Workshop: Harmonizing Research And Privacy: Standards For A Collaborative Future
Table of Contents
Executive Summary
Introduction
Outline of the Workshop Proceedings
Day One: Presentations
Day Two: Roundtable Discussions
Workshops: Phase Two
Phase II Workshop: Day One
International Perspectives
Record Linkage: Public Good or Invasion of Privacy? An Australian Perspective
Health Services Research and Privacy: Lessons from the US Regulatory System
Phase II Workshop: Day Two
Integrating the Knowledge for Both Phases
Roundtable I: Defining our terms
Roundtable II: Privacy - Who Gets It? Care and Maintenance in HSPR
Roundtable III: Accountability
Roundtable IV: The Fuzzy Box - Data Stewardship and Management
Integrating the Knowledge: Recommendations
Voluntary Standard of Privacy Protections for Health Services & Policy Research
Appendix 1: Funding Partners
Appendix 2: List of Workshop Invitee/Participants
Appendix 3: Agendas - Phase I and Phase II
Appendix 4: Shared CD Table of Contents
Executive Summary
The goal of this two-phase workshop was to start collaborative work on developing recommendations for a privacy "best practices" standard for use by Canadian health services and policy researchers (HSPR) when using health data found in large administrative databases. Invited participants agreed that a collaborative voluntary standard for HSPR could result in multiple benefits for the research community. Attendees at this series of meetings came from a wide and diverse range of backgrounds and interest areas (including health services and policy researchers, administrative data providers/stewards/trustees, data custodians and medical record managers, provincial privacy Ombudsman/Commissioners, and health law specialists).
Over a combined period of three and one-half days, this goal was reached through a number of strategies: by participants' sharing of their approaches to privacy policies and procedures, roundtable discussions of key issues, and incorporation of the perspectives of two international experts.
The specific objectives of this workshop were:
- Presentation and discussion of currently utilized privacy standards by HSPR in their various provincial jurisdictions in order to familiarize participants with best practices as well as concordant/discordant areas.
- Sharing of privacy codes, policies and procedures to facilitate intra-organizational standards for privacy.
- Creation of a networking opportunity for researchers with similar goals and potentially disparate rules of operation.
- Consolidation of needs/knowledge, development of recommendations for harmonized privacy "best practices" standards for HSPR that have the potential to meet the intent of both federal and provincial legislation, which will foster inter-jurisdictional, intra-provincial and national research opportunities.
- Presentation and discussion of international standards for HSPR by invited international experts to familiarize participants with concordant/discordant areas.
The workshops were a positive experience for participants. We surprised each other with similarities (rather than differences) of experience and needs, and affirmed that we are all interested in moving in the same direction. The workshops generated direction, providing an unusual networking opportunity for the HSPR community, a collegial forum for discussion of what might be the basis of a voluntary privacy "best practices" standard for Canadian HSPR researchers, and an opportunity as a group to make collective recommendations and decisions on next steps.
Prior to the first workshop, each participant was asked to provide electronically the various documents that comprise their institutions' privacy tools, i.e., privacy code, pledge of privacy/confidentiality agreement, organizational Privacy Impact Assessment (PIA), vulnerability assessment, template for project PIA, privacy policies and procedures, researcher agreements, security methodologies, data encryption standards for data collection in the field, and manuals. These documents were collated and burned onto a single CD, a copy of which was provided to each participant at the workshop. By collecting a "toolkit" of privacy/data security practices, policies and procedures from participants' organizations across Canada and bringing these together on a shared CD, we were able to provide templates that could potentially save our organizations time and expense. Sharing information in the toolkit facilitates better use of resources by not having to "reinvent the wheel", as well as providing the opportunity to standardize the approach to privacy practices and policies. The workshop participants provided general principles and best practices that can be tailored to the individual needs and legislative requirements of other research groups, as well as contacts for further consultation. Additionally, CIHR's keen interest in a compendium of knowledge translation activities that are of practical use to the research community at large should be well served through this shared Privacy Tool Kit CD.
The first workshop was broken into distinct activities: didactic sessions and discussions. A series of nineteen short participant presentations, a snapshot of privacy interests from the perspective of participant organizations across Canada that provided a brief look at issues such as consent, transparency, data access, approval processes and data security, clearly demonstrated the commonality of interests and needs. Four roundtable discussions were spread over more than a day: Developing Working Definitions: Defining Our Terms; Privacy: Who Gets It? Care and Maintenance in HSPR; Accountability; and The Fuzzy Box - Data Stewardship and Management. The professionally-prepared transcripts of these discussions were analyzed by the research team members for key discussion outcomes and key discussion points. These findings were drawn together in an extremely rich draft report, Harmonizing Research & Privacy: Standards for a Collaborative Future - Working Document on Phase I Meeting. This document, intended as a review for the returning workshop participants, was distributed electronically prior to the second workshop session, held February 22/23, 2004. Additionally, a separate section on collaborative research with First Nations communities, prepared by the staff of the National Aboriginal Health Organization (NAHO), was included in the draft working document. This section of the document was complemented by NAHO-produced documents for the Privacy Tool Kit: e-files on ethics, privacy concerns and collaborative frameworks for research with First Nations communities.
Additional copies of the Draft Working Document (Phase I) and the Privacy Tool Kit CD can be obtained by contacting info@ices.on.ca or reports@cpe.umanitoba.ca.
At the second workshop, participants also had the opportunity to hear a presentation on a draft Privacy "Best Practices" Guideline, developed by CIHR staff under the direction of Patricia Kosseim and with the assistance of their Privacy Advisory Committee. This group had extensively surveyed/consulted with the research community to begin development of this Guideline, and workshop participants agreed to provide complementary material to supplement the guideline's information for publicly-funded research institutes and HSPR.
Also at the second workshop, invited international speakers expanded our view of privacy issues in HSPR, and articulated the tradeoffs between privacy concerns and public benefits from population-based research. The creation of a standard of privacy "best practices" upon which HSPR researchers could agree and to which they would voluntarily subscribe should strategically improve intra- and inter-provincial research opportunities, as well as favourably position Canadian health services and policy researchers for both national and international research collaborative efforts.
The call to describe the current status of population-based health and health services databases and their potential for use in innovative, important health research in Canada will require tools, such as those proposed by this workshop, to navigate and create opportunities for national collaboration; tools that will be essential for planning strategic investments in population health and HSPR.
The International Perspective
The International Perspectives were provided by Dr. Fiona Stanley, Director of the Telethon Institute for Children Health Research and CEO of the Australian Research Alliance for Children and Youth, and Dr. Eric Meslin, Director of the Indiana University Center for Bioethics, Assistant Dean for Bioethics and Professor of Medicine, and of Medical and Molecular Genetics, Indiana University School of Medicine, and Professor of Philosophy, School of Liberal Arts.
Dr. Stanley spoke about the advantages of anonymous population record linkages in Western Australia, including: 1) the data obtained is complete and thus not biased, with no one excluded; 2) results apply and are useful for the whole population and complete subsets (e.g., rural groups, indigenous populations, teenage mothers); 3) the research is more cost-effective compared with large-scale studies where contact and consent from participants need to be sought; 4) data that are often difficult or impossible to obtain directly from individuals are valid and reliable (e.g., psychiatric illness, abortion, drug use, etc.); and 5) data collection processes reduce the burden on the population from surveys (many unreliable).
Dr. Stanley closed her presentation by posing the question of whether or not it is "morally reprehensible to fail to use available data to improve the health and well being of the population".
Dr. Meslin spoke on the US Regulatory System and presented an overview of privacy and ethics in the climate of the Health Insurance Portability and Accountability Act (HIPAA). He put forward the McDonald/Meslin Proposal for Canada/US harmonization of privacy requirements. Both countries should: examine their respective oversight systems, filling in obvious gaps and weaknesses internal to the systems themselves; examine existing privacy protections for human subjects research and identify regulatory reform opportunities; and make use of the "equivalent protection" provision found in U.S. regulations for research that crosses the Canada-U.S. border.
The "equivalent protection" provision would apply to any NIH-funded research conducted in Canada, and using it would require attention to developing shared standards and methods for quality assessment for human research protection. "Equivalent protection" does not mean "homogenization". Rather, both countries could learn from each other's experiences in human research protection; CIHR and NIH should fund comparative research projects in this area; we should begin to collect case examples of best practices from both countries and do some serious analytic work on them; and an intergovernmental agreement should allow for a period of 3 to 5 years during which protocols carried out in either country would follow local regulations or guidelines.
Dr Meslin highlighted the "common rule". "When research covered by [the Common Rule] takes place in foreign countries, procedures normally followed in foreign countries to protect human subjects may differ from those set forth in this policy. In these circumstances, if a Department or Agency head determines that the procedures prescribed by the institutions afford protections that are at least equivalent to those provided in this policy, the Department or Agency head may approve the substitution of the foreign procedures in lieu of the procedural requirements provided in this policy". [45 CFR 46.101(h)]
Outcomes of the Workshop
A. Suggested Inclusions to a Voluntary Privacy "Best Practices" Standard
- A standardized template research agreement that addresses the key issues in the use of administrative data, i.e., data transfer activities, purpose for use, reviews and/or approvals required for use, oversight and documentation mechanisms, data protections, and a plan for wide dissemination of outcomes that includes feeding the results back to the 'owner' (data provider).
- A glossary that articulates local definitions or frames of reference against a background of core definitions from an identified statistical agency.
- The standard should include a Privacy Code, common privacy impact assessment (PIA), and confidentiality agreement.
- Circumstances for use of health data without consent. Specific examples of wording around need for consent or not, and why distinctions are made that would stand up to concerns of privacy advocates and legislators when reviewing legislation.
- A transparent organizational process available to researchers on access and use of data which highlights privacy issues, and includes an arbitration process with oversight from research ethics boards (REBs) and the Privacy Commissioners/Ombudsman if access is denied.
- Work to use the least data possible with the highest level of aggregation.
- Define roles for data custodians, stewards and privacy officers.
- Chain of approvals for HSPR should include: peer review of proposal, REB review, privacy review (external to the organization, for example, a process approved by Privacy Commissioners/Ombudsman).
B. Potential Uses of a Voluntary Privacy "Best Practices" Standard
- This type of voluntary standard could serve for a few years until PIPEDA is reviewed (projected for 2006), but also serve as help for the amending process for PIPEDA.
- The standard could provide guidance in decision-making - be an "authoritative statement" - if there are any court challenges in HSPR.
- REBs could use the standard to evaluate HSPR research proposals.
- The use of the standard could certify that there is due diligence at a research "site" - i.e., that there is agreement with local legislation and good internal-to-site standards (policies, procedures, security etc). Additionally, this could be the basis of 'certification' for the granting agencies.
C. Possible next steps for developing a voluntary standard of privacy "best practices"
- Name a group or body to develop the standards as well as the process. The group should include Privacy Commissioners/Ombudsman, data custodians, data stewards, researchers, health records specialists, health law specialists and the public. This group must be credible and representative to ensure the standard's legitimacy, relevance, acceptability and uptake.
- The initial process may include a systematic review of all current standards (i.e., CIHI, BC Health Information Standards Council, CIHR, Tri-Council Policy Statement) to develop the framework that complements and builds upon the standards already in place.
- Previous work by other groups can become the basis of the templates that are adapted to local circumstances, which may be made as specific as necessary to local practices and legislation. Starting with templates is cost effective and will help build commonality across all jurisdictions.
D. Other Important Issues To Consider
- Capitalize on the undeveloped unique opportunity in this country - to exploit the "Pan-Canadian natural experiment in health" that is going on every day. This will require much more focus on data flow across provincial boundaries, which PIPEDA makes difficult. This area needs much more attention.
- HSPR should participate actively in facilitating the collection of information to lead to possible PIPEDA revisions.
- Where do the funds come from to resolve these issues and the research costs of implementing/maintaining privacy due diligence?
- Develop training materials for REBs about the conduct of HSPR.
- Promote capacity building in research ethics with explicit expertise in privacy, confidentiality and data management.
- Encourage Privacy Commissioners to gather systematic data (qualitative and quantitative) about the problems arising for HSR researchers trying to comply with privacy requirements in respective provinces.
- Encourage Privacy Commissioners and oversight bodies to extend equivalent protection strategy to other countries with comparable oversight systems such as Australia, New Zealand, Denmark and the United Kingdom as well as economically-developing countries for whom HSR will be a major route to health.
E. Recommendations to CIHR
1. “Take up” the voluntary standard into the CIHR Draft Best Practices document in a separate HSPR section, to be positioned with that document for incorporation into the reviewed/revised Tri-Council Policy Statement (TCPS).
2. Develop a table of “equivalencies” for definitions of terms that would reflect differences in local usage, to facilitate effective communication within HSPR collaborations and make it available to all HSPR organizations and researchers.
3. Develop a model that operationalizes the conditions under which access to data is being requested in the absence of consent. This should be reviewed by privacy officers, data stewards/custodians and the research community to ensure that it meets the needs of HSPR and the public.
4. Develop a model of accountability - organizations would be accountable for ensuring compliance with all principles and ensuring there are audit and monitoring functions in place; REBs would be accountable for identifying the purpose, consent issues, security safeguards and transparency of these within each research project; data stewards would be accountable for limiting use, accuracy of data, safeguard and security of data and transparency of its policies and procedures.
5. The monitoring function should accrue to Ombudsman/PCs office, to help keep the organization in balance by offering guidance, creating backup and depth. These offices might also provide an arbitration mechanism when privacy and research are at odds. These systems of accountability and oversight have to be able to stand up to external scrutiny.
6. Co-sponsor a workshop with media organizations to facilitate communication of why it is important to conduct population-based research using secondary data without consent.
7. Develop an affirming research communication strategy for public dissemination of HSPR study results, which includes strong statements about the use of anonymized administrative data enabling the results achieved in each study which benefit the health of the population.
Introduction
Over the last five years, in response to either provincial privacy legislation or the January 1, 2004 deadline for full implementation of the federal Personal Information Protection and Electronic Documents Act (PIPEDA), some Canadian health services and policy research organizations have developed privacy codes, confidentiality and research agreement templates, data security policies and access guidelines. These documents constitute policies and procedures pertaining to privacy and data security issues for secondary use of personal health information in large administrative and survey databases.
Through these processes, these organizations have developed insights into a variety of data issues and have received mutual benefits by sharing their approaches to privacy policies and procedures. This sharing between organizations enabled the successful resolution of several data issues in their home jurisdictions. However, it has become apparent that facilitation of comparative analysis and collaborative research among Canadian investigators across Canada requires development of harmonized standards, policies and best practices for the protection of personal health information.
It is also clear that specific knowledge about how privacy issues are handled by other organizations and shared practical experiences will facilitate the development of harmonized privacy standards across organizations facing similar issues. This knowledge exchange will also go a long way to stimulate and encourage ongoing collaborative research activity in health services and policy research (HSPR).
The HSPR community in Canada recognized the utility in considering development of harmonized privacy standards by agreeing to participate in an initiative proposed by the Institute for Clinical Evaluative Sciences (ICES) and the Manitoba Centre for Health Policy (MCHP). The initiative was funded by a multi-institute grant from the Canadian Institutes for Health Research (CIHR), under the aegis of the Institute for Health Services and Policy Research (IHSPR), and the Canadian Institute for Health Information (CIHI) Canadian Population Health Initiative (for complete list of funding agencies, please see Appendix 1).
This two-phase workshop, entitled Harmonizing Research and Privacy: Standards for a Collaborative Future, focused on the requirements of health services and policy researchers, the data providers/stewards/trustees, data custodians and medical record managers, with additional input from the provincial privacy oversight bodies and health law specialists.
Outline of the Workshop Proceedings
Phase One of the workshop was held at the Eaton Centre Marriott Hotel on October 27-28, 2003 in Toronto, Ontario. Representation from across Canada was sought from the following agencies:
- BC Centre for Health Services and Policy Research;
- Canadian Institute for Health Information - Canadian Population Health Initiative;
- Cancer Care Ontario;
- Centre for Evaluation of Medicines - McMaster University, Hamilton, ON;
- Centre for Health and Policy Studies - University of Calgary;
- Centre for Health Services and Policy Research - Queen's University, Kingston, ON;
- CHEPA, McMaster University, Hamilton, ON;
- CIHR-IHSPR;
- Government of Nunavut;
- Health Canada;
- Health Law Institute, University of Alberta, Edmonton, AB;
- Health Law faculty, Dalhousie University, Halifax, NS;
- Health Records Services, St Paul's Hospital, Vancouver BC;
- Institute for Clinical Evaluative Sciences (ICES), Toronto, ON;
- Institute for Work and Health - Toronto, ON;
- Manitoba Centre for Health Policy (MCHP), Winnipeg, MB;
- Manitoba Health;
- Manitoba Provincial Ombudsman Office;
- McGill University, Montreal QC;
- National Aboriginal Health Organization, Ottawa, ON;
- Newfoundland & Labrador Centre for Health;
- Office of the Information and Privacy Commissioner of Ontario;
- Ontario Ministry of Health and Long-term Care;
- PEI Department of Health and Social Services;
- Population Health Research Unit (PHRU), Dalhousie University, Halifax, NS;
- Statistics Canada.
The workshop organizers believed it was important to obtain representation from across the provinces and territories. To secure participation, an invitation letter was emailed to numerous health services and policy researchers, data custodians, privacy officers, health law specialists, offices of provincial Privacy Commissioners, data stewards and health records experts across Canada, asking if they would be interested in working on the problem of harmonizing privacy standards for health services and policy research, should funding be secured. The invitation also requested names and contact information for others who may be interested in this pursuit. The positive respondents became the participants in this workshop and reflected a nation-wide scope (see Appendix 2 for a complete list of participants).
In the summer months of 2003 (immediately before the first workshop), a project coordinator familiar with privacy law and issues pertaining to HSPR was enlisted to call each participant and discuss some of the challenges and "burning issues" currently being faced by individual researchers, their organizations, and their research or professional communities. Also discussed were their existing or developing approaches to address the identified challenges. The key question all participants were asked was "what burning issues might you identify or like to discuss at the workshop roundtables?" The information received through these dialogues was reviewed, summarized and collated into major themes by the project coordinator and workshop organizers, which were then developed into the roundtable discussion items.
Additionally, to initiate and stimulate discussions on the use of administrative, registry and abstracted data in health services and policy research, participants were offered the opportunity to make a short presentation (10-15 minutes) on Day I of the workshop about their organization's best practices - including operating standards, policies and procedures - or areas of concern to the organizations (see Appendix 3 for Workshop I agenda).
Each participant was asked to provide (electronically) the various documents that comprise their privacy tool box, i.e., privacy code, pledge of privacy/confidentiality agreement, organizational Privacy Impact Assessment (PIA), vulnerability assessment, template for project PIA, privacy policies and procedures, researcher agreements, security methodologies, data encryption standards for data collection in the field, and manuals. Prior to the workshop, the information received from participants was collated and put onto a single CD, a copy of which was provided to each participant at the workshop for their use (see Appendix 4 for list of documents).
To ensure consistency of focus, each participant was also asked to provide (electronically) their working definition/understanding of the following terms: identifiable data, indirectly identifiable data, impracticability of obtaining consent, individual level data, aggregate data, anonymized data, pseudonymized data, residual disclosure, as well as the statistical disclosure control methods used by the organization (i.e., if cell size is less than five then data are not included or are suppressed).
There were four roundtable discussion themes planned for the workshop (see Appendix 3: Day II). Participants were assigned to a roundtable group for discussion of each theme by the workshop organizers. The group composition changed for each theme, and each group was assigned a facilitator and a scribe. Each roundtable discussion was also audio-taped, and the tapes were professionally transcribed following the meeting. Hard copies of the notes and tapes were made available for all participants for review at the Phase II meetings.
The first roundtable theme was Developing Working Definitions: Defining Our Terms. Each group was provided the same five terms to define, as well as some current definitions from a variety of sources. The intent was to reach consensus on the definitions that would then be used by the participants in their discussions of the remaining three roundtables, to ensure consistency in meaning and usage.
For the remaining three roundtables, Privacy: Who Gets It? Care and Maintenance in HSPR, Accountability, and The Fuzzy Box - Data Stewardship and Management, two to four questions were constructed from the burning issues discussions to initiate the discussion at the workshop. These were provided to the participants as part of the agenda (Appendix 3).
Day One: Presentations
On Day One, there were a total of nineteen short presentations (Appendix 3). The day began with presentations by the privacy oversight bodies from Ontario and Manitoba, both principals stressing the importance of transparency in HSPR research and its methodology, and offering support and direction. A snapshot of privacy interests from the perspective of participant organizations across Canada followed, providing a brief look at perspectives on issues such as consent, transparency, data access, approval processes and data security. Copies of available PowerPoint presentations were provided to each participant in the workshop binder (or by email for those received at the time of the meeting).
The last session of Day One was spent in discussion on the working definitions of the terms that the participants provided prior to the workshop. All of the information disseminated during Day One provided the groundwork for the roundtable discussions on the major themes for Day Two.
Day Two: Roundtable Discussions
The themes chosen for discussion at the roundtables were derived from the 'burning issues' discussions that each participant had with the project coordinator, thus ensuring that the themes were relevant to current concerns.
The professionally-prepared transcriptions of the roundtable discussions were then analyzed by the project coordinator and research team members for key discussion outcomes and key discussion points, in preparation for review by the workshop participants prior to the Phase II meeting. These findings were assembled in a Draft Working Document, which was distributed electronically to participants to review prior to the second workshop session, held February 22/23, 2004. Additionally, a separate section on collaborative research with First Nations communities, prepared by the staff of the National Aboriginal Health Organization (NAHO), was included in the draft working document. This section of the document was complemented by NAHO-produced documents for the Privacy Tool Kit: e-files on ethics, privacy concerns and collaborative frameworks for research with First Nations communities.
Workshops: Phase Two
Phase Two of the workshops was held at the Eaton Centre Marriott Hotel on February 22 and 23, 2004, in Toronto, Ontario. Attendees from workshop I or their designates were invited to attend the second phase (see Appendix 3 for agenda).
On Day One of this workshop, participants heard keynote speakers Dr. Fiona Stanley (Australia) and Dr. Eric Meslin (USA) discuss perspectives on the international privacy climate and the influence on HSPR, as well as offer opportunities and encourage collaborative HSPR research.
On Day Two, participants heard a presentation by CIHR's Patricia Kosseim and Sheila Chapman on the draft Guideline "Protecting Privacy and Confidentiality in the Design, Conduct and Evaluation of Health Research: Best Practices."
Following these presentations, participants were asked through further discussion and debate to integrate information from the international perspective and from the CIHR presentation into consideration of what a baseline for a voluntary privacy standard for HSPR might be.
This integrative final summary reflects the knowledge gained and discussions that took place at these two workshops, and has been assembled for review by the participants and the funding agency.
Additional copies of the Draft Working Document (Phase I) and the Privacy Tool Kit CD can be obtained by contacting info@ices.on.ca.
Phase II Workshop: Day One
The International Perspective
Record Linkage: Public Good or Invasion of Privacy? An Australian Perspective.
Dr. Fiona Stanley is the Director of the Telethon Institute for Children Health Research and CEO of the Australian Research Alliance for Children & Youth. Dr. Stanley presented a talk to workshop participants about the benefits of research using population data and linkage in Western Australia.
1. The Power of Population Data and Linkage for Public Good
Stanley began by illustrating the power of population health data and linkage with regard to public health. She described the process of records linkage, which brings together records from different sources relating to the same individual. The data resulting from linkage may be used for administration, case management and for population-based research and policy development. Stanley's own research is focused on issues related to improving outcomes for children and youth, using the Western Australia Maternal & Child Health Research (MCHR) Database, which was established 30 years ago when privacy issues were not so obvious, and contains data on all birth cohorts from 1980 onwards. Using the MCHR Database as an example, Stanley illustrated how record linkage of population data benefits society. It allows researchers to describe the total burden of problems in children and young people, including risks and protective factors. It offers the opportunity to sample unbiased groups for epidemiological studies, perform randomized control trials and evaluate the impact of interventions such as public health programs or clinical services. Because the MCHR database contains data on all children in relation to all major outcomes causing death, developmental defects and diseases, it can be used to investigate a variety of causes. This includes social causes, environmental causes and family risks, as well as for monitoring the impact of health policies since 1980.
The MCHR database illustrates the advantage of population record linkage from an epidemiological perspective, when the available data is not biased and no one is excluded. Having information on the whole population (rather than smaller sub-sets) means research findings can be generalized to the whole population, but allows important sub-sets to be examined, such as rural and indigenous people. In addition, the resulting record linkage is extraordinarily cost-effective and leads to valid and reliable data on issues that would otherwise be difficult and highly costly to obtain directly from individuals.
Stanley described other specific examples of the benefits of linkage using population data of the same degree of completeness, which has revealed new and important information about many different health issues, including the following:
- Occurrence of birth defects in infants conceived in new reproductive technology programs;
- Risks of suicide associated with cannabis use in adolescents;
- Failures in the application of programs - especially among Aboriginal mothers - (i.e., increasing maternal intake of folic acid to reduce incidence of spina bifida); and
- The need for change in a program aimed at reducing the incidence of Sudden Infant Death Syndrome (SIDS).
Stanley then summarized the advantages of using linked population data:
- Linked population data is inclusive, representative and accurate. This means better data for policy, planning, improving data quality in administrative and research data sets;
- Researchers have responsibilities to provide the public with the most accurate, reliable and unbiased information possible to guide public policy, health policy, practices and the way information is given to the public. Population data allows them to make the best and most efficient use of existing data;
- Using population data means less reporting burden on the community;
- Complete population data permits researchers to avoid conducting research that could result in biased information or information that excludes certain groups, especially marginalized groups that do not typically respond in studies (i.e., women, children, teenagers, indigenous peoples and the disadvantaged). Marginalized people are further marginalized by not having information collected about them. Population data is particularly advantageous in sensitive research.
2. Privacy & Consent Issues
Stanley went on to discuss issues related to privacy and consent in Western Australia. She addressed the common perception that record linkage in the absence of consent results in an invasion of privacy. But privacy can be protected if researchers link and use population data in appropriate ways. In Western Australia, there are existing and emerging mechanisms for balancing the public good from record linkage against the perception that any linkage of population data without consent is an unacceptable invasion of privacy. These mechanisms include the following:
- Australia's Privacy Act 2001 includes Information Privacy Principles (IPPs) relating to personal health information in any Commonwealth agency, as well as National Privacy Principles (NPPs), which cover all personal information held in the private sector. Some Australian states have legislation specific to health information privacy. While it does not have a health privacy statute, it is anticipated that Western Australia will adopt the National Health Privacy Code, currently under development. The Code will supply an integrated framework for privacy protection for personal health information that will create consistency across public and private sectors.
- Guidelines from the National Health and Medical Research Council (NHMRC) include criteria that research ethics committees follow in order to satisfy themselves that access to identifiable or potentially identifiable data without consent is acceptable. In addition, researchers must also receive approval from a second ethics committee for population data and from a third committee for use of linked data.
- The office of the Federal Privacy Commissioner has guidelines relating to privacy in the private health sector, covering use and disclosure necessary for research and statistics relevant to public health and safety. In limited circumstances, that is, when research is about public health or safety, health information may be used or disclosed for research without consent.
The bottom line is that privacy can be protected if researchers link and use population data in appropriate ways. Guidelines help, as do new and emerging technologies and methods for linkage.
3. Future Challenges
Finally, Stanley spoke of the challenges facing the health sector in terms of maintaining and improving the health of children and youth, including mental health, obesity, learning and education problems and substance abuse. This requires complex information to monitor, study and prevent disease, including information about socio-economic factors. The causal pathways to these problems are complex. Most research in these areas is inadequate and fragmented. However, a healthy balance can be maintained between using population data and linkage for research and following guidelines aimed at protecting privacy, along with new technologies and methodologies for linkage, if the focus remains on protecting and promoting the interests of children and youth.
Health Services Research and Privacy: Lessons from the US Regulatory System (with particular comments on HIPAA).
Dr. Eric Meslin is Director of the Indiana University Center for Bioethics, Professor of Medicine, and of Medical and Molecular Genetics in the Indiana University School of Medicine, and Professor of Philosophy in the School of Liberal Arts. He is also Assistant Dean for Bioethics at the Indiana University School of Medicine. He came to Indiana University in July 2001 from the National Bioethics Advisory Commission (NBAC), where he had been Executive Director since 1998. NBAC was appointed by President Bill Clinton in 1995, and was charged with advising the White House and the federal government on a range of bioethics issues including cloning, stem cell research, international clinical trials, and genetics studies. The highlights of his presentation follow.
1. Oversight of US Federally-funded research involving human subjects: a quick primer
In 1991, the US Department of Health and Human Services (DHHS) formally defined a "common rule" (45 CFR 46: Subpart A) for the protection of human subjects. The rule describes common procedural requirements for REBs, informed consent, and institutional assurance. This "common rule" describes criteria for compliance to which institutions must commit themselves. If institutions are not in compliance, research is stopped and funds withheld. REBs have the authority to approve, disapprove, or require protocol modification, have the authority to suspend/terminate approval, and approve consent forms. Local REB review is the standard. The rule applies to both domestic and foreign institutions.
The Common Rule creates problems because:
- Federalist perspective doesn't work well to preserve local autonomy, which contradicts the perspective that REB decisions reflect local values and sensitivities.
- The rule doesn't apply to biobanks.
- It doesn't handle privacy well. The REB has discretion to determine whether and to what extent privacy is protected. Operationally, privacy and confidentiality are conflated within the medical record.
- The oversight system is based on a "clinical trials paradigm", which doesn't lend itself to HSPR, qualitative studies, or social science methodology because it is geared to medical intervention comparisons where the risks of physical harm are paramount.
- The common rule applies to only 16/64 US federal agencies, and FDA regulations are not similar to Subpart A.
- There is no harmonized regulatory mechanism for domestic research oversight.
2. Privacy protections in the common rule
Definitions
"Human subject means a living individual about whom an investigator (whether professional or student) conducting research obtains
- data through intervention or interaction with the individual, or
- identifiable private information."
"Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects." 45 CFR 46.102(f)
Research exemption
"Research involving the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens, if these sources are publicly available or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects" 45 CFR 46.101(b)(4)
"In order to approve research covered by this policy, the IRB shall determine that…[w]hen appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data." 45 CFR 46.111(a)(7)
"The following information shall be provided to each subject…a statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained." 45 CFR 46.116(a)(5).
3. The common rule and HSPR
The current research ethics paradigm does not work for HSR because:
- HSR rarely involves clinical interventions;
- Principal harms are non-physical (to privacy, confidentiality, reputation);
- Harms are difficult to quantify;
- Generally involves access to data about people, rather than people themselves;
- "Dead or alive";
- Do not require the person be present to participate (geographically or temporally).
4. The impact of HIPAA (Health Insurance Portability and Accountability Act, 1996) on research
- Intended to allow portability of health insurance between employers;
- The accountability requirements were included to ensure confidentiality of electronically processed health data.
HIPAA describes four Standards, or areas of regulation: security, identifiers, transactions and privacy (Privacy Rule). The rule sets standards for "protected health information." These were intended to build on existing regulatory structure, supplementing the common rule and providing additional procedural protections for personal health information (PHI) intended for use in research (defined as any systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge).
- Key features:
- Institutions must give patients notice of the institution's privacy practices.
- Patients must sign an additional "authorization" for research use of PHI.
Covered entities (institutions that use PHI) must generally inform an individual and obtain authorization for use of PHI. Research use of personally identifiable health information requires a specific, separate, written "authorization" with the following exemptions:
- "health care operations";
- Quality assessment and improvement;
- Outcomes evaluation;
- Development of clinical guidelines.
In a survey done over a six-year period in 2003, the American Association of Medical Colleges (AAMC) found that there were a number of perceived problems for research. The survey documented research that was "affected, delayed, hindered, benefited, abandoned, or forgone." Important findings included:
- Types of research affected by HIPAA - clinical (72%), health services (32%), epidemiological (36%), behavioural (29%), basic biomedical (19%), health economics (18%), outcomes (29%), other (4%).
- Research functions affected by HIPAA - patient recruitment (74%), data access (76%), data acquisition (68%), data retention (51%), oral communication (47%), written publication (34%), other (8%).
Canada's guidelines are not harmonized with U.S. regulations; there are multiple guidelines and regulatory requirements. For example, a University of Montreal investigator collaborating with an investigator at a U.S. institution with NIH funding must comply with:
- Canadian Tri Council Policy; CIHR, Health Canada; Quebec Civil Code
- 45 CFR 46 (The Common Rule); 21 CFR 50/56 (FDA Rules); The Privacy Rule (HIPAA)
HIPAA does not apply if data is being collected outside the US, but when identifiable health information is exported to the US (i.e., imported from Canada) and is housed in a covered entity, HIPAA does apply.
Canada has its own harmonization difficulties: federal/provincial governance issues, as well as PIPEDA, TCPS, CIHR and Health Canada to contend with. These discrepancies lead to difficulty for both Canadian and American researchers trying to comply with several different sets of regulations and guidelines, and Canadian and American REBs struggle with different interpretations of requirements, leading to confusion and possibly stagnation in research.
5. The McDonald/Meslin Proposal
For Canada/US harmonization:
- Both countries should examine their respective oversight systems; filling in obvious gaps and weaknesses internal to the systems themselves.
- Both countries should examine existing privacy protections for human subjects research and identify regulatory reform opportunities.
- Make use of the “equivalent protection” provision found in U.S. regulations for research that crosses the Canada - U.S. border.
"When research covered by [the Common Rule] takes place in foreign countries, procedures normally followed in foreign countries to protect human subjects may differ from those set forth in this policy. In these circumstances, if a Department or Agency head determines that the procedures prescribed by the institutions afford protections that are at least equivalent to those provided in this policy, the Department or Agency head may approve the substitution of the foreign procedures in lieu of the procedural requirements provided in this policy." [45 CFR 46.101(h)]
Using the "equivalent protection" provision would apply to any NIH-funded research conducted in Canada, and would require attention to developing shared standards and methods for quality assessment for human research protection.
Equivalent protection does not mean "homogenization."
- Both countries could learn from each other's experiences in human research protection.
- CIHR and NIH should fund comparative research projects in this area;
- Begin to collect case examples of best practices from both countries and do some serious analytic work on them.
- Intergovernmental agreement allowing for a period of 3-5 years during which protocols carried out in either country would follow local regulations or guidelines.
Phase II Workshop: Day Two
Integrating the Knowledge from Both Phases
Roundtable I: Defining our terms
This discussion did not result in consensus on definitions that were brought forward during the roundtable. Listed below are the “best efforts” of the roundtable groups. This lack of consensus probably reflects differences in local usage of these terms and may not be completely resolvable. Therefore, we suggest that a table of “equivalencies” should be developed to facilitate effective communication in Health Services and Policy Research (HSPR) collaborations. All documents should contain glossaries that articulate local definitions or frames of reference against a background of core definitions from statistical agencies.
- de-identified information is personal health information that (a) has been modified, and (b) is controlled in particular ways such that there is no reasonable basis to believe that an individual will be identified.
- pseudonymized information has a unique number or equivalent substituted for personal identifiers.
- anonymizing information is the process of protecting the information in the individual record. There are two aspects to anonymizing data: information coming in (i.e., information going into an analysis), and information going out (i.e., resulting from an analysis). It is easier to anonymize information going out, as results can be reported in aggregate form. Different organizations use different approaches to anonymizing data. The goal is to decide on an acceptable degree of protection, given the benefits of the analysis.
- linkage builds a longitudinal record of exposure and health care experience by generating or creating a new record about an individual through linkage of two or more records which refer to the same individual. There are always two things to consider in linkage: that the records being linked refer to the same encounter for the same individual (that is, it is not enough to ensure that the linked records refer to the same person; they must also refer to the same instance of care.) Deterministic linkage is possible when all the key variables exist in both of the files to be joined. Probabilistic linkage, lacking all key variables, uses a weighting scheme to determine when a match is "good enough." Generally, linkage is deterministic whereas matching is probabilistic.
- residual disclosure: small cell sizes leading to the unintentional disclosure of information about individuals. It is typically defined with a prohibition on publishing cells containing five or fewer observations, which applies to both the numerator and the denominator of a rate. The identity of an individual could be determined by reasonably foreseeable methods from personal health information, including when the data have been aggregated or have had direct identifiers stripped, encrypted or masked. Risk is further mitigated because of the large population samples. There is sometimes a scientific justification for reporting small cells, however; this aspect should be clarified because there should be a way to discuss important rare diseases or rare events such as adverse drug effects without disclosure. The cell size rule should be waived only on a case-by-case basis.
- population health research is concerned with broadly representative populations rather than special groups, and is the analysis of health outcomes of groups of individuals in society and the patterns of interactions that determine the health of those individuals over time. Population health research does one or any combination of the following: generates new knowledge on determinants of health and the functioning of healthcare systems, supports policy analysis, synthesis of evidence, and/or transfers new knowledge to decision-makers and the public. This type of research shows an openness to heterogeneity rather than use of randomization to remove it.
- Side to Side - focus on whole populations and heterogeneities (gradient a special case)
- End to End - include entire life cycle ==> longitudinal data
- Top to Bottom - entire population <--> community <--> social network <--> family <--> individual <--> organ systems <--> molecules -- Clyde Hertzman, UBC
- “in the public good” is generally assessed in relation to risks and benefits. One of the benefits that should be incorporated in decision-making is the presence of privacy protections, and whether or not there is a social benefit to the advancement of knowledge itself. The public is made up of people with competing interests, so rather than assessing what the public good might be, perhaps decisions should be based on distributive justice – how best to distribute risks and benefits in the population. REBs require an operating definition for these estimations.
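The pseudonymization, deterministic linkage and residual disclosure definitions above can be followed end to end in a short Python example, added here as an illustration and not taken from the workshop or any participant's system. The keyed hash (HMAC-SHA-256) used as the pseudonym, the field names, the demo key and the sample records are all constructed assumptions; withholding the rate whenever either count is small is one reading of the five-or-fewer rule.

```python
import hashlib
import hmac
from collections import defaultdict

SMALL_CELL_MAX = 5  # cells containing five or fewer observations are not published


def pseudonymize(health_number, key):
    """Substitute a keyed hash (HMAC-SHA-256, an assumption) for a direct identifier."""
    # Normalize formatting first so the same person hashes identically in every file.
    normalized = "".join(ch for ch in health_number.upper() if ch.isalnum())
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


def to_pseudonymized(records, key, direct_identifiers=("health_number", "name")):
    """Drop direct identifiers and attach the pseudonym under the hypothetical field 'pid'."""
    out = []
    for rec in records:
        kept = {k: v for k, v in rec.items() if k not in direct_identifiers}
        kept["pid"] = pseudonymize(rec["health_number"], key)
        out.append(kept)
    return out


def link_deterministic(registry, events):
    """Exact-match linkage on the pseudonym: one longitudinal record per person."""
    linked = {row["pid"]: {**row, "events": []} for row in registry}
    unmatched = []
    for ev in events:
        person = linked.get(ev["pid"])
        if person is None:
            unmatched.append(ev)  # no exact key match, so no link is made
        else:
            person["events"].append(ev)
    return linked, unmatched


def rate_table(linked, group_field):
    """Per group: persons (denominator) and persons with at least one event (numerator)."""
    cells = defaultdict(lambda: {"persons": 0, "cases": 0})
    for person in linked.values():
        cell = cells[person[group_field]]
        cell["persons"] += 1
        if person["events"]:
            cell["cases"] += 1
    return dict(cells)


def suppress_small_cells(table, threshold=SMALL_CELL_MAX):
    """Withhold any small count, and the rate whenever numerator or denominator is small."""
    released = {}
    for group, cell in table.items():
        small_den = cell["persons"] <= threshold
        small_num = cell["cases"] <= threshold
        released[group] = {
            "persons": None if small_den else cell["persons"],
            "cases": None if small_num else cell["cases"],
            "rate": None if (small_den or small_num)
            else round(cell["cases"] / cell["persons"], 3),
        }
    return released


def build_constructed_data():
    """Constructed sample files: a population registry and an event file."""
    plan = {"urban": (40, 12), "rural": (8, 3), "remote": (4, 1)}
    registry, events, n = [], [], 0
    for region, (persons, cases) in plan.items():
        for i in range(persons):
            n += 1
            registry.append({"health_number": f"HN-{n:06d}",
                             "name": f"Person {n}", "region": region})
            if i < cases:
                # The event file formats the same identifier differently.
                events.append({"health_number": f"hn {n:06d}",
                               "diagnosis": "constructed-code"})
    # One event whose identifier is absent from the registry.
    events.append({"health_number": "HN-999999", "diagnosis": "constructed-code"})
    return registry, events


def run_example():
    key = b"constructed-demo-key"  # assumption: held by the data steward only
    registry, events = build_constructed_data()
    linked, unmatched = link_deterministic(to_pseudonymized(registry, key),
                                           to_pseudonymized(events, key))
    return suppress_small_cells(rate_table(linked, "region")), unmatched


if __name__ == "__main__":
    released, unmatched = run_example()
    for region, cell in released.items():
        print(region, cell)
    print("unmatched events:", len(unmatched))
```

Only the urban row is released in full; the rural numerator and every remote count fall at or below the threshold and are withheld together with their rates.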
Suggested Inclusions for a Voluntary Standard and Recommendations
- All documents should contain a glossary that articulates local definitions or frames of reference against a background of core definitions from an identified statistical agency.
Recommendations
- Develop a table of “equivalencies” to facilitate effective communication within Health Services and Policy Research (HSPR) collaborations and make it available to all HSPR organizations and researchers.
Roundtable II: Privacy – Who Gets It? Care and Maintenance in HSPR
Question 1. The ambiguity of legislation is inviting researchers to look for coherence. Best practice standards/guidelines should be developed for consistency in HSPR evaluation. What should these standards be and where should they come from – researchers, government organizations, granting agencies?
Discussions in this area over the two meetings favoured the development of best practice standards or a voluntary standard for HSPR for the following reasons:
- Standards could actually facilitate HSPR across Canada, both in local jurisdictions and in collaborative provincial and national frameworks:
- by meeting those legislative standards that exist;
- by being acceptable to provincial Privacy Commissioners, data stewards, and Research Ethics Boards (REBs);
- as research organizations and granting agencies are advocates of and for research, the adherence of research organizations to voluntary standards would produce broader support for this research to continue.
- When research groups start working on privacy and data issues, there is interest in utilizing work in progress or completed by other groups as templates that can be adapted to their local circumstances. The template may be modified specifically for local practices and legislation as necessary. However, starting with templates will help build increasingly more commonality across all jurisdictions within a limited financial resource environment.
- HSP Researchers who conform to this voluntary standard could be more likely to have expedited project approval based on alignment with best practices - the up-front provision of data security and privacy protections, balancing of risk and benefit, transparency of purpose, use, retention, and accountability.
- They could also be "pre-certified" for submissions to granting agency competition for funding.
- By making the input group multidisciplinary and making the work transparent to the public, the public will better understand how these data are used and the importance and benefits accruing. Getting the HSPR research house in order will go a long way to gaining public acceptance and support.
Participant Privacy Commissioners/Ombudsman comments affirmed that although these offices would not create the standard for HSPR research, they would review and provide feedback into the frameworks as they are being developed.
Key Discussion Outcomes
Despite initial concern about 1) the need for broader group consultation, and 2) the impracticability of standards coming from the various granting agencies, over the course of the two meetings this opinion was revised. Repositories/custodians/stewards have different sets of issues that need to be incorporated into standards, including estimates of risk, some sort of arms-length review process, types of data released, and articulation of who may have access to the data. Standardizing these across the provinces, while making for more formal processes, would provide uniformity and objectivity at a national scope. Local differences would be augmentive rather than discordant. At a minimum, a standard might certify due diligence at a research "site", providing concordance with local legislation and good internal-to-site standards (policies, procedures, security). The standard could be the basis of 'certification' for the granting agencies, reducing time and expense in compliance evaluation. There was also agreement that it is crucial that the body that produces the standard be credible because of the impact on the standard's legitimacy, relevance, acceptability, and uptake.
Therefore, the intent is that these standards be "taken up" into the CIHR Draft Best Practices document in a separate HSPR section and be positioned for incorporation into the reviewed/revised Tri-Council Policy Statement (TCPS), which at present is not very useful in the area of HSPR. In this context, therefore, the standard could become part of the mandatory funding criteria.
Suggested Inclusions for a Voluntary Standard
- Policy, procedures or processes of estimates of risk, arms-length review process, types of data released, and articulation of who may have access to the data that will address the diverse issues of repositories, custodians and stewards across provinces.
- Certification that there is due diligence at a research “site” – that there is concordance with local legislation and good internal-to-site standards (policies, procedures, security). This could be the basis of ‘certification’ for the granting agencies.
- The standard should include a Privacy Code, standardized information-sharing agreement, common privacy impact assessment, and confidentiality agreement (for faculty and staff).
- Privacy legislation at the provincial levels is generally perceived as enabling research use of personal health information in the absence of consent, but most provincial legislation does not specify how that will take place. Defining this standard would be useful in that it would enable research while providing specification.
Recommendations
- Develop a model that operationalizes the conditions under which access to data is being requested in the absence of consent. This should be reviewed by POs, data stewards, PCs as well as repositories and the research community to ensure that it meets the needs of HSPR.
- The voluntary standard be ‘taken up’ into the CIHR Draft Best Practices document in a separate HSPR section, and be positioned with that document for incorporation into the reviewed/revised Tri-Council Policy Statement (TCPS)
Question 2. REBs and Researchers: the interface. Should privacy safeguards be incorporated into the existing REB review process? Should research be subject to review by an arm of the provincial Privacy Commissioners, alternate arms-length organizations, or part of the granting agency process?
In legislation such as that recently proposed in Ontario in the Personal Health Information Protection Act 2003 (PHIPA), Research Ethics Boards (REBs) will be vetting HSPR projects for privacy, data-sharing, and data security issues. The assessment of threat to privacy balanced against potential societal benefits of HSPR becomes difficult for these bodies without standards (the question becomes whether to recommend the placement of Privacy Officers onto REBs, or to provide REBs with a standard against which they can measure the attention paid to these issues).
Key Discussion Outcomes
There is a real desire to see REBs standardized across the country, including requirements regarding panel membership and numbers, qualifications, expertise, length of service, incorporating the “local view” into decision making, methods for maintaining logs of decisions with reasons for acceptance/rejection of proposals, and mechanisms for accountability to the community. REBs need standardized definitions, lists of key things they should be looking for, guidelines from learned bodies. REBs are also under-resourced, so providing them with quality information about types of projects, methodologies, principles of use and criteria for risk assessment will be invaluable for making determinations about whether the intrusion on the autonomy principle is balanced by potential benefits. The data stewards would then work on minimizing the intrusion on privacy through efforts to reduce the amount of identifiable information and ensuring that the researcher’s qualifications and data security practices are acceptable.
There was discussion about the development (and potential cost-effectiveness) of specialized HSPR REBs, or a national board that looks at these types of proposals, as many REBs don’t always have the expertise to understand processes around major database issues. The TCPS (Tri-Council Policy Statement) explicitly allows for responsibility to be delegated by one REB to another, so if there could be a national REB that examines data linkage protocols, the smaller REBs without the expertise could legitimately accept that approval, although the practical issue of funding limits this possibility.
Suggested Inclusions for a Voluntary Standard
- A standardized REB check-list format for privacy/data sharing issues
- REB accountability needs to be more transparent for the public and made, in some way, externally accountable (? standardized Annual Report of decisions).
Recommendations
- There is need for three phases of review: peer review (methodology and clinical importance); REB review (ethics and protections); and data steward/PO review (data linkage/balancing benefit versus harms). These groups report the need for separation of these functions into discrete and distinct roles.
- Standards for REBs should be revised to reflect changes in research models.
- Standards for REBs to use to evaluate HSPR research proposals should be developed.
Question 3. Resourcing Due Diligence. Doing due diligence on privacy, confidentiality, data security, record keeping, audit functions, training of staff and quality control for security. These activities need constant vigilance for ensuring due diligence. Are there standard processes in place at organizations across the country? Where do the resources come from?
There is interest in the provincial privacy commissioners or equivalent offices playing a role in review as part of a due diligence process. There is also agreement that the public needs to be engaged so that researchers, privacy officers (POs), PCs, REBs understand their concerns and issues.
Key Discussion Outcomes
The issue around due diligence and completing reviews and audits basically comes down to two issues:
- Costs (including time and human resources). The costs of due diligence do not seem to be something that can be included as a line item in grants, but this diligence is expected (it is also the first type of expense to be cut if a grant is reduced). It costs money to train/sensitize staff and put policies and procedures in place, and to maintain training/educational programs for staff. Funding for privacy diligence has to be built into the costs of running research organizations. This needs to become part of overhead or organizational infrastructure and needs to be included when negotiating contracts or submitting grants.
- Manpower issues. It is difficult to find privacy-knowledgeable staff; additionally, it's hard finding qualified individuals/groups to do privacy impact assessments.
Key Action Points
It is crucial that the standard be developed by a credible and representative body. This will ensure the uptake of a legitimate, relevant and acceptable standard. This standard should certify due diligence at a research site, and should be acceptable to hospitals, REBs, PCs, POs, provincial authorities, and will allow "local flex."
One of the most important outcomes of a voluntary standard is the fact that sharing of policies/ procedures templates, privacy codes, data-sharing and research agreements, and confidentiality agreements provides templates for local modification, thereby reducing costs. A common privacy impact assessment will also help ensure some standardization in the research community and help reduce costs.
Suggested Inclusions for a Voluntary Standard
- Develop a standard that allows "local flex" to legislation and PC interpretation. Specify circumstances of use of health data without consent that will satisfy hospitals, REBs, PCs, POs, provincial authorities.
- This standard should certify due diligence at a research site and standards acceptable to PCs (and others).
- The Standards should include process for:
- the needs around facilitating access in the public interest - the interest is NOT the individual but the patterns in the whole population;
- estimates of risk;
- arms-length review process;
- types of data released (accessed);
- who has access;
- the conditions under which access to data is being requested without consent;
- a common Privacy Impact Assessment for projects and for organizations;
- recommendations for agreements around data transfer activities (articulating who is responsible, who is custodian, what are the end responsibilities for all parties).
- Focusing on enabling data flow across provincial boundaries is imperative, to facilitate collaborative research as described in recent national health reform reports, but also to capitalize on the Pan-Canadian natural experiment in health.
Recommendations
- It is crucial that the body developing the standard be credible and representative to ensure the standard’s legitimacy, relevance, acceptability and uptake, i.e., that CIHI, CIHR, Statistics Canada and HSPR researchers, data stewards/custodians, privacy officers, PCs and provincial repository officers work collaboratively to craft a mutually acceptable voluntary standard.
- At a minimum, the standard could certify that there is due diligence at a research “site” – that there is agreement with local legislation and good internal-to-site standards (policies, procedures, security, etc.). Additionally, this could be the basis of ‘certification’ for the granting agencies.
- REBs balance individual interests with the potential societal benefits of an HSPR proposal; data institutions balance threat to privacy versus societal benefits. Consideration of processes of peer review, REB review and custodian/steward review as well as clarification of roles and standards seems needed.
- REBs will need standards by which to measure proposals.
Roundtable III: Accountability
Question 1. How do we communicate effectively with the public about what we're doing in HSPR?
There was a general sense among the participants that there is significant room for improvement in effective communication by the health services and policy research community. Two broad areas that require attention surfaced through the discussions:
- Championing the cause for HSPR - increasing public awareness of the benefits of this research through presentations in public fora, placing educational materials in public health institutions such as hospitals, and using websites to present HSPR information;
- Being transparent and accountable - transparency requires laying out organizational data security/privacy policies and project-specific policies/procedures outlining the types and uses of anonymized personal health information on institute websites. Accountability requires actively tackling the risks and benefits of use to improve the health of the population.
Key Discussion Outcomes
- The HSPR community should advocate actively for HSPR
- The HSPR community needs to communicate effectively with the media about HSPR data uses. Key statements to the public should be:
  - that the interest of HSPR is not focused on the individual but rather on health and disease patterns in the population;
  - the use of the public's data is necessary to ensure the ongoing improvement of the health care system;
  - HSPR is NOT a commercial activity; and
  - accountability oversight procedures are in place.
- The public needs more active information, in simple language, regarding what information is collected and how it is collected, used, accessed and linked. This information should highlight the public benefit of the research and the protections in place to ensure privacy protection.
- In order to create effective communication strategies, there are significant resource implications.
Key Action Points
- Data custodians/researchers need to develop relationships with health reporters (print, radio and television) to teach them how best to interpret and present HSPR.
- Data custodians/researchers should cultivate these relationships so that they can routinely advise/update the media on reportable research outcomes.
- Publicize organizational documents detailing privacy policies as well as project-specific processes for access, use, linkage and disclosure, via web and printed format.
- Create Frequently Asked Questions (FAQs), publicly available in printed media and on web sites, that present the issues, including the public risks and benefits of the uses of anonymized administrative data.
- Brochures should be available at routine data collection points (birth registration, driver's license bureau, hospitals, etc.) outlining the uses of the types of data collected at the site. The organization's privacy documents (including web address to access these documents) should be available for interested members of the public, such as postings of statements/signage that data will be used in an anonymized fashion for planning, projections, evaluations, and research. This could also be a collection point for consent for these uses where necessary.
- Develop a strategic plan for communicating privacy requirements and how this will be financed.
Suggested Inclusions for a Voluntary Standard
- A Best Practices Standard that states that the research will be disseminated (made available) in two ways:
  - scientific format/abstract,
  - public format in simple, easily-understood language.
- List of key points for inclusion in public dissemination of results, i.e., what the public benefit of this research will be, what is to be done with the data (methodology), how data is safeguarded, accountable oversight procedures, accountability structures, available public recourse, etc.
- Articulation of the process for decision-making about data access requests.
- Standardized templates with consistent messages for use by all HSPR researchers for effective communication of HSPR results with the media.
Recommendations
- Co-sponsored workshop (possibly CIHR and media organizations specializing in communicating health research) to facilitate:
  - HSPR researchers and health reporters (print, radio and television) need to develop supportive relationships and learn how to communicate effectively with regional media/journalists about the important outcomes of research projects.
  - HSPR researchers need to teach health reporters how to interpret and present HSPR results.
Question 2: Who owns the database developed in conducting longitudinal research, linkage studies and registries?
Discussion of this topic led to the conclusion that the question shouldn't focus on who owns the data, but rather on what the rights and responsibilities are for use of the data that the custodian or steward maintains.
Key Discussion Outcomes
- There should be "ownership" of the intellectual property accrued through use of the data; not the information itself - the software, technologies, concepts, algorithms developed as the data is used.
- Custodianship or stewardship has many implied costs, such as purchase and maintenance of equipment (servers, personal computers), maintenance and cleaning of data, administration of policies and procedures, etc.
- Providing or denying access to data: what should an appeal process be?
- Health Infoway should be developed in a way that does not impede non-profit statistical and research uses of the data (i.e., that vendors not be in a position to charge on a per-record basis for data coming out of the system).
Suggested Inclusions for a Voluntary Standard
- Develop a model for a chain of best practices for the custodianship/stewardship of the data.
- A standardized template research agreement that addresses the key issues, i.e., data transfer activities, purpose for use, reviews and/or approvals required for use, oversight and documentation mechanisms, data protections, and a plan for wide dissemination of outcomes which includes feeding the results back to the ‘owner’ (data provider).
Recommendations
- Develop questions for consideration by authorities about liability of the research institute, the university and/or the researcher and staff.
Question 3: Chart review in HSPR vs. chart review in QA: what’s the difference? What’s the downstream accountability?
There was consensus that chart review in HSPR seeks generalizable knowledge, whereas chart review in QA is a necessary part of the process to manage care.
Key Discussion Outcomes
- Concern was expressed about a possible double standard as QA/QI in hospitals seems to lack focus and standards, to the extent that these exercises seem at times to go further and contact is made with patients for them to comment on their quality of care.
- The question was discussed, "Why is the tolerance of the public and privacy advocates different for these activities?" In HSPR, the data is also anonymized.
- When electronic health records are commonplace, there will be a blur between what is research and what is QA, such as when looking at changing physician behaviours. We should be asking ourselves if anything we do within the system is over and above regular care, and these areas should be reviewed for the implications for patients and the risk/harms potential - including doing things to change behaviours in test ordering or drug prescription.
- When the research community adopts "best practices", these may also be applicable to QA/QI to help improve methodologic rigour. To reduce costs, ensure quality and provide transparency of proposals and approvals of QA/QI, successful programs could be placed on a website (like CIHR, OHA, other regional health authorities) as demonstration projects for other hospitals to use.
Recommendations
- When the research community adopts “best practices”, these may also be applicable to QA/QI to help improve methodologic rigour. To reduce costs, ensure quality and provide transparency of proposals and approvals of QA/QI, successful programs could be placed on a website (like CIHR, OHA, other regional health authorities) as demonstration projects for other hospitals to use.
Question 4: Registries and consent in HSPR. Is there need for consent in registries when the data use planned is HSPR?
Consent and the need for consent in HSPR is a major issue. It was suggested that specific examples of wording addressing the distinctions between when consent is required and when it is not would be useful.
Key Discussion Outcomes
- Approaches suggested: 1) the individual researcher works with provincial guidelines and whatever approach they develop; 2) the Statistics Canada type model, where researchers come to an agency that has legislation or clearly understood guidelines for accessing data in a registry - where under some circumstances it can be done without consent; 3) use the BC distinctions regarding the type of challenge the research poses to privacy in terms of the type of consent required - with the key distinction being whether or not you are going to re-contact the individuals. Another important distinction would exist if the data was going to be used to target an individual, in which case it is not HSPR and would require consent.
- More complex situations discussed included ones in which the same electronic record is used for commercial (vendor is supporting registry), administrative and research purposes. An REB's general assumption for research is that consent is required.
- Concern was expressed that registries are broad, general-purpose databases used for hundreds of studies. To achieve true informed consent would mean explaining to each individual the risk/benefits and consequences for them as individuals, which is impossible and impracticable.
- Consent is just one of many privacy protections that are in place.
- The concept of impracticability cannot be evaluated in isolation. Benefit and the cost of getting the wrong answer are additional considerations - if one gets the "wrong" answer, there is potential harm. As such, the notion of impracticability has to be weighed in terms of benefits and risks.
- The issue of selection bias in study cohorts is strongly associated with obtaining individual consent.
- Informed consent for registries should be more about process, standards and governance. Once a registry is begun, there should be mandatory standards for researchers to follow.
- There is over-concern about consent, and the focus should be more on protecting people's interests and not allowing them to be exploited.
Suggested Inclusions for a Voluntary Standard
- Specific examples of wording around need for consent or not, and why distinctions are made – something that would stand up to concerns of privacy advocates and when legislators are reviewing legislation.
- Best practice standards for researchers to use disease registry information, such as a diabetes registry.
- Best practice standards should retain a focus on protecting the public privacy interest.
Recommendations
- Develop an affirming research communication strategy for public dissemination of study results, which includes a statement that the availability and use of the data enabled the development of conclusion “x.”
Roundtable IV: The Fuzzy Box - Data Stewardship and Management
Question 1: Stewardship offices have to be able to serve both privacy and research interests simultaneously but impartially. Research needs champions. This should be a designated person who can solve problems and arbitrate in the privacy process. Who would that be?
Impartial management and service to both privacy interests and research interests is difficult. Discussion took place of the need for an individual/group who can problem-solve and arbitrate in the process. In some contexts there has been discussion of the REB providing privacy input, and in others of Privacy Commissioners (PCs) doing so. Neither is entirely satisfactory, but each has its advantages.
Participants discussed the advantage of having a stewardship office, where individuals, acting as stewards with no vested interest in the projects, reviewed and "triaged" both privacy and research interests together. There was animated discussion as to whether all of the tasks and responsibilities can be bundled into one person. There are issues around Privacy Officer (PO) roles, stewardship roles, data security/management roles. Certain principles (CSA standards) may align with certain roles better than others. Researchers or statisticians combining decisions on whether a record linkage project is a worthy one in the public interest (taking on a REB role) may combine too many roles in one body. Most institutions that are data holders are usually affiliated with teaching institutions and, as a mission, have a significant research function. HSPR are research advocates - accountable to principals with data use restrictions - but don't want to be barriers to legitimate research.
Key Discussion Outcomes
Administrative data institutes in Canada seem to fall into three categories:
- Those who act as data stewards, where researchers make requests and are provided with data (Sask and NS);
- Those who do both functions - research and provide data (CHSPR in BC); and
- Shops that are "closed" and weighted towards the research function. They don't truly act as data custodians (ICES and MCHP).
Stewardship, management and organization should be considered in the context of these different research settings - custodianship and stewardship of registries, administrative databases and multi-purpose databases. Stewards are decision-makers regarding use of data for benefit, and are accountable for allowable and proper use of data; data security is the concern of custodians, but this can include activities where other associated individuals make decisions about appropriate use.
Many organizations spoke of providing two functions - privacy review as well as reviewing complex, sensitive and precedent-setting projects (involves complex data linkage or national, multi-site studies) - creating a pressure between research needs and privacy needs. The usual rules include:
- Use the least data possible with the highest level of aggregation.
- Have a process of multiple reviewers with each signing off.
- Have an internal process for access of use, privacy concerns and an arbitration process with oversight from REBs and the PC.
- Trickling privacy concerns into the REB or PC: decisions about worthiness of a project and/or balancing benefits and risks against privacy. This varies between organizations. Some have approvals for programs of research as compared to having each project approved by a REB. Some require that the proposed research must first meet a mandate of the organization. Discussion of trying to disentangle privacy from the role of facilitating research, separating these roles into research advocate and someone who protects the privacy interests - leading to good research, appropriate use, benefit to public, low risk from manpower, capacity and knowledge/familiarity perspectives. A system that separates all these functions may be "purer", but not practical.
- How best to set up these responsibilities? Some chose to focus as an organization under the role of due diligence to responsibilities as custodians, stewards and researchers: making everything as transparent as possible, following a mandate, peer review of projects, setting up appropriate accountability mechanisms, working with the REBs so they review policies/procedures and make recommendations to help as well as reviewing all projects, establishing a relationship with the PC's office and involving them in reviewing practices and policies/procedures.
Suggested Inclusions for a Voluntary Standard
- Most organizations deal with data access, privacy, and related concerns, but everyone has a different process – looking with a broad lens, they all basically have the same procedures in place.
- Have an internal process for access, use, and addressing privacy concerns – and an arbitration process with oversight from REBs and the PC.
- Use the least data possible with the highest level of aggregation.
Recommendations
Model of:
- POs having accountability for all principles, plus, depending on how the organization is set up, some kind of audit function and monitoring that the institution pays attention to all the principles;
- REBs will assess identifying purpose, consent issues, security safeguards and transparency;
- Data stewards will assess limiting use, accuracy, safeguard security, transparency. Both the REB and the data stewards would assess compliance. Principles seem to align with functions of these different roles.
Question 2: How would the process work? When there are problems and inquiries about stewardship, there needs to be proof of due diligence and oversight mechanisms that will stand up to scrutiny. There should be standardized processes for ensuring accountability among HSPR researchers. Consistent rules and mechanisms would ensure this. Where do these processes come from and who should develop them?
Key Discussion Outcomes
- HSPR research should work with other appropriate groups to help REBs become sufficiently educated about HSPR privacy issues. This will help REB members make informed decisions around these issues rather than issues around human subjects and risk/benefit. Privacy in HSPR is also evolving, not static. REBs do pay attention to some security issues (files password-protected, locked storage, etc.), but the data stewards (and Privacy Officers) are the ones that actually implement. Consider drafting a guideline to help with this important issue.
- In large organizations, roles can be distinct enough that there is a sufficiently dynamic and respected process looking at privacy and ethical issues, as long as there is external audit (PIA). Importantly, this is not always possible in smaller organizations. There are many strategies for establishing good accountability and for doing due diligence, but the principle is more that there should be appropriate oversight: proposal review, REBs, privacy oversight. The tasks and responsibilities identified for inclusion in a review process are: appropriate use of data; worthiness of research project/program; balancing benefits and risks to the public against individual privacy; the research meets the mandate of the organization, which must be a socially worthy one.
- A Health Canada – Tri-Council committee is augmenting the Tri-Council Policy Statement (TCPS) and developing guidelines/standards for REBs. Additionally, REBs need training in the differences between large administrative database use versus clinical trials because the standards are not very portable between the two. TCPS says that properly constituted REBs must make decisions on what is approvable research. However, the TCPS provides the opportunity for an institution to turn down research even if it’s REB-approved; a population health research institute could do the same thing if it felt that standards of data security were not high enough. When research is turned down in this scenario, it’s justified by the TCPS, which says that the REB has to have someone knowledgeable about that area of research in order to help guide approval. Lacking expertise, they should not review/approve these types of projects. Importantly, REBs need resources, standards, guidance and tools to help them make better decisions with better consistency.
- One answer might be to have specialized REBs. All institutions don’t have to deal with HSPR issues around large database use, and to help keep costs down, it might be reasonable to consider that route (perhaps a national REB for database access requests). However, adherence to Tri Council guidelines is necessary to hold funds from Canadian granting agencies.
- There needs to be further discussion about privacy violations and the liability constructed in another forum. Institutions (universities and/or the researchers) are also ultimately accountable for any violations. REBs have been successfully sued for the death of a patient in a clinical trial. If the REB, from the institutions’ perspective, is part of their due diligence towards ensuring that they’re doing all they can do, what is its liability in the HSPR situation?
- Bigger issues are costs and time around these issues: enormous amounts of effort to resolve modest issues for both hospitals and researchers. Perhaps directives from the MoH or provincial authorities asking hospitals to cooperate in these initiatives would help because these would relieve the individual hospitals from having responsibility and the authority to make those decisions. Hospitals too are having problems with understanding PIPEDA and privacy principles; large hospitals, small hospitals – but so are researchers. As a general comment, all these problems are related to a lack of knowledge and lack of an educational component. It is and will be an uphill struggle to try and do your best to orient people to the issues and their responsibilities.
- There can be significant time lags in applying for and receiving data, and in signing research agreements – all of which influences other components, such as timelines with granting agencies. These major lags can make funders very hesitant. Looking for bottlenecks in the process (and alleviating these or understanding them) would go a long way to making things work more smoothly.
- Cross-province research: everyone wants to do it. Bottom line, local influences and legislation have to be taken into account, but as long as there are common process standards and the data goes to a confirmed/accredited/certified “safe” spot with an audit trail in place, this would go a long way to meeting that large objective.
- Discussion of an arbitration mechanism when privacy and research are at odds. Projects are being proposed that have had due diligence done around privacy protections but were turned down; much of the difficulty is because of different definitions and different standards. Impartiality of the PC office makes it an acceptable arbiter.
Suggested Inclusions for a Voluntary Standard
- Define roles for data custodians, stewards, privacy officers.
- Chain of approvals for HSPR should include: peer review of proposal, REB review, privacy review (POs and/or PCs) as part of voluntary standard.
- Put certifications in place to expedite processes (through PCs) for granting agencies, hospitals, institutes, reviewed annually or biannually.
Recommendations
- Designate Privacy Officers with responsibility for the organization’s due diligence, part of which is setting up accountability.
- The monitoring function should accrue to the Ombudsman/PC's office, to help keep the organization in balance by offering guidance, creating backup and depth. These offices might also provide an arbitration mechanism when privacy and research are at odds.
- There is a need for internal and external audit. Research organizations have a huge interest in ensuring that there is no violation of privacy and confidentiality. These systems of accountability and oversight have to be able to stand up to external scrutiny.
- Resources and education for REBs are a priority in HSPR.
- Cross-province research is being called for: local influences and legislation have to be taken into account, but as long as there are common process standards and the data goes to a confirmed/accredited/certified “safe” spot with an audit trail in place, this is possible.
Integrating the Knowledge: Recommendations
Voluntary Standard of Privacy Protections for Health Services & Policy Research
1. Why a Voluntary Standard?
As there will never be identical and seamless privacy legislation across the country, there needs to be some sort of an acceptable, interoperable voluntary standard to which all HSPR researchers can comfortably subscribe. This "harmonization" of standards will hopefully facilitate HSPR across Canada, both in local jurisdictions and in collaborative provincial and national frameworks, not only by meeting those legislative standards that exist, but also being acceptable to provincial Privacy Commissioners, data stewards, and Research Ethics Boards (REBs). HSP Researchers who conform to this voluntary standard would be more likely to have expedited project approval based on alignment with best practices - the up-front provision of data security and privacy protections, balancing of risk and benefit, transparency of purpose, use, retention and accountability. They could also be "pre-certified" for submissions to granting agency competitions for funding.
Such a voluntary standard could also provide an authoritative source that has rigorously reviewed privacy in HSPR against the background of PIPEDA's Ten Guiding Principles. A consensus set of standards would be important from at least two points of view:
- Over the next one to two years, it would be potentially useful in any sort of court challenge;
- Would inform the amending process of PIPEDA, speculated to take place in 2005, and proactively position HSPR needs.
There is significant interest by HSP researchers in the opportunity to study the Canadian health care system by exploiting the Pan-Canadian “natural experiment” that is ongoing and that requires much more focus on data sharing across provincial boundaries.
2. Who Should Help Develop the Voluntary Standard?
The voluntary standard should not come from a process that has not actively involved HSPR researchers, familiar with working with large, linked administrative databases and population-based registries. Some parallel attempts at such standards do not deal well with highly important issues such as consent in HSPR, and differentiating QA/QI initiatives. Although the voluntary standard should be acceptable to the granting agencies, the Workshop membership generally felt that the standard itself should not come from granting agencies.
Individuals who should be involved in the voluntary standard development include:
- HSPR investigators
- Repository representation
- Privacy Officers
- Data Stewards
- Privacy Commissioners
- REB chairs
- Representatives from granting agencies
- Public representation
- Health Records specialists
- Health Law specialists
The Workshop membership also felt it was highly important that there be public consultation of the documented standards, which would include profiling the public benefit of HSPR.
3. What Should be Considered for Inclusion in the Privacy Toolkit for HSPR
Tools that should be considered for inclusion in this voluntary standard include:
- Institutional/Privacy Codes
- Standardized information-sharing agreements
- Standardized Privacy Impact Assessments (PIAs)
- Standardized policies and procedures for data protection
- Confidentiality agreements for all staff
- Active privacy orientation for all new staff
- Standardized accountability processes
- Active and on-going staff education
- Information for the public about privacy and data-security protections
- Bi-annual review of policies and procedures by provincial Privacy Commissioners
- Table of equivalences for definitions and/or a list of glossary terms articulating the local definition variances or frames of reference.
4. Next Steps:
A. Developing a Voluntary Standard:
- Name a group or body to develop the standards as well as the process. This group should include Privacy Commissioners/Ombudsman, data custodians, data stewards, researchers, health records specialists, health law specialists and the public.
- This group must be credible to ensure the standard's legitimacy, relevance, acceptability and uptake.
- The initial process may include a systematic review of all current standards (i.e., CIHI, BC Health Information Standards Council, CIHR, Tri-Council Policy Statement) to develop the framework that complements and builds upon the standards already in place.
- Previous work by other groups can become the basis of the templates that are adapted to local circumstances, which may be made as specific as necessary to local practices and legislation. Starting with templates is cost effective and will help build commonality across all jurisdictions.
B. Other Important Issues to which we should Turn Our Attention
- It's important to capitalize on one of the major undeveloped opportunities in this country - to exploit the Pan-Canadian natural experiment in health that is going on every day. That will require much more focus on data flow across provincial boundaries, which PIPEDA makes difficult. This area needs much more attention.
- This type of voluntary standard could serve for a few years until PIPEDA is reviewed (projected for 2006) but also serve as help for the amending process for PIPEDA. Participate actively in facilitating the collection of information to lead to possible PIPEDA revisions. Research seems to be "hanging out there, unattended."
- The standard could provide guidance in decision-making - be an "authoritative statement" - if there are any court challenges in HSPR (the standard being seen as 'voluntary guidelines').
- Where do the funds come from to resolve these issues? Research costs of implementing/maintaining privacy due diligence.
- Develop training materials for REBs about the conduct of HSPR.
- Promote capacity building in research ethics with explicit expertise in privacy, confidentiality, data management.
- Encourage Privacy Commissioners and oversight bodies to extend equivalent protection strategy to other countries with comparable oversight systems:
  - Australia, New Zealand, Denmark, United Kingdom;
  - Economically-developing countries for whom HSR will be a major route to health.
Summary
The specific intent of these workshops was to consolidate needs/knowledge to develop recommendations for a privacy voluntary standard for Canadian HSPR. Specific objectives included:
- Presentation and discussion of some of the privacy standards for HSPR in each of the provincial jurisdictions to familiarize participants with best practices as well as concordant/discordant areas;
- Sharing of privacy codes, policies and procedures to facilitate intra-organizational standards for privacy;
- Creation of a networking opportunity for researchers with similar goals and potentially disparate rules of operation;
- Consolidation of needs/knowledge, development of recommendations for harmonized privacy standards for HSPR that have the potential to meet the intent of both federal and provincial legislation and which will foster inter-jurisdictional, intra-provincial and national research opportunities;
- Presentation and discussion of international standards for HSPR by invited international experts to familiarize participants with concordant/discordant areas.
The workshops were a positive experience for participants; we surprised each other with similarities (rather than differences) of experience and needs, and affirmed that we're on the right track. The workshops generated direction, providing an unusual networking opportunity for the HSPR community, provided a collegial forum for discussion of what might be the basis of a voluntary privacy "best practices" standard for Canadian HSPR researchers, and helped us, as a group, make collective recommendations and decisions on next steps. The invited speakers confirmed the wide scope of privacy issues in HSPR, but envisioned possibilities, not just barriers, to research. The creation of a voluntary standard of privacy "best practices" should strategically improve access to inter- and intra-provincial research opportunities, as well as favourably position Canadian health services and policy researchers for both national and international research activity.
By collecting a "toolkit" of privacy/data security practices, policies and procedures from participants' organizations across Canada and bringing these together on a shared CD, we were able to provide templates that could potentially save our organizations time and expense. Sharing information in the toolkit facilitates better use of resources by not having to "reinvent the wheel", as well as standardizing an approach to privacy practices and policies. It was not our intention to require that workshop participants disclose highly detailed privacy/security strategies which might jeopardize the security of systems in place, but rather that they provide general principles and best practices which can be tailored to the individual needs and legislative requirements of other research groups, as well as contacts for further consultation. Additionally, CIHR's keen interest in knowledge translation activities of deliverables that are of practical use to the research community at large should be well served. Finally, the call to describe the current status of population-based health and health services databases and their potential for use in innovative, important health research in Canada will require tools such as those proposed here to navigate and create opportunities for national collaboration; tools that will be essential in helping plan strategic investments in population health and HSPR.
Appendix 1: Funding Partners
Funding Partners for this Initiative include:
Canadian Institute for Health Information Canadian Population Health Initiative
And the following Canadian Institute for Health Research (CIHR) Institutes:
Institute of Health Services and Policy Research
Institute of Population and Public Health
Institute of Neurosciences, Mental Health and Addiction
Institute of Aboriginal Peoples Health
Institute of Human Development, Child and Youth Health
Institute of Genetics
Institute of Aging
Institute of Nutrition, Metabolism and Diabetes
Institute of Cancer Research
Additional funding provided by Weir Foulds LLP's Health Law Group
Appendix 2: List of Workshop Invitees/Participants
Arbour, Dr. Laura
Assistant Professor,
UBC Department of Medical Genetics,
4500 Oak St.
Vancouver, BC V6H 3N1
larbour@cw.bc.ca
Agnew, Alex
Director of Corporate Services
Health Quality Council of Saskatchewan
241 - 111 Research Drive,
Saskatoon, SK S7N 3R2
(306) 668-8821
aagnew@HQC.sk.ca
Bartlett-Esquilant, Dr. Gillian
McGill University
Royal Victoria Hospital
Dept. of Medicine,
Clinical Health and Informatics Research
Morrice House
1140 Pine Ave.
Montreal, QC H3A 1A1
(514) 934-1934 Ext. 32979
gillian.bartlett@mcgill.ca
Boufford, Judy
Workplace Safety & Insurance Board
200 Front Street West, 20th Floor
Toronto, ON
judy_boufford@wsib.on.ca
Bower, Peter
Executive Director
Access & Privacy
Office of the Ombudsman
750 - 500 Portage Avenue
Winnipeg, MB
(204) 982-9130
(204) 942-7803
pbower@ombudsman.mb.ca
Burchill, Charles
Senior Systems Analyst
Manitoba Centre for Health Policy
Dept of Community Health Sciences,
University of Manitoba
408 - 727 McDermot Avenue
Winnipeg, MB R3E 3P5
(204) 789-3429
(204) 789-3910
charles_burchill@umanitoba.ca
Carr, RJ
Policy Analyst
Government of Nunavut
Department of Health & Social Services
PO Box 1000, Station 1000
Iqaluit NU X0A 0H0
(604) 822-5059
(604) 822-5690
Rcarr@gov.nu.ca
Cavoukian, Ann
Privacy Commissioner of Ontario
Office of the Information and Privacy Commissioner of Ontario
80 Bloor St West, Suite 1700
Toronto, ON
(867) 975-5718
(867) 975-5733
commissioner@ipc.on.ca
Chapman, Sheila
Project Manager - Privacy Initiative
CIHR Institute of Health Services & Policy Research
410 Laurier Ave. West 9th Floor, 209A
Ottawa, ON K1A 0W9
(613) 954-1803
(613) 941-1040
schapman@cihr-irsc.gc.ca
Collins, Paulette
Senior Administrator
Manitoba Centre for Health Policy
Dept of Community Health Sciences,
University of Manitoba
408 - 727 McDermot Avenue
Winnipeg, MB R3E 3P5
(204) 975-7730
(204) 789-3910
paulette_collins@cpe.umanitoba.ca
Dowler, Judith
Health Canada
Health Care & Issues Div.
Health Promotion and Programs
Ottawa, ON K1A 1B4
(613) 941-7561
(613) 948-2110
judith_m_dowler@hc-sc.gc.ca
Flewelling, Tim
Information Architect
Health and Wellness
Government of New Brunswick
(506) 453-2871
(506) 444-5505
tim.flewelling@gnb.ca
Gibson, Elaine
Associate Professor/Associate Director
Health Law Institute
Dalhousie Law Faculty
6061 University Avenue
Halifax, Nova Scotia B3H 4H9
(902) 494-6882
(904) 494-6879
Elaine.gibson@dal.ca
Gideon, Valerie
Director, First Nations Centre
National Aboriginal Health Organization
130 Albert Street, Suite 1500
Ottawa, ON K1P 5G4
(613) 233-1543 Ext. 501
Direct (613) 566-5970
(613) 233-1853
vgideon@naho.ca
Grant, Debra
Research Officer
Privacy Commissioner of Ontario
80 Bloor Street West, Suite 1700
Toronto, ON M5S 2V1
(416) 326-3333
(416) 325-9195
dgrant@ipc.on.ca
Herbert, Carole
Manager, Ontario Cancer Registry & Privacy Officer
Cancer Care Ontario
620 University Ave.
Toronto, ON M5G 2L7
(416) 217-1245
(416) 971-6888
Carole.Herbert@cancercare.on.ca
Hutchison, Brian
Director, CHEPA
McMaster University
1200 Main Street West
Hamilton, ON L8N 3Z5
(905) 525-9140 Ext. 22123
(905) 545-5211
hutchb@mcmaster.ca
Jackson, Phil
Director Health Information Privacy Branch
Ministry of Health and Long-Term Care
101 Bloor Street West
Toronto, ON M5S 2Z7
(416) 327-4395
(416) 314-8275
phil.jackson@moh.gov.on.ca
Kendall, Ora
Chief, Data Development & Exchange Program
Population & Public Health Branch,
Health Canada
130 Colonnade Rd., Rm 371A,
Nepean ON K1A 0K9
(613) 954-2268
(613) 957-6218
Ora_Kendall@hc-sc.gc.ca
Kephart, George
Director, Population Health Research Unit
Dalhousie University
Community Health and Epidemiology
5849 University Avenue
Halifax, NS B3H 4H7
(902) 494-5193
(902) 494-1597
George.Kephart@dal.ca
Kosseim, Patricia
Acting Director, Ethics Office
Canadian Institutes for Health Research
410 Laurier Ave. West 9th Floor, 209A
Ottawa, ON K1A 0W9
(613) 954-1801
(613) 941-1040
PKosseim@cihr.ca
Larsen, Craig
Institute Manager
CIHR Institute of Health Services & Policy Research
209 - 2150 Western Parkway
Vancouver, BC V6T 1V6
(604) 222-6874
(604) 224-8635
clarsen@ihspr.ubc.ca
Laupacis, Dr. Andreas
President & CEO
Institute for Clinical Evaluative Sciences
G106 - 2075 Bayview Avenue
Toronto, ON M4N 3M5
(416) 480-4297
(416) 480-6048
alaupacis@ices.on.ca
Lix, Dr. Lisa
Researcher,
Manitoba Centre for Health Policy
Dept of Community Health Sciences,
University of Manitoba
408 - 727 McDermot Avenue
Winnipeg, MB R3E 3P5
(204) 975-7799
(204) 789-3910
lisa_lix@cpe.umanitoba.ca
McDonald, Lucy
Director of Communications & Privacy
Newfoundland & Labrador Centre
for Health Information
1st Floor Crosbie Bldg.,
1 Crosbie Place
St. John's, NL A1B 3Y8
(709) 757-2424
(709) 757-2411
lucym@nlchi.nf.ca
Malone, Lorna
Consultant
Research, Analysis & Infrastructure,
Canadian Population Health Initiative
Canadian Institute for Health Information
377 Dalhousie Street, Suite 200,
Ottawa, ON K1N 9N8
(613) 241-7860, ext. 4132
(613) 241-8120
lmalone@cihi.ca
McGrail, Kimberlyn
Research Associate
Centre for Health Services and Policy Research
429 - 2194 Health Sciences Mall
Vancouver, BC V6T 1Z3
(604) 822-8044
(604) 822-1370
kmcgrail@chspr.ubc.ca
Meslin, Dr. Eric
Director,
Indiana University Center for Bioethics
714 North Senate Avenue
Suite EF 200
Indianapolis, IN 46202
Tel 317-278-4034 or 317-278-4036
Fax 317-278-4050
emeslin@iupui.edu
Momborquette, Duane
Director, Health Planning
Saskatchewan Health
3475 Albert Street
Regina, SK S4S 6X6
(306) 787-3160
(306) 787-2974
dmombourquette@health.gov.sk.ca
Mustard, Cam
President and Scientific Director
Institute for Work & Health
481 University Ave.,
Suite 800
Toronto, ON M5G 2E9
(416) 927-2027 Ext. 2143
(416) 927-4167
cmustard@iwh.on.ca
Nahwegahbow, Amy
Researcher/Writer, First Nations Centre
National Aboriginal Health Organization
130 Albert Street, Suite 1500
Ottawa, ON K1P 5G4
(613) 233-1543
(613) 233-1853
anahwegahbow@naho.ca
Neville, Doreen
Associate Professor
Health Policy & Health Care Delivery,
Faculty of Medicine
HSC Room 2837,
Memorial University of Newfoundland,
Prince Philip Drive,
St. John's NFLD A1B 1V6
(709)777-6215
(709)777-7382
dneville@mun.ca
Noseworthy, Dr. Tom
Professor and Head,
Dept of Community Health Sciences
Director, Centre for Health and Policy Studies
University of Calgary
3330 Hospital Drive NW
Calgary, AB T2N 4N1
(403) 220-2481
(403) 270-7307
tnosewor@ucalgary.ca
Ries, Nola
Research Associate/Project Manager
Health Law Institute, Law Centre,
University of Alberta
Edmonton, AB T6G 2H5
(780) 492-7577
(780) 492-9575
nries@law.ualberta.ca
Robens Paradise, Yoel
Director, Health Record Services
and Privacy Officer
St. Paul's Hospital
1081 Burrard Street
Vancouver, BC V6Z 1Y6
(604) 806-9098
(604) 806-9006
yparadise@providencehealth.bc.ca
Roch, Joan
Chief Privacy Officer
Canadian Institute for Health Information
377 Dalhousie Street
Ottawa, ON K1N 9N8
(613) 241-7860
(613) 241-8120
jroch@cihi.ca
Roos, Noralou
Professor and Director
Manitoba Centre for Health Policy
Dept of Community Health Sciences,
University of Manitoba
408 - 727 McDermot Avenue
Winnipeg, MB R3E 3P5
(204) 789-3319
(204) 789-3910
noralou_roos@cpe.umanitoba.ca
Samis, Stephen
Manager, Research, Analysis and Infrastructure
CPHI Secretariat
377 Dalhousie St., Ste. 200
Ottawa, ON K1N 9N8
613-241-7860 Ext. 4129
613-241-8120
ssamis@cihi.ca
Slaughter, Pamela
Privacy Officer
Institute for Clinical Evaluative Sciences (ICES)
G Wing, 2075 Bayview Avenue
Toronto, ON M4N 3N5
(416) 480-4055 Ext. 1- 3886
(416) 480-6048
pam@ices.on.ca
Shortt, Dr Samuel
Director
Centre for Health Services and Policy Research
Queen's University
Kingston, ON K7L 3N6
(613) 533-6387
(613) 533-6353
seds@post.queensu.ca
Spencer, Pamela
General Counsel, Corporate Secretary & Chief Privacy Officer
Cancer Care Ontario,
620 University Avenue
Toronto, ON M5G 2L7
(416) 217-1223
(416) 217-1249
pamela.spencer@cancercare.on.ca
Stranc, Leonie
Decision Support Services
Manitoba Health
300 Carlton St.
Winnipeg, MB R3M 3M9
(204) 786-7204
(204) 772-7213
lstranc@gov.mb.ca
Stanley, Dr. Fiona
Director,
Telethon Institute for Child Health Research
University of Western Australia
PO Box 855
WEST PERTH WA 6872
AUSTRALIA
(08)9489 7967 (Telethon Institute for Child Health Research)
(08)9476 7800 (Australian Research Alliance for Children and Youth)
Sullivan, Dr. Terry
Vice President, Research & Cancer Control
Cancer Care Ontario
620 University Ave.
Toronto, ON M5G 2L7
(416) 217-1244
(416) 217-1243
terry.sullivan@cancercare.on.ca
Tamblyn, Dr. Robyn
Epidemiologist
McGill University
Royal Victoria Hospital
Div. of Epidemiology and Biostatistics
Room 4.11
Montreal, Quebec H3A 1A1
(514) 842-1231 Ext. 6902
(514) 843-1493
robyn.tamblyn@mcgill.ca
Tarshis, Debbie S.
Partner
Weir Foulds LLP
The Exchange Tower, Suite 1600
PO Box 480, 130 King St. W.
Toronto, ON M5X 1J5
(416) 947-5037
(416) 365-1876
dtarshis@weirfoulds.com
Tkachenko, Laurisa
Director, Privacy Office
Workplace Safety & Insurance Board
200 Front Street West, 20th floor
Toronto, ON
(416) 344-3685
laurisa_tkachenko@wsib.on.ca
Van Til, Dr. Linda
Epidemiologist
PEI Department of Health and Social Services
PO Box 2000
Charlottetown, PEI C1A 7N8
(902) 368-4964
(902) 368-4969
lvtal@gov.pe.ca
Watson, Dr. Diane
Assistant Director,
Institute of Health Services and Policy Research,
CIHR
403- 2194 Health Sciences Mall
Vancouver, BC V6T 1Z3
(604) 822-3136
dwatson@chspr.ubc.ca
Weisbaum, Karen
Privacy Consultant and Project Manager
Centre for Evaluation of Medicines,
Dept. of Clinical Epidemiology & Biostatistics,
McMaster University
11 Balaclava Street
Kingston, ON K7L 1J4
(613) 546-0999
kmweisbaum@sympatico.ca
Wilkinson, John
Partner
Weir Foulds LLP
The Exchange Tower, Suite 1600
PO Box 480, 130 King St. W.
Toronto, ON M5X 1J5
(416) 947-5010
(416) 365-1876
jwilkinson@weirfoulds.com
Williams, Dr Jack
Senior Scientist
Institute for Clinical Evaluative Sciences (ICES)
G Wing, 2075 Bayview Avenue
Toronto, ON M4N 3N5
(416) 480-4055 Ext. 1- 4780
(416) 480-6048
jack.williams@ices.on.ca
Willison, Dr. Don
Scientist, Assistant Professor
Centre for Evaluation of Medicines,
Dept. of Clinical Epidemiology & Biostatistics,
McMaster University
105 Main Street E, P1
Hamilton, ON L8N 1G6
(905) 522-1155 Ext. 4911
(905) 528-7386
willison@mcmaster.ca
Wolfson, Dr. Michael
Assistant Chief Statistician,
Analysis & Development
Statistics Canada
R.H. Coats Bldg.,
26th Floor, Section K
Tunney's Pasture
Ottawa, ON K1A 0T6
(613) 951-8216
(613) 951-5643
wolfson@statcan.ca
Appendix 3: Agenda - Phase I
Harmonizing Research & Privacy: Standards for a Collaborative Future
Toronto Eaton Centre Marriott Hotel
October 27 & 28, 2003
Monday, October 27
Day 1: “Soundbites: Sharing Our Experience”
0830 - Registration/Continental Breakfast – 2nd Floor, KING Meeting Room foyer
0900 - Paulette Collins: Sr. Administrator, Manitoba Centre for Health Policy: Welcome and Introduction of Jack Williams
0905 - Jack Williams, Principal Investigator, Senior Scientist, ICES: Why We’re Here and What We Want to Accomplish – Putting our Houses in Order. (20 minutes)
0925 - Ann Cavoukian, Information and Privacy Commissioner of Ontario: Welcome (10 minutes)
0935 - Peter Bower: Executive Director, Access and Privacy, Ombudsman of Manitoba: “The Importance of Consultation in the Public or Community Interest” (10 minutes)
0945 - Nola Ries: Project Manager, Health Law Institute, University of Alberta – “Legal Issues in Population Health” (30 minutes)
1015 - Joan Roch – Privacy Officer, Canadian Institute for Health Information: “Data Sharing Issues/Challenges” (20 minutes)
1035 - Valerie Gideon – Director, First Nations Centre, National Aboriginal Health Organization: “First Nations Perspective on Research and Privacy” (20 minutes)
1055 - Coffee Break (15 minutes)
1110 - George Kephart, Director, Population Health Research Unit, Dalhousie University: “Accountability, Transparency and Building Public Trust.” (20 minutes)
1130 - Robyn Tamblyn, Associate Professor, Departments of Medicine, Epidemiology and Biostatistics, McGill University: “The Quebec Experience in HSR” (20 minutes)
1150 - Patricia Kosseim: Sr. Ethics Policy Advisor, Canadian Institutes for Health Research. “Update on CIHR-related Activities” (20 minutes)
1210 - Elaine Gibson, Associate Director, Health Law Institute, Dalhousie University. “In the Absence of Legislation: Accountability and Oversight - Tell Us What to Do” (15 minutes)
1225 - Question Period (10 minutes)
1235 - Lunch (1 hour) generously provided by WeirFoulds LLP Health Law Group
1335 - Terry Sullivan: VP Research, Cancer Care Ontario: “Painting a Picture of Those Who Say No” (15 minutes)
1350 - Kim McGrail, Research Associate, BC Centre for Health Services and Policy Research: “Overview of the BC Health Linked Database Access Policy: Levels of Ethical Challenge” (15 minutes)
1405 - Lucy MacDonald, Director of Communications, Newfoundland and Labrador Centre for Health Information: “Newfoundland and Labrador: Moving Forward Without Provincial Legislation” (10 minutes)
1415 - Yoel Robens Paradise, Director Health Services and Privacy Officer, St. Paul’s Hospital, Vancouver: “Health Research vs. Quality Assurance: the Issue and Implications” (20 minutes)
1435 - Judith Dowler, Health Canada: “Researching the Health of First Nations and Inuit: the Health Canada Perspective” (10 minutes)
1445 - Charles Burchill, Privacy Officer and Senior Systems Analyst, Manitoba Centre for Health Policy: “Practical Applications in Access and Use of Manitoba data” (10 minutes)
1455 - Pam Slaughter, Privacy Officer/ Sr. Research Coordinator, ICES: “ICES Web-based Privacy Orientation for Researchers and Staff” (10 minutes)
1505 - Linda Van Til, Epidemiologist, PEI Dept. of Health & Social Services: “Research and Privacy: PEI” (10 minutes)
1515 - Cam Mustard, President, Institute for Work and Health, Professor, Public Health Sciences, University of Toronto: “Developing An Action Plan: Borrowing the Best from Each Province” (20 minutes)
1535 - Question Period (10 minutes)
1545 - Coffee/Juice Break (15 minutes)
1600 - Roundtable Discussion #1 “Developing Working Definitions: Defining Our Terms” (60 minutes)
- anonymization (de-identifying, pseudonymizing)
- linkage
- residual disclosure (identifying, de-identifying, linkage, small cell rules)
- population health research
- “in the public good”
1700 - Adjournment Day 1
Tuesday, October 28
Day II Roundtable Discussions
0900 Welcome Day 2 and Housekeeping
0915 – 1045 - Roundtable #2: Privacy: Who Gets It? Care and Maintenance in HSPR
- The ambiguity of legislation is inviting folks to look for coherence. Best practice standards/guidelines should be developed for consistency in HSPR evaluation. What should these standards be and where should they come from – researchers, government organizations, granting agencies?
- REBs and Researchers: the interface. Should privacy safeguards be incorporated into the existing REB review process? Should research be subject to review by an arm of the provincial Privacy Commissioners, alternate arm's-length organizations, or part of the granting agency process?
- Resourcing Due Diligence. Doing due diligence on privacy, confidentiality, data security, record keeping, audit functions, training of staff and quality control for security. These activities need constant vigilance for ensuring due diligence. Are there standard processes in place at organizations across the country? Where do the resources come from?
1045-1100 - Coffee Break
1100 – 1230 - Roundtable #3: Accountability
- How do we communicate effectively with the public about what we’re doing in HSPR?
- Who owns the database developed in conducting longitudinal research, linkage studies and registries?
- Chart review in HSPR vs. chart review in QA: what’s the difference? What’s the downstream accountability?
- Registries and consent in HSPR. Is there need for consent in registries when the data use planned is HSPR?
1230 – 1330 - Lunch
1330 - 1500 - Roundtable #4: The Fuzzy Box— Data Stewardship and Management
- Stewardship offices have to be able to serve both privacy and research interests simultaneously but impartially. Research needs champions. This should be a designated person who can solve problems and arbitrate in the privacy process. Who would that be?
- How would the process work? When there are problems and inquiries about stewardship, there needs to be proof of due diligence and oversight mechanisms that will stand up to scrutiny. There should be standardized processes for ensuring accountability among HSPR researchers. Consistent rules and mechanisms would ensure this. Where do these processes come from and who should develop them?
1545 - Next steps and formation of writing group
1600 - Adjournment
Agenda - Phase II
Sunday, February 22 1500 – 1800
Day 1: Tea and Keynote Speakers
1500 - 1530 - Registration: Salon 4-5 Foyer
1530 - Welcoming Remarks (Andreas Laupacis)
1545 - Housekeeping Issues (Paulette Collins)
1600 - Plenary Session I
Introduction of Dr. Fiona Stanley (Noralou Roos)
1700 - Plenary Session II
Introduction of Dr. Eric Meslin (Pam Slaughter)
1800 - Dinner: Trinity Room 1&2
Monday, February 23 0830 – 1600
Day II: Putting It All Together
0800 - Continental Breakfast - Salon 4-5 Foyer
0830 - Welcome and Housekeeping (Paulette Collins and Pam Slaughter)
0845 - 1015 - Discussion: Our International Experts. What Does Their Experience Mean for Us? (Karen Weisbaum - facilitator)
1015 - Coffee Break
1030- 1100 - CIHR Best Practices Document Presentation (Sheila Chapman and Patricia Kosseim)
1100 – 1130 - Discussion of CIHR Best Practices Document (Karen Weisbaum - facilitator)
1130 – 1200 - Discussions from the Workshop Roundtables Report (Karen Weisbaum - facilitator)
Roundtable 1. Discussion of Definitions (30 Minutes)
1200 – 1300 - Lunch: Salon 4-5 Foyer
1300 - Discussions from the Workshop Roundtables Report (cont’d) (Karen Weisbaum - facilitator)
1300 – 1345 - Roundtable II: Discussion of Accountability
1345 – 1430 - Roundtable III: Discussion of Privacy: Who Gets It?
1430 – 1445 - Refreshment Break: Salon 4-5 Foyer
1445 – 1530 - Roundtable IV: Discussion of The Fuzzy Box: Data Stewardship & Management
1530 – 1600 - Discussion of Integration and Next Steps (Karen Weisbaum - facilitator)
Appendix 4: Shared CD Table of Contents
- Cancer Care
- Application Procedure
- Privacy Policy
- Centre for Health Services and Policy Research
- CHSPR Privacy Statement
- Data Access Form
- Information Sharing Agreement template
- Access Policy for Research Uses of Linked Health Data
- Canadian Institute for Health Information
- CIHI Privacy Toolkit
- Dalhousie University
- Confidentiality Contract
- Data Access Request Guidelines and Procedures
- Health Canada
- Data and Privacy Terms
- GOL Security Initiative
- GOL Security Initiative (French)
- Privacy Impact Assessment Policy
- Statistical Disclosure Control
- End User Agreement
- Privacy Impact Assessment Policy (French)
- US Disclosure Limitation Methodology
- Institute for Clinical Evaluative Sciences
- Privacy and Data Security Handbook
- Privacy Impact Assessment Form
- Abbreviated Privacy Impact Assessment Form
- Institute for Work and Health
- 2002 WSIB Master Agreement.doc
- 2002 WSIB Research Agreement.doc
- 2002 WSIB Research Agreement_AppA.doc
- Electronic Policy for IWH.doc
- Framework for Ethical Conduct.wpd
- research_agreement_template.wpd
- Manitoba Centre for Health Policy
- Confidential Information Agreement
- Data sharing Agreement
- Privacy Toolkit Contents
- Protocol for Conducting Administrative Research
- National Aboriginal Health Organization
- FNC OCAP Information Sheet
- NAHO - Ethics Toolkit
- NAHO - Surveillance Toolkit
- OCAP Paper
- Privacy Toolkit
- RHS - Code of Ethics
- Newfoundland and Labrador Centre for Health Information
- Privacy Policies and Procedures
- Privacy, Confidentiality and Access Standards
- Statistics Canada
- Statistics Act
- Privacy Act
- Record Linkage
- Policy on informing survey respondents.doc
- Data Stewardship at Statistics Canada.doc
- EDP Security Policy.doc
- Employee Privacy Code.doc
- Policy on micro data release.doc
- Policy on record linkage.doc
- The Companion Guide to the Statistics Act.doc