Go to content

Data Repository Requirements

How the ICES Data Repository addresses 15 essential requirements for responsible data stewardship.


ICES is an independent, incorporated not-for profit institute that receives core funding from the Ontario Ministry of Health. ICES conducts research and analytics aimed at translating data into evidence to improve the lives of people. The ICES Data Repository includes over 100 data assets in which direct personal identifiers, such as name and health card number, have been removed and replaced with a confidential code. Most of ICES’ data holdings are administrative data at the population-level, including decades of longitudinal health records for 21 million people who are, or have previously been, eligible for publicly funded healthcare services in Ontario, Canada.

This document summarizes how the ICES Data Repository addresses 15 essential requirements for data trusts, data repositories, and other data collaborations.1 The 15 requirements are the foundation for the Canadian national standard CAN/CIOSC 100-7:2022: Operating Principles for Responsible Data Stewardship.2 If you have any questions about this document, please contact [email protected].


Fulfills Legal Requirements

As a Prescribed Entity under Ontario’s Personal Health Information Protection Act (PHIPA) and the Coroner’s Act, ICES has the authority to collect and use personal health information for specific purposes. For example, PHIPA Section 45 provides Prescribed Entities with the authority to collect and use data to assist the government in the planning and management of the health system, and PHIPA section 44 provides Prescribed Entities with the authority to disclose data to third-party researchers. As a prescribed entity, ICES is subject to a formal review and approval of ICES’ practices and procedures by the Information and Privacy Commissioner of Ontario every three years. In addition, ICES is bound by contracts, data sharing agreements, and research ethics standards. For more information about legal requirements that apply to the ICES Data Repository see Privacy at ICES.


Stated Purpose

The purpose of ICES’ Data Repository is to help ICES achieve its mission of “translating data into trusted evidence that makes policy and healthcare better and people healthier.” More information about ICES’ purpose is at ICES’ Mission, Vision & Values.


Accountable Governance Bodies

As a not-for-profit corporation and registered charity, ICES’ governance includes an independent Board of Directors. Each Director is accountable in accordance with Ontario’s Not-For-Profit Corporations Act, and ICES’ by-laws and incorporating documents. ICES’ Chief Executive Officer (CEO) is responsible for ICES’ management and reports to the ICES Board of Directors. Two members of the ICES Executive Team, the CEO and Chief Privacy and Legal Officer (CPLO), are also Officers of the corporation and, like Directors, must discharge their fiduciary duties and act in the best interests of the corporation. As a prescribed entity under PHIPA and under the Coroners Act, ICES is subject to formal review and approval of its practices and procedures by the Information and Privacy Commissioner every three years to ensure ICES protects the privacy of individuals whose information it receives and ICES maintains the confidentiality of that information.



Transparency about the ICES Data Repository is achieved primarily through ICES’ public website which includes information about ICES’ purpose, governance body membership, data holdings, annual reports, and data access policies for scientists with ICES appointments, public-sector researchers without ICES appointments, and researchers employed by private sector organizations. People who have questions that are not answered by information on the ICES website, can email [email protected] or connect with key ICES contacts on specific topics.


Indigenous Data Sovereignty

In accordance with the rights set out in the United Nations Declaration on the Rights of Indigenous Peoples, ICES acknowledges and respects the principles of Indigenous data sovereignty. Read more about ICES’ work with First Nations, Inuit, and Métis Peoples at ICES Indigenous Portfolio.


Adaptive and Responsive

To ensure that new skills, competencies, and perspectives are continuously integrated into ICES’ governance, members of the ICES Board of Directors can serve a maximum of three consecutive two-year terms. In addition, ICES establishes Strategic Plans, developed by ICES’ management and approved by its Board of Directors, which are reviewed and refreshed every three years in response to new opportunities and threats. For example, the 2020/21-2022/23 ICES Strategic Plan included a new commitment to proactively identify how ICES’ data holdings can generate new and timely evidence for health system stakeholders and the 2017/18-2019/20 ICES Strategic Plan introduced public engagement and data science as ICES strategic priorities.


Policies, Processes, and Procedures Covering the Data Lifecycle

ICES has 96 policies and procedures related to the collection, use, protection, disclosure, and destruction of data, including Collection of ICES Data Policy, Execution of Data Sharing Agreement Standard, Secure Transfer of Personal Health Information (PHI) Procedure, Privacy Impact Assessment Policy, Use of ICES Data Policy, Third Party Research Data Disclosure Procedure, and Destruction of ICES Data Procedure. A list of ICES’ policies, procedures, and standards is available at ICES Privacy and Security Policies.


