Information is the foundation of everything we do at ICES. It provides the evidence that guides health care. ICES relies on its ability to collect and use information that is subject to privacy laws and standards, and is deeply committed to its protection. At ICES, privacy matters.
ICES’ privacy obligations in context
ICES’ privacy obligations derive from several sources.
The first and most significant is law. In Canada, public institutions are required to protect the privacy of citizens whose information they collect. Typically, this is achieved through one or more overarching privacy law that governs the public service in a jurisdiction, sometimes in combination with other laws tailored to specific areas of activity, like health care. Most, if not all, recognize the public value of research and statistical activities and provide some mechanism for making information available for them. ICES collects information through these mechanisms in federal and provincial laws across Canada, most notably section 45 of Ontario’s Personal Health Information Protection Act (PHIPA).
Section 45 of PHIPA is designed to enable the work of organizations like ICES that conduct analysis and compile statistics about the management and effectiveness of health care. To be eligible to collect and use information under this authority, an organization must receive the approval of Ontario’s Information and Privacy Commissioner (the IPC), which must find that the organization is equipped to protect it. ICES has been approved by the IPC under section 45 of PHIPA since 2005. Although ICES also relies from time to time on the “research” provisions of PHIPA, our designation under section 45 is the principal legal authority for scientific activities at ICES.
Contracts and research ethics standards also inform our information handling practices. When ICES collects information, how we use and protect it is routinely governed by an agreement. And compliance with research ethics practices and standards, which address privacy, is required on multiple fronts — by those who employ ICES scientists, by funding agencies and publishers, too.
The information ICES collects
The vast majority of the information ICES collects originates in Ontario’s publicly funded health care system. Patient charts, medical images, laboratory results, and administrative systems that cross all areas and dimensions of our health care system — all provide vital evidence for ICES scientists. ICES collects this information through a variety of channels. We receive it from:
- Health care providers directly;
- The Ministry of Health and Long-Term Care; and
- Other organizations like ICES that have a mandate to enable health care monitoring and evaluation.
This is supplemented by surveys and other information that are compiled, by ICES or others, under the oversight of a research ethics board, and by information obtained from government departments and agencies and from organizations outside the health sector. This supplementary information is often critical to answering important questions about the social determinants of health. For example, an extract from a database of landed immigrants maintained by Citizenship and Immigration Canada allows ICES to evaluate the particular health care needs of new immigrants. To learn more about what ICES collects, please visit our data dictionary or contact us.
How ICES uses information
ICES uses the information it collects to answer important questions about the efficiency and effectiveness of Ontario’s health care system and more general questions about the social determinants of health. ICES activities in this regard include:
- Health system analysis and evaluation conducted by ICES, independently or on behalf of policy-makers, health care providers or other stakeholders;
- Health-related research conducted by ICES; and
- Augmenting information for research conducted by others outside ICES in accordance with applicable law and research ethics board approvals.
How ICES protects information
ICES is committed to protecting the information it collects. To achieve this, ICES implements the privacy policies and practices required by the IPC under section 45 of PHIPA. These include implementation of a range of physical and logical controls to control access to information, like use of secure zones within ICES facilities, complex passwords and encryption. In addition, ICES has adopted the following key principles to protect information:
- ICES limits the information it collects to what is necessary and lawful.
- ICES restricts access to information within ICES by role.
- ICES administers access to information on a project-by-project basis. Scientists must apply for and justify each element of information.
- ICES prohibits identification of individuals and uses techniques like coding and de-identification to prevent it. Direct personal identifiers, including names and health card numbers and other identifying numbers, are removed and replaced by a confidential code promptly after it is collected.
- ICES requires all employees and scientists to be trained in the privacy policies and procedures relevant to their role, and agree to uphold them.
ICES’ privacy policies and practices are described in greater detail in our 2017 report, which formed the basis of the IPC’s renewal of ICES’ designation as a prescribed entity.