
Privacy

Privacy refers to an individual’s right to be free from intrusion or interference by others. It is a fundamental right in a free and democratic society. Individuals have privacy interests in relation to their bodies, personal information, expressed thoughts and opinions, personal communications with others, and spaces they occupy. Research affects these various domains of privacy in different ways, depending on its objectives and methods. An important aspect of privacy is the right to control information about oneself. The concept of consent is related to the right to privacy. Privacy is respected if an individual has an opportunity to exercise control over personal information by consenting to, or withholding consent for, the collection, use and/or disclosure of information (see Chapter 3 for further discussion of consent).

Confidentiality

The ethical duty of confidentiality refers to the obligation of an individual or organization to safeguard entrusted information. The ethical duty of confidentiality includes obligations to protect information from unauthorized access, use, disclosure, modification, loss or theft. Fulfilling the ethical duty of confidentiality is essential to the trust relationship between researcher and participant, and to the integrity of the research project.

Security

Security refers to measures used to protect information. It includes physical, administrative and technical safeguards. An individual or organization fulfils its confidentiality duties, in part, by adopting and enforcing appropriate security measures. Physical safeguards include the use of locked filing cabinets, and the location of computers containing research data away from public areas. Administrative safeguards include the development and enforcement of organizational rules about who has access to personal information about participants. Technical safeguards include use of computer passwords, firewalls, anti-virus software, encryption and other measures that protect data from unauthorized access, loss or modification.

Identifiable Information

Information that may reasonably be expected to identify an individual, alone or in combination with other available information, is considered identifiable information (or information that is identifiable) for the purposes of this Policy. Where the term “personal information” appears in this Policy, it refers to identifiable information.

Types of Information

Researchers may seek to collect, use, share and access different types of information about participants. Such information may include personal characteristics or other information about which an individual has a reasonable expectation of privacy (e.g., age, ethnicity, educational background, employment history, health history, life experience, religion, social status).

For the purposes of this Policy, researchers and REBs shall consider whether information proposed for use in research is identifiable. The following categories provide guidance for assessing the extent to which information could be used to identify an individual:

• Directly identifying information – the information identifies a specific individual through direct identifiers (e.g., name, social insurance number, personal health number).

• Indirectly identifying information – the information can reasonably be expected to identify an individual through a combination of indirect identifiers (e.g., date of birth, place of residence or unique personal characteristic).

56 TCPS 2

Chapter 5 – Privacy and Confidentiality

• Coded information – direct identifiers are removed from the information and replaced with a code. Depending on access to the code, it may be possible to re-identify specific participants (e.g., the principal investigator retains a list that links the participants’ code names with their actual name so data can be re-linked if necessary).

• Anonymized information – the information is irrevocably stripped of direct identifiers, a code is not kept to allow future re-linkage, and risk of re-identification of individuals from remaining indirect identifiers is low or very low.

• Anonymous information – the information never had identifiers associated with it (e.g., anonymous surveys) and risk of identification of individuals is low or very low.

Ethical concerns regarding privacy decrease as it becomes more difficult (or impossible) to associate information with a particular individual. These concerns also vary with the sensitivity of the information and the extent to which access, use or disclosure may harm an individual or group.

The easiest way to protect participants is through the collection and use of anonymous or anonymized data, although this is not always possible or desirable. For example, after information is anonymized, it is not possible to link new information to individuals within a dataset, or to return results to participants. A “next best” alternative is to use de-identified data: the data are provided to the researcher in de-identified form and the existing key code is accessible only to a custodian or trusted third party who is independent of the researcher. The last alternative is for researchers to collect data in identifiable form and take measures to de-identify the data as soon as possible. Although these measures are effective ways to protect participants from identification, the use of indirectly identifying, coded or anonymized information for research may still present risks of re-identification.

Technological developments have increased the ability to access, store and analyze large volumes of data. These activities may heighten risks of re-identification, such as when researchers link datasets (see Section E, this chapter), or where a dataset contains information about a population in a small geographical area, or about individuals with unique characteristics (e.g., uncommon field of occupational specialization, diagnosis of a very rare disease). Various factors can affect the risks of re-identification, and researchers and REBs should be vigilant in their efforts to recognize and reduce these risks. Data linkage of two or more datasets of anonymous information may present risks of identification (see Article 2.4 or Article 9.22).

Where it is not feasible to use anonymous or anonymized data for research (and there are many reasons why data may need to be gathered and retained in an identifiable form), the ethical duty of confidentiality and the use of appropriate measures to safeguard information become paramount. This Policy generally requires more stringent protections in research involving identifiable information. Researchers are expected to consult their REB if they are uncertain about whether information proposed for use in research is identifiable (e.g., when proposing to link anonymized or coded datasets).
