TCPS 2 (2022) – Chapter 5: Privacy and Confidentiality
- A. Key Concepts
- B. Ethical Duty of Confidentiality
- C. Safeguarding Information
- D. Consent and Secondary Use of Information for Research Purposes
- E. Data Linkage
There is widespread agreement about the interests of participants in protection of privacy, and the corresponding duties of researchers to treat personal information in a confidential manner. Indeed, the respect for privacy in research is an internationally recognized norm and ethical standard. Fundamental rights and freedoms in the Canadian Constitution have been interpreted by the courts to include privacy protections. Privacy rights are protected in federal and provincial/territorial legislation. Model voluntary codes have also been adopted to govern access to, and the protection of, personal information. Some professional organizations have established codes that set out the conditions and obligations of their members regarding the collection, use and disclosure of personal information.
Privacy risks in research relate to the identifiability of participants, and the potential harms they, or groups to which they belong, may experience from the collection, use and disclosure of personal information. Privacy risks arise at all stages of the research life cycle, including initial collection of information, use and analysis to address research questions, dissemination of findings, storage and retention of information, and disposal of records or devices on which information is stored.
This Policy is based on a proportionate approach to the assessment of the ethical acceptability of research. Researchers and research ethics boards (REBs) are expected to identify and minimize privacy risks, keeping in mind that a matter that is not sensitive or embarrassing for the researcher may be so for the participant.
In addition to following the guidance provided in this Policy, researchers are responsible for compliance with all applicable legal and regulatory requirements with respect to protection of privacy, and consent for the collection, use or disclosure of information about participants. These requirements may vary by jurisdiction and, depending on who is funding or conducting the research, may include obligations under the Constitution (including the Canadian Charter of Rights and Freedoms), and federal or provincial privacy legislation, among other legal and regulatory requirements.
A. Key Concepts
Privacy refers to an individual's right to be free from intrusion or interference by others. It is a fundamental right in a free and democratic society. Individuals have privacy interests in relation to their bodies, personal information, expressed thoughts and opinions, personal communications with others, and spaces they occupy. Research affects these various domains of privacy in different ways, depending on its objectives and methods. An important aspect of privacy is the right to control information about oneself. The concept of consent is related to the right to privacy. Privacy is respected if an individual has an opportunity to exercise control over personal information by consenting to, or withholding consent for, the collection, use and/or disclosure of information (see Chapter 3 for further discussion of consent).
The ethical duty of confidentiality refers to the obligation of an individual or organization to safeguard entrusted information. The ethical duty of confidentiality includes obligations to protect information from unauthorized access, use, disclosure, modification, loss or theft. Fulfilling the ethical duty of confidentiality is essential to the trust relationship between researcher and participant, and to the integrity of the research project.
Security refers to measures used to protect information. It includes physical, administrative, and technical safeguards. An individual or organization fulfills its confidentiality duties, in part, by adopting and enforcing appropriate security measures. Physical safeguards include the use of locked filing cabinets, and the location of computers containing research data away from public areas. Administrative safeguards include the development and enforcement of organizational rules about who has access to personal information about participants. Technical safeguards include use of computer passwords, firewalls, anti-virus software, encryption and other measures that protect data from unauthorized access, loss or modification.
Where researchers seek to collect, use, share and access different types of information or data about participants, they are expected to determine whether the information or data proposed in research may reasonably be expected to identify an individual. For the purposes of this Policy, researchers and REBs shall consider whether information is identifiable or non-identifiable. Information is identifiable if it may reasonably be expected to identify an individual, when used alone or combined with other available information. Information is non-identifiable if it does not identify an individual, for all practical purposes, when used alone or combined with other available information. The term "personal information" generally denotes identifiable information about an individual. The assessment of whether information is identifiable is made in the context of a specific research project.
Types of Information
Researchers may seek to collect, use, share and access different types of information about participants. Such information may include personal characteristics or other information about which an individual has a reasonable expectation of privacy (e.g., age, ethnicity, educational background, employment history, health history, life experience, religion, social status).
For the purposes of this Policy, researchers and REBs shall consider whether information proposed for use in research is identifiable. The following categories provide guidance for assessing the extent to which information could be used to identify an individual:
- Directly identifying information – the information identifies a specific individual through direct identifiers (e.g., name, social insurance number, personal health number).
- Indirectly identifying information – the information can reasonably be expected to identify an individual through a combination of indirect identifiers (e.g., date of birth, place of residence or unique personal characteristic).
- Coded information – direct identifiers are removed from the information and replaced with a code. Depending on access to the code, it may be possible to re-identify specific participants (e.g., the principal investigator retains a list that links the participants' code names with their actual names so data can be re-linked if necessary).
- Anonymized information – the information is irrevocably stripped of direct identifiers, a code is not kept to allow future re-linkage, and risk of re-identification of individuals from remaining indirect identifiers is low or very low.
- Anonymous information – the information never had identifiers associated with it (e.g., anonymous surveys) and risk of identification of individuals is low or very low.
Ethical concerns regarding privacy decrease as it becomes more difficult (or impossible) to associate information with a particular individual. These concerns also vary with the sensitivity of the information and the extent to which access, use or disclosure may harm an individual or group.
The easiest way to protect participants is through the collection and use of anonymous or anonymized data, although this is not always possible or desirable. For example, after information is anonymized, it is not possible to link new information to individuals within a data set, or to return results to participants. A "next best" alternative is to use de-identified data: the data are provided to the researcher in de-identified form and the existing key code is accessible only to a custodian or trusted third party who is independent of the researcher. The last alternative is for researchers to collect data in identifiable form and take measures to de-identify the data as soon as possible. Although these measures are effective ways to protect participants from identification, the use of indirectly identifying, coded, anonymized or anonymous information for research may still present risks of re-identification.
Technological developments have increased the ability to access, store and analyze large volumes of data. These activities may heighten risks of re-identification, such as when researchers link data sets (Section E of this chapter), or where a data set contains information about a population in a small geographical area, or about individuals with unique characteristics (e.g., uncommon field of occupational specialization, diagnosis of a very rare disease). Various factors can affect the risks of re-identification, and researchers and REBs should be vigilant in their efforts to recognize and reduce these risks. Data linkage of two or more data sets of anonymous information may present risks of identification (Article 2.4 or Article 9.22).
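The two ideas in the passages above (coded information whose linkage list stays with a custodian, and re-identification risk from combinations of indirect identifiers such as date of birth and place of residence) are easier to reason about with a concrete data set. The following example is added here by the editor; it is not part of TCPS 2 and does not come from any REB toolkit. It uses only the Python standard library, a constructed set of six made-up records, and an assumed design choice: participant codes are derived from a direct identifier with a keyed HMAC, so that the researcher's copy of the data carries no direct identifiers and the code cannot be recomputed without the custodian's key. The uniqueness check then shows that the coded data can still single out every participant on (date of birth, postal area) alone, and that generalizing those fields is what actually lowers the risk.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (made-up values, not data from any real study).
# "name" and "health_no" are direct identifiers; "dob" and "postal" are indirect
# identifiers that can identify someone in combination.
RECORDS = [
    {"name": "Alice Example", "health_no": "1111 111 111", "dob": "1980-04-12", "postal": "K1A", "diagnosis": "asthma"},
    {"name": "Bob Example",   "health_no": "2222 222 222", "dob": "1980-11-23", "postal": "K1A", "diagnosis": "asthma"},
    {"name": "Carol Example", "health_no": "3333 333 333", "dob": "1972-09-30", "postal": "T5K", "diagnosis": "diabetes"},
    {"name": "Dan Example",   "health_no": "4444 444 444", "dob": "1975-01-05", "postal": "T5K", "diagnosis": "asthma"},
    {"name": "Eve Example",   "health_no": "5555 555 555", "dob": "1991-06-06", "postal": "V6B", "diagnosis": "diabetes"},
    {"name": "Frank Example", "health_no": "6666 666 666", "dob": "1993-02-14", "postal": "V6B", "diagnosis": "asthma"},
]

DIRECT_IDENTIFIERS = ("name", "health_no")
QUASI_IDENTIFIERS = ("dob", "postal")


def new_key() -> bytes:
    """Custodian's secret key. Assumption: generated once and never given to the researcher."""
    return secrets.token_bytes(32)


def make_code(key: bytes, health_no: str) -> str:
    """Participant code derived from a direct identifier with HMAC-SHA256.
    A plain unkeyed hash would not do: the identifier space is small enough to
    brute-force, so anyone could recompute codes and re-link. With the key held
    only by the custodian, the researcher's copy is 'coded' in TCPS 2 terms."""
    return hmac.new(key, health_no.encode(), hashlib.sha256).hexdigest()[:16]


def code_records(records, key):
    """Split the data into (coded dataset for the researcher, linkage list for the custodian).
    The coded dataset has every direct identifier removed; the linkage list maps
    code -> name so the custodian, and only the custodian, can re-link if needed."""
    coded, linkage = [], {}
    for r in records:
        code = make_code(key, r["health_no"])
        coded.append({"code": code, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
        linkage[code] = r["name"]
    return coded, linkage


def relink(coded_record, linkage):
    """Re-identification is only possible for whoever holds the linkage list."""
    return linkage.get(coded_record["code"])


def quasi_identifier_uniqueness(coded):
    """For each record, the size of its equivalence class on the indirect identifiers.
    A class size of 1 means the (dob, postal) combination alone singles out that
    person to anyone who knows those two facts about them, key or no key."""
    key_of = lambda r: tuple(r[q] for q in QUASI_IDENTIFIERS)
    counts = Counter(key_of(r) for r in coded)
    return {r["code"]: counts[key_of(r)] for r in coded}


def generalize(coded):
    """Lower re-identification risk by coarsening the indirect identifiers:
    date of birth becomes a birth decade and the postal area is kept as-is.
    Returns a new list so the caller can compare the uniqueness before and after."""
    return [{**r, "dob": r["dob"][:3] + "0s"} for r in coded]


if __name__ == "__main__":
    key = new_key()
    coded, linkage = code_records(RECORDS, key)
    print("researcher's view:", coded[0])                      # no name, no health number
    print("custodian re-links:", relink(coded[0], linkage))    # Alice Example
    print("class sizes, raw  :", sorted(quasi_identifier_uniqueness(coded).values()))
    print("class sizes, coarse:", sorted(quasi_identifier_uniqueness(generalize(coded)).values()))
```

The point of the second half is the one the text makes: removing direct identifiers (or even holding the key elsewhere) does not by itself make data non-identifiable. On this constructed set every record is unique on (date of birth, postal area); coarsening date of birth to a decade puts every record in a class of at least two. Whether a given class size is "low or very low" risk is a judgement for the researcher and REB in the context of the specific project, and small populations or rare diagnoses (as the text notes) can defeat generalization that looks adequate on paper.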
Where it is not feasible to use anonymous or anonymized data for research (and there are many reasons why data may need to be gathered and retained in an identifiable form), the ethical duty of confidentiality and the use of appropriate measures to safeguard information become paramount. This Policy generally requires more stringent protections in research involving identifiable information. Researchers are expected to consult their REBs if they are uncertain about whether information proposed for use in research is identifiable (e.g., when proposing to link anonymized or coded data sets).
B. Ethical Duty of Confidentiality
Researchers shall safeguard information entrusted to them and not misuse or wrongfully disclose it. Institutions shall support their researchers in maintaining promises of confidentiality.
When researchers obtain information with a promise of confidentiality, they assume an ethical duty that is central to respect for participants and the integrity of the research project. Breaches of confidentiality may harm the participant, the trust relationship between the researcher and the participant, other individuals or groups, and/or the reputation of the research community. Research that probes sensitive topics (e.g., illegal activities) generally depends on strong promises of confidentiality to establish trust with participants.
The ethical duty of confidentiality applies to information obtained directly from participants, or from other researchers or organizations that have legal, professional or other obligations to maintain confidentiality.
The ethical duty of confidentiality must, at times, be balanced against competing ethical considerations or legal or professional requirements that call for disclosure of information obtained or created in a research context. For example, in exceptional and compelling circumstances, researchers may be subject to obligations to report information to authorities to protect the health, life or safety of a participant or a third party, a community, or the general population. Researchers are expected to be aware of ethical codes (such as professional codes of conduct) or laws (e.g., those requiring the reporting of children in need of protection or the presence of reportable communicable diseases) that may require disclosure of information they obtain in a research context. In other situations, a third party may seek access to information obtained and/or created in confidence in a research context. An access request may seek voluntary disclosure of information or may seek to compel disclosure through force of law (e.g., by subpoena). Chapter 1, Section C, elaborates on the relationship between research ethics and law.
Certain areas of research (such as research involving children at risk of abuse or studies of criminal behaviour or research about reportable communicable diseases) are more likely to put researchers in positions where they may experience tension between the ethical duty of confidentiality and disclosure to third parties (Application of Article 5.2). Where possible, practicable, and appropriate, researchers should design their research to avoid or mitigate foreseeable conflicts, for instance, by collecting the minimal identifiable information that is necessary to answer the research question. Researchers shall maintain their promise of confidentiality to participants within the extent permitted by ethical principles and/or law. This may involve resisting requests for access, such as opposing court applications seeking disclosure. Researchers' conduct in such situations should be assessed on a case-by-case basis and guided by consultation with colleagues, any relevant professional body, the REB, legal counsel and/or persons knowledgeable about applicable laws and regulations in the relevant jurisdictions.
In some instances, participants may waive anonymity (e.g., if they wish to be identified for their contributions to the research). Researchers should obtain the consent of these participants and negotiate agreements with them that specify how they may be identified or recognized for their contribution. Where an individual participant waives anonymity but other members of the participant group object because identification may cause harm to the group, researchers shall maintain anonymity for all members of the participant group (Article 3.2[f] and Article 10.4).
Researchers, REBs and institutions share the responsibility for protecting participant confidentiality. Institutions are responsible for creating and maintaining a supportive research environment, establishing appropriate institutional security safeguards, training researchers and REBs regarding best privacy practices, and implementing processes and policies that guide and support researchers and REBs in protecting participant confidentiality. See Articles 5.4, 6.2, and 6.7 and the Agreement on the Administration of Agency Grants and Awards by Research Institutions.
In granting its approval for a study, the REB triggers the responsibility of the institution to support researchers in their commitment to protect participant confidentiality (Articles 6.1 and 6.2). Use of an alternative model of REB review (e.g., delegating review to an external REB) does not relieve the institution of this responsibility. Institutions that have adopted alternative review models remain responsible for the ethical acceptability and ethical conduct of research undertaken within their jurisdictions or under their auspices (Article 8.1).
In situations where there is an attempt by legal means (e.g., warrant, subpoena) to compel disclosure of confidential participant information, institutions are required to provide researchers with financial and other support to obtain independent legal advice or to ensure that such support is provided. For the purposes of this Policy, "legal advice" includes all legal services that a researcher in this situation may require, including representation. The purpose of independent legal advice is to permit the researcher to make an informed decision as to whether to disclose or to resist disclosure of confidential participant information. Researchers who are considering resisting disclosure must be aware of the personal consequences of choosing to respect ethical principles rather than legal obligations where the two cannot be reconciled. Such legal advice should be independent of any advice to the institution.
Institutions should consider whether research being conducted under its auspices or within its jurisdiction is likely to put researchers in positions where they may experience tension between the ethical duty of participant confidentiality and the legal obligation of disclosure of confidential participant information or attempts to compel disclosure of confidential participant information to third parties. Where that likelihood exists, the institution should establish policies, procedures or guidelines that explain how it will fulfill its responsibilities to support its researchers. They should include an explanation of the nature and the scope of the support, a mechanism to determine the level of support in individual cases, the source of funding (e.g., dedicated fund, insurance, agreement with professional association) and any other relevant criteria. The institution should establish such policies, procedures or guidelines in collaboration with its researchers.
Researchers shall describe measures for meeting confidentiality obligations and explain any reasonably foreseeable disclosure requirements:
- in application materials they submit to the REB; and
- during the consent process with prospective participants.
This article recognizes that some research projects and some areas of research are more likely to put researchers in a position where they may have a requirement to disclose information to third parties. The reasonable foreseeability of disclosure requirements can be assessed by considering the nature and objectives of the research inquiry. For example, research that involves interviewing high risk families about intergenerational violence raises a reasonably foreseeable prospect that researchers may acquire information that a child is being abused. Another example is community health research where researchers may be required to notify public health authorities of participants who have contracted a reportable communicable disease. Researchers who reasonably foresee that their inquiries may give rise to an ethical or legal obligation to disclose information obtained in the research context shall advise the REB and prospective participants about the possibility of compelled disclosure. Advising participants of reasonably foreseeable disclosure requirements is an important aspect of the consent process.
Situations may arise where researchers unexpectedly acquire information that gives rise to a reason for disclosure to a third party, or researchers may receive a disclosure demand from a third party. In such cases, advising a participant about the disclosure may be important to respect the trust relationship with the participant and to ensure the validity of the participant's ongoing consent. Decisions about whether, how and when to advise a participant of disclosure should be guided by any applicable disciplinary standards and consultation with colleagues, any relevant professional body, the REB, legal counsel, and/or persons knowledgeable about applicable laws and regulations in the relevant jurisdiction(s) (e.g., public health).
Researchers shall also inform participants and seek their consent if their personal information may be shared with mandated government departments or agencies (such as local public health authorities), community partners in the research, a research sponsor (such as a pharmaceutical company), the REB or a regulatory agency.
Researchers shall avoid being put in a position of becoming informants for authorities or leaders of organizations. For example, when records of prisoners, employees, students or others are used for research purposes, the researcher shall not provide authorities with results that could identify individuals unless the prior written consent of the participants has been given. Researchers may, however, provide administrative bodies with aggregated data that cannot be linked to individuals for purposes such as policy making or program evaluation. When seeking consent, researchers shall advise prospective participants if aggregated data from a project may be disclosed, particularly where such disclosure may pose a risk to the participants. For example, aggregate data provided to authorities about research on illicit drug use in a penitentiary may pose risks of reprisal to the prisoners even though they are not identified individually.
When planning a study, researchers should incorporate any applicable statute-based or other legal principles that may afford protection for the privacy of participants and the confidentiality of research information.
C. Safeguarding Information
Researchers shall provide details to the REB regarding their proposed measures for safeguarding information, for the full life cycle of information: its collection, use, dissemination, retention and/or disposal.
Researchers shall assess privacy risks and threats to the security of information for all stages of the research life cycle and implement appropriate measures to protect information. Safeguarding information helps respect the privacy of participants and helps researchers fulfill their confidentiality obligations. In adopting measures to safeguard information, researchers should follow disciplinary standards and practices for the collection and protection of information gathered for research purposes. Formal privacy impact assessments are required in some institutions and may also be required under legislation or policy in some jurisdictions. Security measures should take into account the nature, type and state of data: the data's form (e.g., paper or electronic records); content (e.g., presence of direct or indirect identifiers); mobility (e.g., kept in one location or subject to physical or electronic transport); and vulnerability to unauthorized access (e.g., use of encryption or password protection). Measures for safeguarding information apply both to original documents and copies of information.
Factors relevant to the REB's assessment of the adequacy of the researchers' proposed measures for safeguarding information include:
- the type of information to be collected;
- the purpose for which the information will be used, and the purpose of any secondary use of identifiable information;
- limits on the use, disclosure, and retention of the information;
- risks to participants should the security of the data be breached, including risks of re-identification of individuals;
- appropriate security safeguards for the full life cycle of information;
- any recording of observations (e.g., photographs, videos, sound recordings) in the research that may allow identification of particular participants;
- any anticipated uses of personal information from the research; and
- any anticipated linkage of data gathered in the research with other data about participants, whether those data are contained in public or personal records (see also Section E of this chapter).
In considering the adequacy of proposed measures for safeguarding information during its full life cycle, REBs should not automatically impose a requirement that researchers destroy the research data. Stored information may be useful for a variety of future purposes. Appropriate data retention periods vary depending on the research discipline, research purpose and the kind of data involved. In some situations, formal data sharing with participants may occur, for example, by giving individual participants copies of a recording or transcript as a gift for personal, family or other archival use. Similarly, some funding bodies, such as the Social Sciences and Humanities Research Council of Canada and the Canadian Institutes of Health Research, have specific policies on data archiving and sharing. Researchers should address how participants' information will be handled if participants choose to withdraw from the research.
In disseminating findings, researchers shall not disclose identifiable information without the consent of participants. In the case of critical inquiry research, identifiable information may be revealed about any objects of the inquiry as they are usually not regarded as participants (Article 3.6). Researchers shall take reasonable measures to avoid inadvertent identification of individuals or groups in publications or other means of dissemination – and they must address this issue to the satisfaction of the REB.
Consideration of future uses of personal information refers not just to research, but also to other purposes, such as the future use of research materials for educational purposes.
Research data sent over the Internet may require encryption or use of special denominalization software to prevent interception by unauthorized individuals, or other risks to data security. In general, identifiable data obtained through research that is kept on a computer and connected to the Internet should be encrypted.
Institutions or organizations where research data are held have a responsibility to establish appropriate institutional security safeguards.
In addition to the security measures researchers implement to protect data, safeguards put in place at the institutional or organizational level also provide important protection. These data security safeguards should include adequate physical, administrative, and technical measures and should address the full life cycle of information. This includes institutional or organizational safeguards for information while it is currently in use by researchers, and for any long-term retention of information.
D. Consent and Secondary Use of Information for Research Purposes
Secondary use refers to the use in research of information originally collected for a purpose other than the current research purpose. Common examples are social science or health survey data sets that are collected for specific research or statistical purposes but then re-used to answer other research questions. Information initially collected for program evaluation may be useful for subsequent research. Other examples include health care records, school records, biological specimens, vital statistics registries or unemployment records, all of which are originally created or collected for therapeutic, educational or administrative purposes, but which may be sought later for use in research. Chapter 12 provides further guidance on research involving secondary use of previously collected biological materials.
Reasons to conduct secondary analyses of data include: avoidance of duplication in primary collection and the associated reduction of burdens on participants; corroboration or criticism of the conclusions of the original project; comparison of change in a research sample over time; application of new tests of hypotheses that were not available at the time of original data collection; and confirmation that the data are authentic. Privacy concerns and questions about the need to seek consent arise, however, when information provided for secondary use in research can be linked to individuals, and when the possibility exists that individuals can be identified in published reports, or through data linkage (Article 5.7). Privacy legislation recognizes these concerns and permits secondary use of identifiable information under certain circumstances.
Researchers who have not obtained consent from participants for secondary use of identifiable information shall only use such information for these purposes if they have satisfied the REB that:
- (a) identifiable information is essential to the research;
- (b) the use of identifiable information without the participants' consent is unlikely to adversely affect the welfare of individuals to whom the information relates;
- (c) the researchers will take appropriate measures to protect the privacy of individuals and to safeguard the identifiable information;
- (d) the researchers will comply with any known preferences previously expressed by individuals about any use of their information;
- (e) it is impossible or impracticable (see Glossary) to seek consent from individuals to whom the information relates; and
- (f) the researchers have obtained any other necessary permission for secondary use of information for research purposes.
If a researcher satisfies all the conditions in Article 5.5A(a) to (f), the REB may approve the research without requiring consent from the individuals to whom the information relates.
In the case of secondary use of identifiable information, researchers must obtain consent unless the researcher satisfies all the requirements in Article 5.5A.
The exception to the requirement to seek consent in this article is specific to secondary use of identifiable information. The terms of Article 3.7A address alteration of consent in other circumstances and do not apply here.
Secondary use of information identifiable as originating from a specific First Nations, Inuit or Métis community, or a segment of the Indigenous community at large, is addressed in Articles 9.20 to 9.22.
"Impracticable" refers to undue hardship or onerousness that jeopardizes the conduct of the research; it does not mean mere inconvenience (see Glossary). Consent may be impossible or impracticable when the group is very large or when its members are likely to be deceased, geographically dispersed, or difficult to track. Attempting to track and contact members of the group may raise additional privacy concerns. Financial, human, and other resources required to contact individuals and seek consent may impose undue hardship on the researcher. In some jurisdictions, privacy laws may preclude researchers from using personal information to contact individuals to seek their consent for secondary use of information.
The researcher must respect relevant privacy laws, regulations and institutional policies and may be required to consult with or obtain approval from appropriate data stewards. Privacy laws may impose specific rules regarding disclosure of information for secondary use in research. These laws may require the individual or organization that has custody or control of requested personal information to obtain approval from a privacy commissioner or other body before disclosing information to researchers. They may also impose additional requirements such as information-sharing agreements that describe disclosure conditions. These requirements may include the stipulation that the researcher not publish identifiable information or contact individuals to whom the information relates.
At the time of initial collection, individuals may have had an opportunity to express preferences about future uses of information, including research uses. See Article 3.2(d). Data stewards have an obligation to respect the individual's expressed preferences. For example, where an individual does not want information used for future research, data stewards shall remove this information from any data sets used or made available for research.
In cases where the proposed research involves information of greater sensitivity (e.g., genetic information, information about individuals who seek help through domestic violence shelters, information about sexual practices), the REB may require that researchers engage in discussion with people whose perspectives can help identify the ethical implications of the research, and suggest ways to minimize any associated risks. Discussion is not intended to serve as proxy consent. Rather, a goal of discussion is to seek input regarding the proposed research, such as the design of the research, measures for privacy protection, and potential uses of findings. Discussion may also be useful to determine whether the research will adversely affect the welfare of individuals to whom the information relates. Researchers shall advise the REB of the outcome of such discussions. The REB may require modifications to the research proposal based on these discussions.
Researchers shall seek REB review, but are not required to seek participant consent, for research that relies exclusively on the secondary use of non-identifiable information.
The onus will be on the researcher to establish to the satisfaction of the REB that, in the context of the proposed research, the information to be used can be considered non-identifiable for all practical purposes. For example, the secondary use of coded information may identify individuals in research projects where the researcher has access to the key that links the participants' codes with their names. Consent would be required in this situation. However, the same coded information may be assessed as non-identifiable in research projects where the researcher does not have access to the key. Consent would not be required in this situation.
When secondary use of identifiable information without the requirement to seek consent has been approved under Article 5.5A, researchers who propose to contact individuals for additional information or for reasons related to the welfare of the participant shall, prior to contact, seek REB approval of the plan for making contact.
In certain cases, a research goal may be achieved only through follow-up contact with individuals to collect additional information. In rare cases, during the course of analysis, a researcher may discover a finding that has a potential impact on an individual's welfare. If the researcher suspects that welfare implications to the participant may be significant, the researcher and REB should refer to the guidance in Article 3.4, which addresses material incidental findings. Under Article 5.5A, the REB may have approved secondary use without the requirement to seek consent, based, in part, on the impossibility or impracticability of seeking consent from all individuals whose information is proposed for use in research. Where contact with a subgroup is feasible, researchers may subsequently wish to attempt to make contact with some individuals to obtain additional information. Contact with individuals whose previously collected information has been approved for secondary use in research raises privacy concerns. Individuals might not want to be contacted by researchers or might be upset that identifiable information was disclosed to researchers without their consent. The potential benefits of follow-up contact must clearly outweigh the risks to individuals of follow-up contact, and the REB must be satisfied that the proposed manner of follow-up contact minimizes risks to individuals. The proposed plan shall explain who will contact individuals to invite their participation in the research (e.g., a representative of the organization that holds the individual's information) and the nature of his or her relationship with those individuals. Researchers shall also ensure that a plan for follow-up contact complies with applicable privacy legislation. For example, some privacy laws prohibit researchers from contacting individuals unless the custodian of the information has first sought and obtained individuals' consent to be contacted. 
Whenever possible, it is preferable that re-contact with participants be carried out by the custodian of the original data set. Researchers will need to seek consent from individual participants for any new data collection. Article 3.1 provides further guidance on consent and approaches to recruitment.
E. Data Linkage
Researchers who propose to engage in data linkage shall obtain REB approval prior to carrying out the data linkage. The application for approval shall describe the data that will be linked and the likelihood that identifiable information will be created through the data linkage.
Where data linkage involves or is likely to produce identifiable information, researchers shall satisfy the REB that:
- the data linkage is essential to the research; and
- appropriate security measures will be implemented to safeguard information.
Growing numbers of databases and advancing technological capacity to link databases create new research opportunities, but also new privacy risks. In particular, linkage of de-identified or anonymized databases may permit re-identification of individuals. This article provides guidance for researchers who propose to carry out data linkage and requires that they assess and minimize risks of re-identification. Only a restricted number of individuals should perform the function of merging databases. Researchers should use enhanced security measures to store the merged file.
Where researchers seek access to data sets held by another organization, it may be preferable for the data holder to carry out the data linkage and remove identifiers before disclosing the merged data set.
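The two points above, and the coded-information case in the application of Article 5.5B, are easier to see on data. The following is an added example, not text or code from TCPS 2 or its authors: it links a "de-identified" research extract to a public listing on quasi-identifiers alone (the re-identification risk the article warns about), measures how exposed the extract is, and then shows the custodian-side alternative in which the data holder links on a direct identifier, replaces it with a keyed pseudonym whose key never leaves the custodian, coarsens and suppresses the quasi-identifiers, and only then releases the merged file. All records, names, health numbers and the HMAC-based pseudonymization scheme are constructed for illustration and are not drawn from the Policy.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data (illustrative only, not from the Policy).
# A research extract with names removed but quasi-identifiers left intact.
DEIDENTIFIED_EXTRACT = [
    {"postal": "K1A0B1", "birth_year": 1961, "sex": "F", "diagnosis": "diabetes"},
    {"postal": "K1A0B1", "birth_year": 1984, "sex": "M", "diagnosis": "asthma"},
    {"postal": "M5V2T6", "birth_year": 1975, "sex": "M", "diagnosis": "hypertension"},
    {"postal": "M5V2T6", "birth_year": 1975, "sex": "M", "diagnosis": "asthma"},
]
# A constructed public listing (directory, voter list) carrying the same fields plus names.
PUBLIC_LISTING = [
    {"name": "A. Tremblay", "postal": "K1A0B1", "birth_year": 1961, "sex": "F"},
    {"name": "B. Singh", "postal": "K1A0B1", "birth_year": 1984, "sex": "M"},
    {"name": "C. Nguyen", "postal": "M5V2T6", "birth_year": 1975, "sex": "M"},
    {"name": "D. Roy", "postal": "M5V2T6", "birth_year": 1975, "sex": "M"},
]
QI = ("postal", "birth_year", "sex")  # quasi-identifiers in the raw extract


def qi_key(row, fields=QI):
    return tuple(row[f] for f in fields)


def linkage_reidentify(extract, listing, fields=QI):
    """Join on quasi-identifiers only. A row is re-identified when its
    quasi-identifier combination is unique in both data sets, so the join
    attaches exactly one name. Returns {name: diagnosis} for such rows."""
    extract_counts = Counter(qi_key(r, fields) for r in extract)
    names_by_qi = {}
    for r in listing:
        names_by_qi.setdefault(qi_key(r, fields), []).append(r["name"])
    found = {}
    for r in extract:
        names = names_by_qi.get(qi_key(r, fields), [])
        if extract_counts[qi_key(r, fields)] == 1 and len(names) == 1:
            found[names[0]] = r["diagnosis"]
    return found


def k_anonymity(rows, fields=QI):
    """Size of the smallest quasi-identifier equivalence class (k=1 means some row is unique)."""
    counts = Counter(qi_key(r, fields) for r in rows)
    return min(counts.values()) if counts else 0


# Custodian-held registries keyed by a direct identifier (constructed health numbers).
REGISTRY_A = [
    {"health_no": "H001", "name": "A. Tremblay", "postal": "K1A0B1", "birth_year": 1961, "sex": "F", "diagnosis": "diabetes"},
    {"health_no": "H002", "name": "B. Singh", "postal": "K1A0B1", "birth_year": 1984, "sex": "M", "diagnosis": "asthma"},
    {"health_no": "H003", "name": "C. Nguyen", "postal": "M5V2T6", "birth_year": 1975, "sex": "M", "diagnosis": "hypertension"},
    {"health_no": "H004", "name": "D. Roy", "postal": "M5V2T6", "birth_year": 1978, "sex": "M", "diagnosis": "asthma"},
    {"health_no": "H005", "name": "E. Lee", "postal": "K1A0B2", "birth_year": 1965, "sex": "F", "diagnosis": "asthma"},
]
REGISTRY_B = [
    {"health_no": "H001", "prescription": "metformin"},
    {"health_no": "H002", "prescription": "salbutamol"},
    {"health_no": "H003", "prescription": "amlodipine"},
    {"health_no": "H004", "prescription": "salbutamol"},
    {"health_no": "H005", "prescription": "salbutamol"},
]
RELEASED_QI = ("postal_fsa", "birth_decade", "sex")  # quasi-identifiers after generalization


def pseudonym_for(health_no, custodian_key):
    """Keyed pseudonym (HMAC-SHA256, assumed scheme). Without custodian_key the
    researcher holds no key linking codes to identities, the situation the
    application of Article 5.5B treats as non-identifiable."""
    return hmac.new(custodian_key, health_no.encode(), hashlib.sha256).hexdigest()[:16]


def generalize(row):
    """Coarsen quasi-identifiers: forward sortation area and decade of birth."""
    return {"postal_fsa": row["postal"][:3], "birth_decade": row["birth_year"] // 10 * 10, "sex": row["sex"]}


def custodian_link_and_release(reg_a, reg_b, custodian_key, k_min=2):
    """Data-holder-side linkage: join on the direct identifier, drop names and
    health numbers, substitute a keyed pseudonym, generalize, then suppress any
    row whose generalized quasi-identifiers still form a class smaller than k_min."""
    b_by_id = {r["health_no"]: r for r in reg_b}
    merged = []
    for a in reg_a:
        b = b_by_id.get(a["health_no"])
        if b is None:
            continue  # no record to link; nothing released for this person
        out = generalize(a)
        out.update({"id": pseudonym_for(a["health_no"], custodian_key),
                    "diagnosis": a["diagnosis"], "prescription": b["prescription"]})
        merged.append(out)
    counts = Counter(qi_key(r, RELEASED_QI) for r in merged)
    return [r for r in merged if counts[qi_key(r, RELEASED_QI)] >= k_min]


if __name__ == "__main__":
    print("re-identified via linkage:", linkage_reidentify(DEIDENTIFIED_EXTRACT, PUBLIC_LISTING))
    print("k of raw extract:", k_anonymity(DEIDENTIFIED_EXTRACT))
    released = custodian_link_and_release(REGISTRY_A, REGISTRY_B, b"custodian-secret")
    print("released rows:", len(released), "k:", k_anonymity(released, RELEASED_QI))
```

Running it shows the first extract giving up two names on a plain join (the two rows that share a quasi-identifier combination survive only because they are not unique), while the custodian-produced file carries no name or health number, uses pseudonyms the researcher cannot reverse, and drops the one record whose generalized attributes were still unique. Generalization and suppression are one of several disclosure-control techniques; the thresholds, fields and pseudonym scheme here are assumptions for the illustration, and in practice they would be set in the data-sharing agreement and reviewed by the REB.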
Legislation and organizational policies may regulate data linkage in specific circumstances. For example, some personal information protection legislation requires data-sharing agreements that regulate conditions under which data linkage may be carried out. Data holders, such as statistics agencies, may also have policies on data linkage. [Footnote 4]
Where researchers propose to access and link data sets of identifiable information for the secondary purpose of research, the requirements of Section D of this chapter apply.