Go to content

Data Privacy and Security at ICES

At ICES, data is the foundation for everything we do. It allows us to provide timely and accurate analytics and research on healthcare practices and the health system itself. To do our work, we must be trusted data stewards. This means that we are deeply committed to maintaining the privacy, security and confidentiality of the individuals who use our healthcare system.

ICES’ Privacy Obligations in Context

ICES’ privacy obligations derive from several sources.

 

Law

In Canada, public institutions are required to protect the privacy of individuals whose information they collect. Typically, this is achieved through one or more overarching privacy laws that govern the public service in a jurisdiction, sometimes in combination with other laws tailored to specific areas of activity, such as healthcare. Most, if not all, of these laws recognize the public value of analytics and research and provide some mechanism for making information available for its conduct. ICES collects information through these mechanisms in federal and provincial laws across Canada, most notably Ontario’s Personal Health Information Protection Act (PHIPA) and the Coroners Act.

Prescribed entity

Prescribed entity designations under PHIPA and the Coroners Act allow ICES to conduct analyses and compile statistical information about the management and effectiveness of the health system and the health or safety of the public. Prescribed entities must have their practices and procedures reviewed and approved every three years by the Information and Privacy Commissioner of Ontario (IPC) to ensure they protect the privacy of individuals whose information they receive and maintain the confidentiality of that information.

As a prescribed entity, ICES has received approval of its practices and procedures from the IPC since 2005 under PHIPA and since 2022 under the Coroners Act. ICES’ practices and procedures were most recently approved by the IPC in 2023.

Documentation for every review and approval of ICES is publicly available on the IPC’s website.

Contracts & standards

Contracts and research ethics standards also inform our information handling practices. When ICES collects information, how we use it and protect it is routinely governed by an agreement. And compliance with research ethics practices and standards that address privacy is required on multiple fronts — by those who employ ICES scientists, by funding agencies and by publishers of our research.

How ICES Uses Information

ICES uses the information it collects to answer important questions about the efficiency and effectiveness of Ontario’s healthcare system, and more general questions about the social determinants of health for the public. ICES activities in this regard include:

  • Health system analyses and evaluation conducted by ICES independently or on behalf of policy-makers, healthcare providers or other stakeholders;
  • Health-related research conducted by ICES; and
  • The augmentation of information for research conducted by others in accordance with applicable law and research ethics board approvals.

How ICES Protects Information

ICES is committed to protecting the information it collects and has implemented a wide range of physical and logical controls to govern access to information, such as secure zones within ICES facilities, complex passwords and encryption.

In addition, ICES has adopted the following key principles to protect information:

  • ICES limits the information it collects to what is necessary, relevant and lawful.
  • ICES restricts access to information within ICES by role.
  • ICES administers access to information on a project-by-project basis. Scientists must apply for and justify each dataset requested.
  • ICES requires all scientists and employees to be trained annually in privacy and security practices, as well as role-specific privacy and security training.