Striking the balance: protecting data privacy in research
Author: Rachel Ward, JD, BCom
Online publication date: August 2019
Target audience: health-care professionals and academics conducting research projects involving human participants.
This article provides health-care professionals and researchers with an overview of the frameworks that help protect individuals’ privacy in the context of research, a topic that is particularly relevant in a time of big data, artificial intelligence and significant advances in technologies that are reliant on data inputs.
“Artificial intelligence”, “big data” and “data analytics” – some of the hottest buzz words in business, technology and research in the last few years – are now becoming more and more mainstream. While the use of big data may create exciting business and research opportunities, it also raises privacy and security challenges. Given the complexity and size of the data sets involved, big data analytics can result in an increased potential for biased results or unauthorized secondary uses of personal information [1]. Furthermore, governments, regulators and security experts continue to warn of the risks of security breaches and cyber assaults on data custodians, often pointing out that it is not a matter of “if” a security breach will occur, but “when”.
To counter these risks, regulators have mandated more stringent privacy protections. For instance, in May 2018, Europe introduced a new privacy regime through the General Data Protection Regulation [2], which protects the rights of data subjects and imposes obligations on controllers and processors of personal data, with associated (and potentially hefty) fines for non-compliance. Canada has also imposed greater requirements on data custodians. For example, provinces such as Alberta and Ontario have implemented mandatory reporting for certain privacy breaches such as those that may pose a significant risk of harm to individuals.
Protecting privacy in research in Canada
So how is the balance between fostering innovation and protecting individuals’ privacy maintained in research? Some key ways are through legal and regulatory frameworks, ethical oversight and organizational policies and processes.
Legal and regulatory frameworks
In Canada, federal, provincial and territorial privacy legislation has been enacted to help protect individuals’ privacy rights by establishing rules around the collection, use and disclosure of their personal information by institutions.
Canadian privacy legislation generally permits the collection, use and disclosure of personal information (information that identifies or can be used to identify an individual, including an individual’s name, address, telephone number or health information) for a specific, primary purpose with express, or in some cases, implied consent from the individual to whom the information relates. However, that information may also be useful for secondary purposes such as research. The legislation considers such cases and outlines mechanisms to protect individuals’ personal information, while permitting disclosure for research purposes.
For instance, data custodians can typically only disclose personal information for research (a) with the consent of the individual or (b) if a research ethics board (REB) has granted approval for the research project and if there is an agreement in place between the researcher and the custodian to protect the confidentiality and security of the data [3].
These mechanisms, which are defined in legislation, are monitored and enforced by regulators and ombudsmen who are empowered by the legislation to provide oversight – some with binding authority and others with the authority to make recommendations to ensure compliance with the statute. These regulators also develop guidelines for best practice in this area.
In addition to compliance with legal and regulatory requirements, research involving personal information must follow the ethical guidelines outlined in the Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (TCPS2) [4]. TCPS2 outlines fundamental principles concerning the protection of privacy and confidentiality in research. REBs, independent committees established by institutions (e.g. a university, hospital or organization) to review the ethical acceptability of research proposals, consider these principles when reviewing applications for research studies involving humans.
For example, researchers needing personal information for the purpose of a study must describe for the REB the type of information that they wish to access, use or disclose, as well as how they will maintain confidentiality obligations. Following REB review and approval of a proposed research study, researchers are also responsible for safeguarding the information entrusted to them throughout the life cycle of the research (i.e., collection, use, dissemination, retention and/or disposal of information) and may do so by implementing physical and cyber security measures to protect from unauthorized access to the data, taking reasonable measures to avoid identification of individuals and/or determining appropriate data retention periods, among other things.
REBs play a critical role in ensuring ethical principles are met and that the rights of research participants are considered and upheld, including their right to privacy.
Organizational policies and processes
Organizations and institutions also have a responsibility to safeguard personal information in their custody and control. Privacy legislation imposes requirements on data custodians to have policies, information practices and security mechanisms in place to protect personal information in their custody. Furthermore, TCPS2 provides that institutions have a responsibility to establish appropriate security safeguards and train researchers and REBs in protecting participant confidentiality. Therefore, researchers, REBs and institutions all play important roles in protecting individuals’ privacy in research [5].
