Information is the foundation of everything we do at ICES. It provides the evidence that guides health care. ICES relies on its ability to collect and use information that is subject to privacy laws and standards, and we are deeply committed to its protection. At ICES, privacy matters.
ICES’ privacy obligations in context
ICES’ privacy obligations derive from several sources.
In Canada, public institutions are required to protect the privacy of individuals whose information they collect. Typically, this is achieved through one or more overarching privacy laws that govern the public service in a jurisdiction, sometimes in combination with other laws tailored to specific areas of activity, such as health care. Most, if not all, of these laws recognize the public value of analytics and research and provide some mechanism for making information available for its conduct. ICES collects information through these mechanisms in federal and provincial laws across Canada, most notably Ontario’s Personal Health Information Protection Act (PHIPA) and the Coroners Act.
Prescribed entity designations under PHIPA and the Coroners Act allow ICES to conduct analyses and compile statistical information about the management and effectiveness of the health system and the health or safety of the public. A prescribed entity is permitted to collect personally identifiable information for these purposes without individual consent or research ethics approval, which accordingly creates an enormous responsibility to safeguard the information held at ICES. Prescribed entities must receive approval every three years by the Information and Privacy Commissioner of Ontario (IPC) to operate as such. ICES has received approval from the IPC for its PHIPA designation since 2005, and its inaugural designation as a prescribed entity under the Coroners Act was received in 2022. While ICES does rely on certain legal provisions to conduct research, its prescribed entity designations are the principal bases under which its projects are conducted.
Contracts and research ethics standards also inform our information handling practices. When ICES collects information, how we use it and protect it is routinely governed by an agreement. And compliance with research ethics practices and standards that address privacy is required on multiple fronts — by those who employ ICES scientists, by funding agencies and by publishers of our research.
The information ICES collects
The vast majority of the information collected by ICES originates in Ontario’s publicly funded health care system. Patient charts, medical images, laboratory results and administrative systems that cross all areas and dimensions of our health care system provide vital evidence for ICES scientists. ICES collects this information through a variety of channels, including:
- Health care providers directly;
- The Ministry of Health and Long-Term Care; and
- Other organizations that have a mandate to enable health care monitoring and evaluation.
This is supplemented by surveys and other information compiled by ICES and others with the oversight of a research ethics board, and by information obtained from government departments and agencies, as well as from organizations outside the health sector. This supplementary information is often critical to answering important questions about the social determinants of health. For example, an extract from a database of landed immigrants maintained by Immigration, Refugees and Citizenship Canada allows ICES to evaluate the particular health care needs of recent immigrants. To learn more about what ICES collects, please visit our data dictionary or contact us.
How ICES uses information
ICES uses the information it collects to answer important questions about the efficiency and effectiveness of Ontario’s health care system, and more general questions about the social determinants of health for the public. ICES activities in this regard include:
- Health system analyses and evaluation conducted by ICES independently or on behalf of policy-makers, health care providers or other stakeholders;
- Health-related research conducted by ICES; and
- The augmentation of information for research conducted by others in accordance with applicable law and research ethics board approvals.
How ICES protects information
ICES is committed to protecting the information it collects and has implemented a wide range of physical and logical controls to govern access to information, such as secure zones within ICES facilities, complex passwords and encryption.
In addition, ICES has adopted the following key principles to protect information:
- ICES limits the information it collects to what is necessary, relevant and lawful.
- ICES restricts access to information within ICES by role.
- ICES administers access to information on a project-by-project basis. Scientists must apply for and justify each dataset requested.
- ICES requires all scientists and employees to be trained annually in privacy and security practices, as well as role-specific privacy and security training
ICES’ privacy policies and practices are described in detail in our 2020 report, which formed the basis of the IPC’s renewal of ICES’ designation as a prescribed entity, which is reviewed every three years as part of the IPC’s renewal.