Questions and Answers about PIPEDA and OHIPA for Researchers
Question: What are PIPEDA and OHIPA?
Answer: PIPEDA stands for the “Personal Information Protection and Electronic Documents Act”. It is federal legislation that protects personal information, including health information. It has been in effect and applicable to Federal government entities since 2001. Its impact was broadened on January 1st, 2004, when it became applicable to the commercial private sector. PIPEDA’s primary purpose is to govern the collection, use and disclosure of personal information in recognition of the realities of electronic commerce. It was not developed to specifically deal with
OHIPA stands for the Ontario “Health Information Protection Act”. It is provincial legislation which is currently in Draft Bill format (Bill C-31). It is currently in the committee hearings process, subsequent to its first reading in the House. OHIPA will provide, for the first time ever in Ontario, consistent, comprehensive rules governing the collection, use and disclosure of personal health information, and it will codify many of the current practices and codes of conduct of health care providers in Ontario. The legislation applies to health information custodians (e.g. health care practitioners, public and private hospitals, pharmacies etc.). It also applies to non-health information custodians (e.g. researchers, students, private individuals or companies who receive personal health information from a health information custodian).
Underlying both pieces of legislation are 10 “fair information” principles. These principles are set out in the Canadian Standards Association Model Code for the Protection of Personal Information, and they include:
Question: Does PIPEDA apply to research in the hospital and university setting?
Answer: The answer is very unclear. The Act applies only to collection, use and disclosure of information in the course of commercial activities. Principles of statutory interpretation indicate that, unless the paramount purpose of the research is profit-related, it is not commercial in character. That would exclude a large amount of research being conducted by the University and the affiliated hospitals.
HOWEVER, the guidance from the Privacy Commissioner’s Office is very ambiguous, and it is very difficult to determine whether or not research is “commercial in character”, given the inter-relations between academia, government and industry.
Question: If PIPEDA does apply to research, what implications does that have for the research and the researcher?
Answer: It means that:
i) The purposes for which personal information (i.e. information about an identifiable individual) is being collected will need to be disclosed to the data subject prior to or at the time it is being collected;
ii) Express or implied consent of the individual to the collection will have to be obtained;
iii) Unless certain criteria (for research) are met, the consent of the individual to the use and disclosure of the information will have to be obtained;
iv) The collection of the information will need to be limited to that which is essential for the disclosed purposes;
v) The use and disclosure of the information will need to be limited to the purposes for which it was collected, unless additional consent is obtained, or certain criteria (for research) are met;
vi) the information should be as accurate as possible, it should be protected by security safeguards appropriate to the sensitivity of the information, care should be used in disposal of the information; and
vi) the individual should be able to access the information or if that is not possible due to the nature of the information and the research, the exceptions to access should be specific, limited and explained to the individual. As noted in the Canadian Standards Model Code, exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security or other reasons or information that is subject to solicitor-client or litigation privilege.
Question: If PIPEDA does apply to my research, can I collect personal information (i.e. information about an identifiable individual) without consent?
Question: If PIPEDA does apply to my research, can I use or disclose the personal information that I have collected without the knowledge or consent of the individual?
Answer: Yes. If the following criteria are met:
• the research purposes cannot be achieved without the information
Question: If PIPEDA does apply to my research, what implications does that have for the Institution?
Answer: Institutions need to ensure that researchers are aware of their
The (former) Privacy Commissioner has stated (November 2002) that he
Question: If PIPEDA does apply to my research, what implications does that have for the
Answer: Firstly, independent of PIPEDA, the Research Ethics Board needs to ensure that the privacy and confidentiality provisions of the TCPS are being met. (Section 3)
Secondly, the Research Ethics Board needs to ensure that the provisions of PIPEDA are being met. That is, they should be ensuring that items i) through (vi) in Question Three above are addressed in the research plan, in the consent, in the approval and in monitoring.
Thirdly, Research Ethics Boards need to be aware that PIPEDA, if it applies, is paramount. Accordingly, despite the provisions of the TCPS on Secondary Use, (C, Articles 3.3 and 3.4), consent for secondary use of (identifiable) personal information cannot be waived unless the criteria outlined in Question five are met, including ensuring that the Privacy Commissioner has been made aware of the circumstances (presumably by having had the Institution make the Privacy Office aware of the policies and procedures respecting privacy and confidentiality in research.)
Question: Does OHIPA apply to research in the Hospital and University Setting?
Answer: The legislation as it stands is in draft format only, so it doesn’t apply to any
Question: If OHIPA is passed as it is currently proposed, will it apply to research in the
Answer: OHIPA applies only to personal health information collected, used, or disclosed by a health information custodian. OHIPA is focused on who collects the information; conversely, PIPEDA is focused on the context in which the information is being collected – i.e. commercial use.
A health information custodian includes health care practitioners, public and private hospitals, psychiatric facilities, long-term care facilities, community health centres, program and services, etc. Included within the definition of health care practitioner is anyone who is regulated by the Regulated Health Professions Act or the Drugless Practitioners Act, a person who is a member of the Ontario College of Social Workers or Social Service Workers who provides health care, and anyone else whose primary function is to provide health care for payment.