Supporting research and protecting privacy at Canadian Blood Services
Canadian Blood Services is committed to protecting the privacy and security of the personal information in its custody by following applicable laws and best practices [6]. Canadian Blood Services is also committed to supporting research to improve the health of Canadians. Through its Centre for Innovation, Canadian Blood Services supports research by providing internal and external researchers with access to blood components (e.g. red blood cells, plasma, platelets), cord blood and unique sets of data [7].
Canadian Blood Services gives effect to the obligations and best practices outlined above by implementing processes to protect data and biological materials requested for use in research, including:
- Internal reviews – Requests for data or biological materials for use in research undergo internal review by subject-matter experts in areas such as research and ethics, blood, stem cells, organs and tissues, legal and privacy, and IT security. As part of the review, researchers may be asked to clarify or provide additional information and researchers may be required to enter into a data use agreement or material transfer agreement with Canadian Blood Services.
- Canadian Blood Services’ REB review process – Research involving human participants conducted by or on behalf of Canadian Blood Services or involving personal information or biologic materials collected by Canadian Blood Services that has been approved internally is sent to the Canadian Blood Services REB for review and approval. The Canadian Blood Services REB is an arm’s-length board established in 2001 that reports to the Canadian Blood Services board of directors. It is a multidisciplinary group established to review all research conducted by or on behalf of Canadian Blood Services and to enable Canadian Blood Services to act in accordance with the highest ethical standards. Should the REB decide not to approve a project, the decision is final and cannot be revoked by Canadian Blood Services. You can learn more about the Canadian Blood Services’ REB on Canadian Blood Services’ Research.Education.Discovery blog.
- Continuous improvement projects – Canadian Blood Services reviews and, as appropriate, updates and implements new processes to support the release of data and samples for research, while providing appropriate oversight and controls. For example, in 2014, Canadian Blood Services established a Cord Blood for Research Program to facilitate the distribution of cord blood products that do not meet the criteria for storage to researchers according to an ethical and legal framework. More recently, in 2018, Canadian Blood Services implemented a new standard operating procedure guiding its review process for release of data for research.
If you are a researcher or a health-care professional and want to learn more about Canadian Blood Services’ REB processes and requirements, please visit https://blood.ca/en/research/products-and-services-researchers/research-ethics-board.
If you are a donor, a research participant or a member of the public and wish to learn more about Canadian Blood Services’ commitment to data privacy, please visit https://blood.ca/en/about-us/notice-blood-donors.
The author acknowledges Elaine Ashfield, Dr. Sophie Chargé, Sylvia Torrance, Dr. Geraldine Walsh and Dr. Michael McDonald for their contributions and editorial support during the writing of this article.
1. Big Data and Your Privacy Rights. Information Privacy Commissioner of Ontario, January 25, 2017. https://www.ipc.on.ca/wp-content/uploads/2017/01/fact-sheet-big-data-with-links.pdf.
2. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679.
3. For example:
- Personal Health Information Protection Act, 2004, SO 2004, c 3, section 44.
- The Personal Health Information Act, CCSM c P33.5, section 24.
- Personal Health Information Act, SNS 2010, c 41, section 52-60.
- Personal Health Information Privacy and Access Act, SNB 2009, c P-7.05, section 43.
4. Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans. Canadian Institutes of Health Research, Natural Sciences and Engineering Research Council of Canada, and Social Sciences and Humanities Research Council of Canada, December 2018. http://www.pre.ethics.gc.ca/eng/documents/tcps2-2018-en-interactive-final.pdf.
5. TCPS2 Interpretations. Interagency Advisory Panel on Research Ethics. http://www.pre.ethics.gc.ca/eng/policy-politique/interpretations/privacy-privee/.
6. Canadian Blood Services website. https://blood.ca/en/about-us/privacy-and-confidentiality.
7. Canadian Blood Services website. https://blood.ca/en/research/our-research-activities.