Skip to main content
Close

Sharing Data

Below is a list of commonly asked questions about sharing data. If you would like to submit an additional question, please contact the Research Privacy Advisor.

Please note that the responses are for guidance only and do not constitute legal advice. Please contact the Research Privacy Advisor if you have specific legal questions and the appropriate consultation will be arranged.


Approvals and Agreements

We are working on ways to streamline the privacy review and information sharing processes for studies that involve multiple health authorities and institutions beyond PHSA. The group leading this effort is called the Privacy and Research Advisory Group (PRAG). For more information on how PRAG can help you in your research please visit our New Initiatives to Facilitate Research page.

 

An Information Sharing Plan (ISP) is needed wherever there is an information sharing situation for secondary purposes (i.e. other than provision of direct health care) so it would cover research uses. An ISP details the specifics relating to the particular information sharing situation e.g. what the data is, how it is being shared, etc. An ISP is accompanied by an Information Sharing Agreement which covers high level legal and governance matters such as security, access and audit rights, disposal, custody and control, dispute resolution etc. 


To avoid the need to enter into an ISA every time information is shared certain parties have agreed to the General Health Information Sharing Agreement (GHISA). The GHISA sets out a standard set of provisions that apply to any sharing situation. Therefore, if there is sharing of data between any two GHISA parties, all that is required is an ISP to detail the specifics of the information being shared; the GHISA provisions automatically apply to the sharing situation. Where a non-GHISA party is involved, either the non-GHISA party can be on-boarded to the GHISA or the party can enter into an ISA. 


Remember that the parties who you are sharing with are bound by the sharing agreement(s).  There are restrictions around how data can be used after it is shared. The information sharing agreement you develop should specify that these data may not be used except for the stated purpose outlined in the agreement and there should be no attempts made to link the data, etc.  The Research Privacy Advisor can help you develop these agreements and make sure that legal counsel is consulted when appropriate. It is important to keep in mind that the steps you take must be reasonable given the circumstances. You can never eliminate all possible risks under all circumstances when data sharing.

 

Referencing the PHSA Signing Authority Policy, item 15 of the Contracting Authority Matrix states that research contracts are to be entered into by the relevant functional officer as set out in the Spending Authority Matrix (see Attachment 2 to the policy on page 13).


The Spending Authority Matrix sets out the spending levels along with the appropriate signing person. Generally speaking, research agreements (unless they are grant agreements) don’t involve money, with most being data exchange/sharing arrangements. In those instances, a person no lower than a Director (e.g., Program Director/Medical Director) should sign off on the agreement. That way, we can be sure that entering into the agreement is authorised by someone who has overall responsibility for the relevant program/area.‎

 

‎If the researcher has REB approval, and the director or relevant authority who governs your database has approved this study, and the information that you provide is de-identified and stays within PHSA, then no other documentation or approvals are necessary.


Sharing with other organizations

‎Yes, but there are a number of issues you should consider before you engage this private company. 


First, you should identify who from the company will have access to the data. That way, they can be listed as an authorised user.  If you simply list the entity itself, it then becomes a question of who is authorised to sign on behalf of the entity and who within the organization has access to the data. From a control perspective, it is better to list the individuals involved. 

Second, even if the company is a private entity, your group is considered a public body since it is within PHSA. So this private company will have to comply with FIPPA and any other legislation that applies to your group within PHSA. This is something that should be made clear in your data management plan and sharing agreement. In addition, the private company should be aware of this before they receive any data. 

The third issue concerns the de-identification of the data. It is acceptable to transfer de-identified personal information outside of Canada. However, under FIPPA, personal information that has NOT been de-identified cannot be transferred outside Canada without the relevant patient or participant’s consent.

‎Yes. If the private company is in the US and data may be going to the US, the same process needs to be followed as set out in the previous FAQ about Canadian firms. Similar to a Canadian private company, this US based private company is required to comply with FIPPA and any other legislation that applies to your group within PHSA. In other words, the governing privacy law in BC applies. 


The next issue concerns the de-identification of the data. It is acceptable to transfer de-identified personal information outside of Canada. However, under FIPPA, personal information that has NOT been de-identified cannot be transferred outside Canada without the relevant patient or participant’s consent.

‎Yes. It is acceptable to transfer de-identified personal information outside of Canada. However, under FIPPA, personal information that has NOT been de-identified cannot be transferred outside Canada without the relevant patient or participant’s consent.

‎We understand that there is always the chance that data can become re-identified. So the issue here is really about the de-identification process used.  As long as you are not sharing identifiable information and have taken all reasonable steps to ensure that the de-identified information cannot become easily identifiable, then you have fulfilled your duty and done what is reasonable. You should note that what is reasonable will depend on the particular situation so different levels of protection may need to be implemented for different situations. Please draw on your Data Steward and the PHSA Research Privacy Advisor for support and guidance when designing your de-identification process to help ensure that it is adequate.


If you share data, you are responsible for making sure that the de-identification process is sound. The process should be at a standard that is reasonable in the circumstance. This is subjective, but necessarily so as there may be a higher reasonable standard for some situations as opposed to others.

Resources

‎To satisfy a pent-up demand for a secure, enterprise solution for sharing protected personal information with recipients that are external to PHSA, IMITS has developed a Secure File Transfer service, which allows anyone with a PHSA, VCH or PHC email account to share documents and other files. This service mimics Dropbox or other cloud-based file sharing services, except shared files remain in Canada and they are fully encrypted during transmission. It also contains proper authentication controls along with the ability to audit application access—a protection that is not available using non-approved cloud-based services.


Everyone with a health authority email address has already been provisioned access (use your email address and password to log in). The IMITS InfoCentre contains more detailed information about the Secure File Transfer service. You must be on the network to access this site.
Before sharing protected personal information with external recipients, you must get permission. 

Acceptable external recipients of shared files include:
Ministry of Health
BC health authorities and other Canadian health organizations
Universities and other research organizations
External contractors or vendors
Private physician offices
If sharing protected health or employee information, you must have approval.  If unsure, inquire at privacy@phsa.ca (or, for REB-approved research studies at PHSA, the Research Privacy Advisor), privacy@vch.ca, or privacy@providencehealth.bc.ca.  The email you choose depends on the owner of the data.

All files containing private/confidential information must be sent with appropriate security measures using passwords or encryption based on the sensitivity of the information.   Passwords should be provided in a different manner (e.g. by phone, text). Please also ensure that recipients secure the information appropriately.

‎A Data Management Plan (DMP) is a document you create that sets out how you will organize, store and share your research data at each stage in your project.  A DMP is a living document that can be modified to accommodate changes in the course of your research.  A DMP is a high level plan: no private data is exposed. For step-by-step guidance in creating a Data Management Plan, we recommend the following online tools:

  • DMP Assistant (Portage initiative) to create data management plans for Canadian funders.
  • DMP Tool to create data management plans for US funders, such as NIH or NSF.

SOURCE: Sharing Data ( )
Page printed: . Unofficial document if printed. Please refer to SOURCE for latest information.

Copyright © Provincial Health Services Authority. All Rights Reserved.

    Copyright © 2017 Provincial Health Services Authority