Use the new PHSA Intra-Program Data Sharing Form. This form provides information for data transmission, privacy and security, and use when sharing data between PHSA programs. All parties must agree to the conditions in this one page document and keep a copy of the form for each of their files. Contact Research Privacy for more information.
To avoid the need to enter into an Information Sharing Agreement (ISA) every time information is shared, certain parties have agreed to the General Health Information Sharing Agreement (GHISA). The GHISA sets out a standard set of provisions that apply to any sharing situation. Therefore, if there is sharing of data between any two GHISA parties, all that is required is a brief Information sharing plan (ISP) to detail the specifics of the information being shared; the GHISA provisions automatically apply to the sharing situation. Where a non-GHISA party is involved, either the non-GHISA party can be on-boarded to the GHISA or the party can enter into an ISA.
If the researcher has REB approval, and the director or relevant authority who governs your database has approved this study, and the information that you provide is de-identified and stays within PHSA, then no other documentation or approvals are necessary.
There are a number of issues you should consider before you engage this private company.
First, you should identify who from the company will have access to the data. That way, they can be listed as an authorised user. If you simply list the entity itself, it then becomes a question of who is authorised to sign on behalf of the entity and who within the organization has access to the data. From a control perspective, it is better to list the individuals involved.
Second, even if the company is a private entity, your group is considered a public body since it is within PHSA. So this private company will have to comply with FIPPA and any other legislation that applies to your group within PHSA. Similar to a Canadian private company, a US based private company is also required to comply with FIPPA and any other legislation that applies to your group within PHSA. In other words, the governing privacy law in BC applies. This is something that should be made clear in your data management plan and sharing agreement. In addition, the private company should be aware of this before they receive any data.
The third issue concerns the de-identification of the data. It is acceptable to transfer de-identified personal information inside or outside of Canada.