Cybersecurity and Data Protection

ICES has adopted the Cybersecurity National Institute of Standards and Technology (NIST) Framework to manage its security posture. Additionally, ICES deploys a variety of measures, controls, and tools to protect data including a combination of physical, technical, administrative requirements, as well as ongoing logging, monitoring, and auditing. More information about ICES’ data protection and cybersecurity is available in the ICES triennial submission to the Information and Privacy Commissioner of Ontario as part of the IPC’s review of ICES’ practices and procedures.


Risk Management

As a collective, the ICES Board of Directors responsibilities include overseeing enterprise risk management (ERM) and accountability controls. The Board’s Finance, Audit and Risk subcommittee oversees all material aspects of the organization’s financial reporting, risk management, audit, privacy and cybersecurity functions. ICES management reviews the ERM dashboards before they go to the Board. The ERM enables the identification, assessment, management (treatment), and mitigation of risk.


Data Documentation

The ICES website includes high-level information about types of ICES Data and a public ICES Data Dictionary. More detailed data documentation, including staff notes on datasets, macros and scripts, and information about ICES-derived cohorts, is available to ICES scientists, and staff on the ICES intranet. ICES staff support non-ICES scientists, i.e., public-sector researchers without ICES appointments and researchers employed by private sector organizations, in understanding which ICES data holdings are relevant for their research studies.

Data Users

Privacy and Security Training

ICES’ Privacy and Security Training and Awareness Policy and Privacy and Security Training and Awareness Procedure require all ICES scientists, trainees, and staff to be trained annually in privacy and security practices, as well as role-specific privacy and security training. ICES discloses data to third-party researchers (public and private sector) only if they have Research Ethics Board approval. This approval generally requires completion of online TCPS 2 training including a Privacy and Confidentiality module.

Data Users

Consequences for Non-Compliance

All users of ICES data are made aware of prohibited activities and penalties for non-compliance with ICES policies and procedures as described in ICES’ Discipline and Corrective Action in Relation to ICES Data Policy and Termination or Cessation of Employment or Contractual Relationship in Relation to ICES Data Policy. The penalties depend upon the nature and severity of non-compliance and can include coaching, verbal warning, written warning, limitation of privileges, suspension, or termination of employment contract or other contractual relationship.

Public & Stakeholder Engagement

Knowledge Users and Data Partners Engagement

ICES has long-standing mechanisms to involve and engage policy makers, Indigenous partners, and other stakeholders in its analytics, including staff dedicated to responding to Applied Health Research Questions (AHRQs) posed by knowledge users. ICES collaborates with data custodians including the Ontario Ministry of Health; the Canadian Institute for Health Information; Statistics Canada; Immigration, Refugees and Citizenship Canada, the Coroner’s Office (Ontario), Public Health Units, municipalities, government agencies, the Ontario Health Study, and others so that different types of data that can be used for research and analytics. Each year, ICES selects and publishes a subset of its highest impact work in the form of Impact Stories.

Public & Stakeholder Engagement

Involving Members of the Public

The ICES Public Engagement Strategy includes a Public Advisory Council, resources and supports for ICES scientists who want to do public engagement, and guidance for communicating with public audiences. Additional information about ICES’ public engagement is on the ICES Public Advisory Council webpage and in a peer-reviewed article co-authored by ICES staff and members of the ICES Public Advisory Council.

Public & Stakeholder Engagement

Tailored Approaches for Different Publics

ICES’ Public Engagement Strategy is based on the principles of inclusivity and collaboration. Depending on the sub-population or group, ICES considers whether different models of governance and access are needed and consults with community members to discuss the use of their data and the sharing of the findings. For example, the ICES Indigenous Portfolio was established to enable and support work for and by First Nations, Inuit, Métis, and urban Indigenous organizations and communities in Ontario, and ICES has initiated work on a framework around the use of race, ethnicity, and immigration data.

A second example is ICES’ Guidance Document and Framework for Anti-Racist Approaches to Research and Analytics published in 2023 which is intended to guide scientists, trainees, and staff on the appropriate use and governance of race and related data to ensure ethical and appropriate research and analytics.

1Paprica PA, Crichlow M, Curtis Maillet D, Kesselring S, Pow C, Scarnecchia T, Schull MJ, Cartagena RG, Cumyn A, Dostmohammad S, Elliston KO, Greiver M, Hawn Nelson A, Hill SL, Isaranuwatchai W, Loukidpoudis E, McDonald JT, McLaughlin J, Rabinowitz A, Razak F, Verhulst SG, Verma AA, Victor JC, Young A, Yu J, McGrail KM (2023). Essential requirements for the governance and management of data trusts, data repositories, and other data collaborations. International Journal of Population Data Science.

2CIO Strategy Council publishes National Standard for Responsible Data Stewardship. CIO Strategy Council. (2022, July 12). Retrieved December 15, 2022, from CIO Strategy Council Publishes Notional Standard for Responsible Data Stewardship