumes of data. These activities may heighten risks of re-identification, such as when researchers link datasets (see Section E, this chapter), or where a dataset contains information about a population in a small geographical area, or about individuals with unique characteristics (e.g., uncommon field of occupational specialization, diagnosis of a very rare disease). Various factors can affect the risks of re-identification, and researchers and REBs should be vigilant in their efforts to recognize and reduce these risks. Data linkage of two or more datasets of anonymous information may present risks of identification (see Article 2.4 or Article 9.22).

Where it is not feasible to use anonymous or anonymized data for research (and there are many reasons why data may need to be gathered and retained in an identifiable form), the ethical duty of confidentiality and the use of appropriate measures to safeguard information become paramount. This Policy generally requires more stringent protections in research involving identifiable information. Researchers are expected to consult their REB if they are uncertain about whether information proposed for use in research is identifiable (e.g., when proposing to link anonymized or coded datasets).

B. Ethical Duty of Confidentiality

Article 5.1  Researchers shall safeguard information entrusted to them and not misuse or wrongfully disclose it. Institutions shall support their researchers in maintaining promises of confidentiality.

Application   When researchers obtain information with a promise of confidentiality, they assume an ethical duty that is central to respect for participants and the integrity of the research project. Breaches of confidentiality may harm the participant, the trust relationship between the researcher and the participant, other individuals or groups, and/or the reputation of the research community. Research that probes sensitive topics (e.g., illegal activities) generally depends on strong promises of confidentiality to establish trust with participants.

The ethical duty of confidentiality applies to information obtained directly from participants, or from other researchers or organizations that have legal, professional or other obligations to maintain confidentiality.

The ethical duty of confidentiality must, at times, be balanced against competing ethical considerations or legal or professional requirements that call for disclosure of information obtained or created in a research context. For example, in exceptional and compelling circumstances, researchers may be subject to obligations to report information to authorities to protect the health, life or safety of a participant or a third party. Researchers are expected to be aware of ethical codes (such as professional codes of conduct) or laws (e.g., those requiring the reporting of children in need of protection) that may require disclosure of information they obtain in a research context. In other situations, a third party may seek access to information obtained and/or created in confidence in a research context. An access request may seek voluntary disclosure of information, or may seek to compel disclosure through force of law (e.g., by subpoena). Chapter 1, Section C, elaborates on the relationship between research ethics and law.

Certain areas of research (such as research involving children at risk of abuse or studies of criminal behaviour) are more likely to put researchers in positions where they may experience tension between the ethical duty of confidentiality and disclosure to third parties. Researchers shall maintain their promise of confidentiality to participants within the extent permitted by ethical principles and/or law. This may involve resisting requests for access, such as opposing court applications seeking disclosure. Researchers’ conduct in such situations should be assessed on a case-by-case basis and guided by consultation with colleagues, any relevant professional body, the REB and/or legal counsel.

In some instances, participants may waive anonymity (e.g., if they wish to be identified for their contributions to the research). Researchers should obtain the consent of these participants, and negotiate agreements with them that specify how they may be identified or recognized for their contribution. Where an individual participant waives anonymity but other members of the participant group object because identification may cause harm to the group, researchers shall maintain anonymity for all members of the participant group (see Article 3.2[f] and Article 10.4).

Article 5.2  Researchers shall describe measures for meeting confidentiality obligations and explain any reasonably foreseeable disclosure requirements:

(a)  in application materials they submit to the REB; and

(b)  during the consent process with prospective participants.

Application  This article recognizes that some research projects are more likely to put researchers in a position where they may have a requirement to disclose information to third parties. The reasonable foreseeability of disclosure requirements can be assessed by considering the nature and objectives of the research inquiry. For example, research that involves interviewing high-risk families about intergenerational violence raises a reasonably foreseeable prospect that researchers may acquire information that a child is being abused. Researchers who reasonably foresee that their inquiries may give rise to an ethical or legal reason to disclose information obtained in the research context shall advise the REB and prospective participants about the possibility of compelled disclosure. Advising participants of reasonably foreseeable disclosure requirements is an important aspect of the consent process.

Situations may arise where researchers unexpectedly acquire information that gives rise to a reason for disclosure to a third party, or researchers may receive a disclosure demand from a third party. In such cases, advising a participant about the disclosure may be important to respect the trust relationship with the participant, and to ensure the validity of the participant’s ongoing consent. Decisions about whether, how and when to advise a participant of disclosure should be guided by any applicable disciplinary standards and consultation with the REB, colleagues, relevant professional body and/or legal counsel.

Researchers shall also inform participants and seek their consent if their personal information may be shared with government departments or agencies, community partners in the research, personnel from an agency that monitors the research, a research sponsor (such as a pharmaceutical company), the REB or a regulatory agency.

Researchers shall avoid being put in a position of becoming informants for authorities or leaders of organizations. For example, when records of prisoners, employees, students or others are used for research purposes, the researcher shall not provide authorities with results that could identify individuals unless the prior written consent of the participants has been given. Researchers may, however, provide administrative bodies with aggregated data that cannot be linked to individuals for purposes such as policy-making or program evaluation. When seeking consent, researchers shall advise prospective participants if aggregated data from a project may be disclosed, particularly where such disclosure may pose a risk to the participants. For example, aggregate data provided to authorities about research on illicit drug use in a penitentiary may pose risks of reprisal to the prisoners, even though they are not identified individually.

When planning a study, researchers should incorporate any applicable statute-based or other legal principles that may afford protection for the privacy of participants and the confidentiality of research information.

C. Safeguarding Information

Article 5.3  Researchers shall provide details to the REB regarding their proposed measures for safeguarding information, for the full life cycle of information: its collection, use, dissemination, retention and/or disposal.

Application   Researchers shall assess privacy risks and threats to the security of information for all stages of the research life cycle, and implement appropriate measures to protect information. Safeguarding information helps respect the privacy of participants and helps researchers fulfil their confidentiality obligations. In adopting measures to safeguard information, researchers should follow disciplinary standards and practices for the collection and protection of information gathered for research purposes. Formal privacy impact assessments are required in some institutions and may also be required under legislation or policy in some jurisdictions. Security measures should take into account the nature, type and state of data: the data’s form (e.g., paper or electronic records); content (e.g., presence of direct or indirect identifiers); mobility (e.g., kept in one location or subject to physical or electronic transport); and vulnerability to unauthorized access (e.g., use of encryption or password protection). Measures for safeguarding information apply both to original documents and copies of information.

Factors relevant to the REB’s assessment of the adequacy of the researchers’ proposed measures for safeguarding information include:

(a) the type of information to be collected;

(b) the purpose for which the information will be used, and the purpose of any secondary use of identifiable information;

(c) limits on the use, disclosure and retention of the information;

(d) risks to participants should the security of the data be breached, including risks of re-identification of individuals;

(e) appropriate security safeguards for the full life cycle of information;

(f) any recording of observations (e.g., photographs, videos, sound recordings) in the research that may allow identification of particular participants;

(g) any anticipated uses of personal information from the research; and

(h) any anticipated linkage of data gathered in the research with other data about participants, whether those data are contained in public or personal records (see also Section E of this chapter).

In considering the adequacy of proposed measures for safeguarding information during its full life cycle, REBs should not automatically impose a requirement that researchers destroy the research data. Stored information may be useful for a variety of future purposes. Appropriate data retention periods vary depending on the research discipline, research purpose and the kind of data involved. In some situations, formal data sharing with participants may occur, for example, by giving individual participants copies of a recording or transcript as a gift for personal, family or other archival use. Similarly, some funding bodies, such as the Social Sciences and Humanities Research Council and the Canadian Institutes of Health Research, have specific policies on data archiving and sharing. [2] Researchers should address how participants’ information will be handled if participants choose to withdraw from the research.

In disseminating findings, researchers shall not disclose identifiable information without the consent of participants. In the case of critical inquiry research, identifiable information may be revealed about any objects of the inquiry as they are usually not regarded as participants (see Article 3.6). Researchers shall take reasonable measures to avoid inadvertent identification of individuals or groups in publications or other means of dissemination – and they must address this issue to the satisfaction of the REB.

Consideration of future uses of personal information refers not just to research, but also to other purposes, such as the future use of research materials for educational purposes.

Research data sent over the Internet may require encryption or use of special denominalization software to prevent interception by unauthorized individuals, or other risks to data security. In general, identifiable data obtained through research that is kept on a computer and connected to the Internet should be encrypted.

Article 5.4 Institutions or organizations where research data are held have a responsibility to establish appropriate institutional security safeguards.

Application   In addition to the security measures researchers implement to protect data, safeguards put in place at the institutional or organizational level also provide important protection. These data security safeguards should include adequate physical, administrative and technical measures, and should address the full life cycle of information. This includes institutional or organizational safeguards for information while it is currently in use by researchers, and for any long-term retention of information.

D. Consent and Secondary Use of Identifiable Information for Research Purposes

Secondary use refers to the use in research of information originally collected for a purpose other than the current research purpose. Common examples are social science or health survey datasets that are collected for specific research or statistical purposes, but then re-used to answer other research questions. Information initially collected for program evaluation may be useful for subsequent research. Other examples include health care records, school records, biological specimens, vital statistics registries or unemployment records, all of which are originally created or collected for therapeutic, educational or administrative purposes, but which may be sought later for use in research. Chapter 12 provides further guidance on research involving secondary use of previously collected biological materials.

Reasons to conduct secondary analyses of data include: avoidance of duplication in primary collection and the associated reduction of burdens on participants; corroboration or criticism of the conclusions of the original project; comparison of change in a research sample over time; application of new tests of hypotheses that were not available at the time of original data collection; and confirmation that the data are authentic. Privacy concerns and questions about the need to seek consent arise, however, when information provided for secondary use in research can be linked to individuals, and when the possibility exists that individuals can be identified in published reports, or through data linkage. Privacy legislation recognizes these concerns and permits secondary use of identifiable information under certain circumstances.

Article 5.5  Researchers who have not obtained consent from participants for secondary use of identifiable information shall only use such information for these purposes if the REB is satisfied that:

(a) identifiable information is essential to the research;

(b) the use of identifiable information without the participants’ consent is unlikely to adversely affect the welfare of individuals to whom the information relates;

(c) the researchers will take appropriate measures to protect the privacy of individuals, and to safeguard the identifiable information;

(d) the researchers will comply with any known preferences previously expressed by individuals about any use of their information;

(e) it is impossible or impracticable to seek consent from individuals to whom the information relates; and

(f) the researchers have obtained any other necessary permission for secondary use of information for research purposes.

If a researcher satisfies all the conditions in Article 5.5(a) to (f), the REB may approve the research without requiring consent from the individuals to whom the information relates.

Application   This Policy does not require that researchers seek consent from individuals for the secondary use of non-identifiable information. In the case of secondary use of identifiable information, researchers must obtain consent in accordance with applicable laws, unless the researcher satisfies all the requirements in Article 5.5.

The exception to the requirement to seek consent in this article is specific to secondary use of identifiable information. The terms of Article 3.7 address alteration of consent in other circumstances and do not apply here.

Secondary use of information identifiable as originating from a specific Aboriginal community, or a segment of the Aboriginal community at large, is addressed in Articles 9.20 to 9.22. [3]

“Impracticable” refers to undue hardship or onerousness that jeopardizes the conduct of the research; it does not mean mere inconvenience. Consent may be impossible or impracticable when the group is very large or its members are likely to be deceased, geographically dispersed or difficult to track. Attempting to track and contact members of the group may raise additional privacy concerns. Financial, human and other resources required to contact individuals and seek consent may impose undue hardship on the researcher. In some jurisdictions, privacy laws may preclude researchers from using personal information to contact individuals to seek their consent for secondary use of information. [4]

Privacy laws may also impose specific rules regarding disclosure of information for secondary use in research. These laws may require the individual or organization that has custody or control of requested personal information to obtain approval from a privacy commissioner or other body before disclosing information to researchers. They may also impose additional requirements such as information-sharing agreements that describe disclosure conditions. These requirements may include the stipulation that the researcher not publish identifiable information or contact individuals to whom the information relates.

At the time of initial collection, individuals may have had an opportunity to express preferences about future uses of information, including research uses (see paragraph [d] in the Application of Article 3.2). Data custodians have an obligation to respect the individual’s expressed preferences. For example, where an individual does not want information used for future research, data custodians shall remove this information from any datasets used or made available for research.

In cases where the proposed research involves information of greater sensitivity (e.g., genetic information, information about individuals who seek help through domestic violence shelters, information about sexual practices), the REB may require that researchers engage in discussion with people whose perspectives can help identify the ethical implications of the research, and suggest ways to minimize any associated risks. Discussion is not intended to serve as proxy consent. Rather, a goal of discussion is to seek input regarding the proposed research, such as the design of the research, measures for privacy protection, and potential uses of findings. Discussion may also be useful to determine whether or not the research will adversely affect the welfare of individuals to whom the information relates. Researchers shall advise the REB of the outcome of such discussions. The REB may require modifications to the research proposal based on these discussions.

Article 5.6  When secondary use of identifiable information without the requirement to seek consent has been approved under Article 5.5, researchers who propose to contact individuals for additional information shall, prior to contact, seek REB approval of the plan for making contact.

Application  In certain cases, a research goal may be achieved only through follow-up contact with individuals to collect additional information. Under Article 5.5, the REB may have approved secondary use without the requirement to seek consent, based, in part, on the impossibility or impracticability of seeking consent from all individuals whose information is proposed for use in research. Where contact with a sub-group is feasible, researchers may subsequently wish to attempt to make contact with some individuals to obtain additional information. Contact with individuals whose previously collected information has been approved for secondary use in research raises privacy concerns. Individuals might not want to be contacted by researchers or might be upset that identifiable information was disclosed to researchers without their consent. The potential benefits of follow-up contact must clearly outweigh the risks to individuals of follow-up contact, and the REB must be satisfied that the proposed manner of follow-up contact minimizes risks to individuals. The proposed plan shall explain who will contact individuals to invite their participation in the research (e.g., a representative of the organization that holds the individual’s information) and the nature of their relationship with those individuals. Researchers shall also ensure that a plan for follow-up contact complies with applicable privacy legislation. For example, some privacy laws prohibit researchers from contacting individuals unless the custodian of the information has first sought and obtained individuals’ consent to be contacted. Whenever possible, it is preferable that re-contact with participants be carried out by the custodian of the original data set. Researchers will need to seek consent from individual participants for any new data collection. Article 3.1 provides further guidance on consent and approaches to recruitment.

E. Data Linkage

Article 5.7   Researchers who propose to engage in data linkage shall obtain REB approval prior to carrying out the data linkage, unless the research relies exclusively on publicly available information as discussed in Article 2.2. The application for approval shall describe the data that will be linked and the likelihood that identifiable information will be created through the data linkage.

Where data linkage involves or is likely to produce identifiable information, researchers shall satisfy the REB that:

(a) the data linkage is essential to the research; and

(b) appropriate security measures will be implemented to safeguard information.

Application   Growing numbers of databases and advancing technological capacity to link databases create new research opportunities, but also new privacy risks. In particular, linkage of de-identified or anonymized databases may permit re-identification of individuals. This article provides guidance for researchers who propose to carry out data linkage and requires that they assess and minimize risks of re-identification. Only a restricted number of individuals should perform the function of merging databases. Researchers should use enhanced security measures to store the merged file.
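As an added illustration, not part of TCPS 2 or of any tool it references, the Python below walks through the identifiability categories of Section A (direct identifiers replaced by a code whose key is held separately) and the re-identification risk this Application attributes to linking de-identified datasets: it measures how many records of a constructed six-record study remain unique on their indirect identifiers, links them against a constructed external list that carries names, then generalizes and suppresses until the linkage no longer re-identifies anyone. The records, the uniqueness measure and the class-size threshold k are assumptions for the example; the Policy prescribes no particular metric.

```python
"""Added illustration (not TCPS 2 text): coded information, re-identification
risk on indirect identifiers, and data linkage, on constructed sample data."""
import secrets
from collections import Counter

# Constructed sample: one direct identifier (name), three indirect identifiers
# (date of birth, residence, occupation) and the value the study needs (score).
PARTICIPANTS = [
    {"name": "A. Tremblay", "dob": "1971-03-04", "residence": "Rimouski", "occupation": "nurse", "score": 3},
    {"name": "B. Nguyen", "dob": "1985-11-21", "residence": "Rimouski", "occupation": "teacher", "score": 5},
    {"name": "C. Okafor", "dob": "1985-06-02", "residence": "Rimouski", "occupation": "teacher", "score": 2},
    {"name": "D. Roy", "dob": "1990-01-15", "residence": "Gatineau", "occupation": "welder", "score": 4},
    {"name": "E. Singh", "dob": "1990-07-30", "residence": "Gatineau", "occupation": "welder", "score": 1},
    {"name": "F. Martin", "dob": "1990-12-12", "residence": "Gatineau", "occupation": "pilot", "score": 5},
]
# Constructed external list a third party might hold (e.g. a club directory):
# it shares the indirect identifiers and carries names.
EXTERNAL_LIST = [
    {"name": "A. Tremblay", "dob": "1971-03-04", "residence": "Rimouski", "occupation": "nurse"},
    {"name": "C. Okafor", "dob": "1985-06-02", "residence": "Rimouski", "occupation": "teacher"},
    {"name": "G. Lee", "dob": "1985-06-02", "residence": "Rimouski", "occupation": "teacher"},
    {"name": "D. Roy", "dob": "1990-01-15", "residence": "Gatineau", "occupation": "welder"},
]
DIRECT_IDENTIFIERS = ("name",)
INDIRECT_IDENTIFIERS = ("dob", "residence", "occupation")
GENERALIZED_QUASI = ("dob", "residence")  # after generalize(): birth year + residence

def combo(rec, quasi):
    """The record's combination of indirect identifiers (its equivalence-class key)."""
    return tuple(rec[f] for f in quasi)

def code_records(records, direct=DIRECT_IDENTIFIERS):
    """Coded information (Section A): strip direct identifiers and replace them
    with a random opaque code. The key (code -> direct identifiers) is returned
    separately so a custodian independent of the researcher can hold it."""
    coded, key = [], {}
    for rec in records:
        code = secrets.token_hex(4)
        while code in key:  # collisions are vanishingly unlikely, but keep codes unique
            code = secrets.token_hex(4)
        key[code] = {f: rec[f] for f in direct}
        coded.append({"code": code, **{k: v for k, v in rec.items() if k not in direct}})
    return coded, key

def uniqueness_risk(records, quasi):
    """Re-identification risk estimate: (fraction of records whose indirect
    identifiers are unique in the dataset, size of the smallest class). A unique
    record is re-identifiable by anyone holding another dataset with the same
    fields; the smallest class size is the k of k-anonymity."""
    if not records:
        return 0.0, 0
    classes = Counter(combo(r, quasi) for r in records)
    unique = sum(1 for r in records if classes[combo(r, quasi)] == 1)
    return unique / len(records), min(classes.values())

def link_datasets(coded, external, quasi):
    """Data linkage on shared indirect identifiers (Article 5.7). Returns
    code -> name for every coded record whose combination is unique on both
    sides: those participants are re-identified although the research dataset
    holds no direct identifiers."""
    left = Counter(combo(r, quasi) for r in coded)
    right = {}
    for rec in external:
        right.setdefault(combo(rec, quasi), []).append(rec)
    matches = {}
    for rec in coded:
        cands = right.get(combo(rec, quasi), [])
        if left[combo(rec, quasi)] == 1 and len(cands) == 1:
            matches[rec["code"]] = cands[0]["name"]
    return matches

def generalize(records, drop=("occupation",)):
    """Reduce identifiability by coarsening indirect identifiers: keep only the
    birth year and drop occupation (assumption: the research question does not
    need them). Applies to coded and external records alike."""
    out = []
    for rec in records:
        g = {k: v for k, v in rec.items() if k not in drop}
        g["dob"] = rec["dob"][:4]
        out.append(g)
    return out

def suppress_small_classes(records, quasi, k=2):
    """Drop records whose class is smaller than k, so that no remaining record
    is unique on its indirect identifiers."""
    classes = Counter(combo(r, quasi) for r in records)
    return [r for r in records if classes[combo(r, quasi)] >= k]

if __name__ == "__main__":
    coded, key = code_records(PARTICIPANTS)
    print("full indirect identifiers:", uniqueness_risk(coded, INDIRECT_IDENTIFIERS),
          sorted(link_datasets(coded, EXTERNAL_LIST, INDIRECT_IDENTIFIERS).values()))
    gen, ext = generalize(coded), generalize(EXTERNAL_LIST)
    print("after generalization:", uniqueness_risk(gen, GENERALIZED_QUASI),
          sorted(link_datasets(gen, ext, GENERALIZED_QUASI).values()))
    safe = suppress_small_classes(gen, GENERALIZED_QUASI)
    print("after suppression:", uniqueness_risk(safe, GENERALIZED_QUASI),
          link_datasets(safe, ext, GENERALIZED_QUASI))
```

Generalization alone still leaves the one participant born in 1971 in Rimouski re-identifiable by linkage; only suppressing that singleton class brings the linkage result to empty, which is why the Application asks for the risk to be assessed rather than assumed away once direct identifiers are removed.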

Where researchers seek access to datasets held by another organization, it may be preferable for the data holder to carry out the data linkage and remove identifiers before disclosing the merged dataset.

Legislation and organizational policies may regulate data linkage in specific circumstances. For example, some personal information protection legislation requires data-sharing agreements that regulate conditions under which data linkage may be carried out. Data holders, such as statistics agencies, may also have policies on data linkage. [5]

Where researchers propose to access and link datasets of identifiable information for the secondary purpose of research, the requirements of Section D apply.

Endnotes

[1] See, for example, Canadian Standards Association, Model Code for the Protection of Personal Information (1996).

[2] See the Social Sciences and Humanities Research Council, “Research Data Archiving Policy,” www.sshrc-crsh.gc.ca/site/apply-demande/policies-politiques/edata-donnees_electroniques-eng.aspx; the Canadian Institutes of Health Research, “Open Access Policy” (January 2013), www.cihr-irsc.gc.ca/e/46068.html; and the Canadian Institutes of Health Research, Natural Sciences and Engineering Research Council of Canada, and Social Sciences and Humanities Research Council of Canada, Access to Research Results: Guiding Principles, www.science.gc.ca/default.asp?Lang=En&n=9990CB6B-1

[3] See also the Canadian Institutes of Health Research, CIHR Guidelines for Health Research Involving Aboriginal People (May 2007), www.cihr-irsc.gc.ca/e/29134.html

[4] For discussion of factors relevant to assessing impracticability of consent, see, for example, the Canadian Institutes of Health Research, CIHR Best Practices for Protecting Privacy in Health Research, Section 3.3, Secondary Use (September 2005), www.cihr-irsc.gc.ca/e/29072.html#Element3

[5] See, for example, Statistics Canada, “Policy on Record Linkage,” www.statcan.gc.ca/record-enregistrement/policy4-1-politique4-1-eng.htm
