Data Privacy and Security at ICES

At ICES, data is the foundation for everything we do. It allows us to provide timely and accurate analytics and research on healthcare practices and the health system itself. To do our work, we must be trusted data stewards. This means that we are deeply committed to maintaining the privacy, security and confidentiality of the individuals who use our healthcare system.

ICES’ Privacy Obligations in Context

ICES’ privacy obligations derive from several sources.



In Canada, public institutions are required to protect the privacy of individuals whose information they collect. Typically, this is achieved through one or more overarching privacy laws that govern the public service in a jurisdiction, sometimes in combination with other laws tailored to specific areas of activity, such as healthcare. Most, if not all, of these laws recognize the public value of analytics and research and provide some mechanism for making information available for its conduct. ICES collects information through these mechanisms in federal and provincial laws across Canada, most notably Ontario’s Personal Health Information Protection Act (PHIPA) and the Coroners Act.

Prescribed entity

Prescribed entity designations under PHIPA and the Coroners Act allow ICES to conduct analyses and compile statistical information about the management and effectiveness of the health system and the health or safety of the public. A prescribed entity is permitted to collect personal information for these purposes without individual consent or research ethics approval, which accordingly creates an enormous responsibility to safeguard the information held at ICES. Prescribed entities must receive approval every three years from the Information and Privacy Commissioner of Ontario (IPC) to operate as such. ICES has received approval from the IPC for its PHIPA designation since 2005, and its inaugural designation as a prescribed entity under the Coroners Act was received in 2022. While ICES does rely on certain legal provisions to conduct research, its prescribed entity designations are the principal bases under which its projects are conducted.

Contracts & standards

Contracts and research ethics standards also inform our information handling practices. When ICES collects information, how we use it and protect it is routinely governed by an agreement. Compliance with research ethics practices and standards that address privacy is also required on multiple fronts: by those who employ ICES scientists, by funding agencies and by publishers of our research.

How ICES Uses Information

ICES uses the information it collects to answer important questions about the efficiency and effectiveness of Ontario’s health care system, and more general questions about the social determinants of health for the public. ICES activities in this regard include:

  • Health system analyses and evaluation conducted by ICES independently or on behalf of policy-makers, healthcare providers or other stakeholders;
  • Health-related research conducted by ICES; and
  • The augmentation of information for research conducted by others in accordance with applicable law and research ethics board approvals.

How ICES Protects Information

ICES is committed to protecting the information it collects and has implemented a wide range of physical and logical controls to govern access to information, such as secure zones within ICES facilities, complex passwords and encryption.

In addition, ICES has adopted the following key principles to protect information:

  • ICES limits the information it collects to what is necessary, relevant and lawful.
  • ICES restricts access to information within ICES by role.
  • ICES administers access to information on a project-by-project basis. Scientists must apply for and justify each dataset requested.
  • ICES requires all scientists and employees to complete annual training in privacy and security practices, as well as role-specific privacy and security training.

ICES’ privacy policies and practices are described in detail in our 2020 report, which formed the basis of the IPC’s renewal of ICES’ designation as a prescribed entity, a designation that is reviewed every three years as part of the IPC’s renewal.