Therefore, OHIPA applies to research being conducted at either of the affiliated Hospitals or their various health centres, as well as to research being conducted by anyone at the University who is a health care practitioner as defined by the Act.
OHIPA applies to all personal health information (including mixed information) collected, used or disclosed by a health information custodian, or by a non-health custodian who obtains the information from the health custodian. Personal health information means identifying health information about an individual. So, for example, OHIPA would apply to a survey conducted by a non-health-care practitioner that contains identifying personal health information. It would not apply to a survey conducted by a non-health-care practitioner that contained only aggregate or anonymous (non-personal) health information.
Question: If OHIPA applies to me and/or my institution, what implications does that have for research being conducted in my institution or by me, as a health care practitioner?
Answer: As a health information custodian, you and your institution are subject to certain
These requirements are generally the 10 principles enunciated in the Canadian Standards model code set out above in Question One.
Question: If OHIPA comes into force, will I or my institution be able to collect personal health information about an individual (in relation to research or otherwise) without consent?
Answer: No, although consent may be express (orally or in writing) or implied, with some exceptions.
Question: If OHIPA comes into force, and I am a researcher, but not a health information practitioner or institution, will I be able to access personal health information for the purposes of research without the consent of the individual?
Answer: Yes, provided you get the approval of a research ethics board, and enter into an agreement with the health information custodian, pertaining to both the use of and the disclosure of the information. The same applies if you are a health care practitioner or a health care institution which wishes to use or disclose personal health information for research purposes without consent of the individual. (Except that in that case you don’t have to enter into an agreement with the health information custodian, if you are the custodian.)
Answer: If the institution is a healthcare custodian, it must comply with all of the provisions of the Act, respecting record keeping and management, access, accountability, description of policies etc.
The Institutions or healthcare practitioners must obtain the consent of their individual patients to release personal healthcare information to non-health care providers or for non-health care purposes, unless the REB has waived the requirement for a specific protocol.
Institutions which are health care custodians must also ensure that the researcher has research ethics board approval for his/her research and that the researcher has entered into an agreement with them respecting the use, security, disclosure, return or disposal of the information, consistent with the 10 fair information principles discussed above.
If the institution is not a healthcare custodian, but its researchers are, the institution should ensure that its health-care practitioner researchers comply with all of the provisions of the Act respecting record keeping and management, access, accountability, description of policies etc., in the context of their provision of health care to individuals and the collection and safeguarding of personal health care information.
Question: If OHIPA comes into force, what implications does that have for the research ethics board?
Answer: FIRST: Regardless of whether a protocol involves access to personal health information or not, in the review process, the provisions of the TCPS on privacy/confidentiality should be complied with. (Articles 3.2 – 3.6, pp 3.3 – 3.6)
SECOND: If the research is “commercial in character”, then PIPEDA potentially applies, and the REB should ensure that the provisions of PIPEDA are being met (see Question Seven above).
If the research is commercial in character and involves personal health information, and if OHIPA is recognized by the Governor in Council as being substantially similar to PIPEDA (the likelihood of which is a matter of debate), then PIPEDA does not have to be complied with, and the REB can omit this step.
THIRD: If the research involves “personal health information”, then regardless of whether or not PIPEDA applies (i.e. even if it is not commercial in character), the provisions of OHIPA will also have to be met.
Question: What does OHIPA require of the research ethics board in research where personal health information is involved?
Answer: Section 43 of OHIPA requires that if personal health information is being used or disclosed, then
(2) a written research plan must be submitted to the REB and it must set out
(a) the affiliation of each person involved in the research
Section 43 (3) outlines the matters that the research ethics board should consider, including matters that it considers relevant and
(a) whether the objectives of the research could be accomplished without using personal health information (e.g. by using either anonymized or aggregated data);
(b) whether at the time the research is conducted adequate safeguards will be in place to protect the privacy and preserve the confidentiality of the individual;
(c) the public interest in conducting the research and the public interest in protecting the privacy of the individuals whose personal health information is being disclosed; and
(d) whether obtaining the consent of the individuals would be impracticable.
Further, the REB must provide its decision to the researcher in writing, with reasons, setting out the approval of the plan and whether or not it is subject to
Question: Now I am really confused. Is there any simple solution?
Answer: Fortunately, there probably is. CIHR is developing a best practices document respecting the protection of privacy in the design, conduct and evaluation of health research. The provisions of that document are now publicly available. Researchers, REBs and institutions are also advised to review the Principles set out in the Canadian Standards Association Model Code for the Protection of Personal Information and, regardless of the provisions of any legislation and/or the applicability of any legislation, to bring their policies and procedures into line with the principles set out in the Model Code. Since these principles underlie the Federal and the provincial legislation (in Ontario and other provinces), complying with the Model Code should ensure that researchers, REBs and Institutions are being “duly diligent” in respecting the collection, use and disclosure of personal information in research.