Information is the foundation of everything we do at ICES. It provides the evidence that guides health care. ICES relies on its ability to collect and use information that is subject to privacy laws and standards, and we are deeply committed to its protection. At ICES, privacy matters.
ICES’ privacy obligations in context
ICES’ privacy obligations derive from several sources.
In Canada, public institutions are required to protect the privacy of citizens whose information they collect. Typically, this is achieved through one or more overarching privacy laws that govern the public service in a jurisdiction, sometimes in combination with other laws tailored to specific areas of activity, such as health care. Most, if not all, of these laws recognize the public value of research and provide some mechanism for making information available for its conduct. ICES collects information through these mechanisms in federal and provincial laws across Canada, most notably section 45 of Ontario’s Personal Health Information Protection Act (PHIPA).
Section 45 of PHIPA is designed to enable the work of organizations that conduct analyses and compile statistics about the management and effectiveness of health care. To be eligible to collect and use information under this authority, an organization must receive the approval of Ontario’s Information and Privacy Commissioner (IPC). ICES has received IPC approval under section 45 of PHIPA since 2005. Although ICES also relies from time to time on the research provisions of PHIPA, our designation under section 45 is the principal legal authority for scientific activities at ICES.
Contracts and research ethics standards also inform our information handling practices. When ICES collects information, how we use it and protect it is routinely governed by an agreement. And compliance with research ethics practices and standards that address privacy is required on multiple fronts — by those who employ ICES scientists, by funding agencies and by publishers of our research.
The information ICES collects
The vast majority of the information collected by ICES originates in Ontario’s publicly funded health care system. Patient charts, medical images, laboratory results and administrative systems that cross all areas and dimensions of our health care system provide vital evidence for ICES scientists. ICES collects this information through a variety of channels, including:
- Health care providers directly;
- The Ministry of Health and Long-Term Care; and
- Other organizations that have a mandate to enable health care monitoring and evaluation.
This is supplemented by surveys and other information compiled by ICES and others with the oversight of a research ethics board, and by information obtained from government departments and agencies and from organizations outside the health sector. This supplementary information is often critical to answering important questions about the social determinants of health. For example, an extract from a database of landed immigrants maintained by Immigration, Refugees and Citizenship Canada allows ICES to evaluate the particular health care needs of recent immigrants. To learn more about what ICES collects, please visit our data dictionary or contact us.
How ICES uses information
ICES uses the information it collects to answer important questions about the efficiency and effectiveness of Ontario’s health care system and more general questions about the social determinants of health. ICES activities in this regard include:
- Health system analyses and evaluation conducted by ICES independently or on behalf of policy-makers, health care providers or other stakeholders;
- Health-related research conducted by ICES; and
- The augmentation of information for research conducted by others in accordance with applicable law and research ethics board approvals.
How ICES protects information
ICES is committed to protecting the information it collects. To achieve this, ICES implements the privacy policies and practices required by the Information and Privacy Commissioner of Ontario under section 45 of PHIPA. These include a range of physical and logical controls to govern access to information, such as secure zones within ICES facilities, complex passwords and encryption.
In addition, ICES has adopted the following key principles to protect information:
- ICES limits the information it collects to what is necessary and lawful.
- ICES restricts access to information within ICES by role.
- ICES administers access to information on a project-by-project basis. Scientists must apply for and justify each element of information.
- ICES prohibits identification of individuals and uses techniques such as coding and de-identification to prevent it. Direct personal identifiers, including names, health card numbers and other identifying numbers, are removed and replaced by a confidential code promptly after they are collected.
- ICES requires that all scientists and employees be trained in the privacy policies and procedures relevant to their role and agree to uphold them.
ICES’ privacy policies and practices are described in detail in our 2017 report, which formed the basis of the IPC’s renewal of ICES’ designation as a prescribed entity. This designation is reviewed every three years by the Information and Privacy Commissioner of Ontario.