Research Privacy

VCHRI's Privacy Advisor provides practical guidance on privacy, security and data management best practices, while supporting researchers in navigating legislative and institutional processes/requirements that may affect access to data.

In an effort to reduce the risk of COVID-19 in our workplace, working remotely is being supported where possible. Please review the privacy and confidentiality guidance for researchers working from home when contemplating a remote working situation for your research team.

Secondary use data from VCH

The VCHRI Privacy Advisor reports to both VCHRI and VCH’s Data Release and Access Management Office (DRAMO). The DRAMO’s mandate is to facilitate data access for operations and research across VCH, and to make data extracts available specifically for research projects. If you need data from VCH Decision Support or data from multiple departments across VCH, the DRAMO is a great resource.

Refer to Overview of Data Available for Research Projects in the VCH’s Data Warehouse.

Data linking across parties

Are you undertaking a project that requires data to be linked across multiple organizations (e.g., VCH, BC Ambulance, BC Renal Agency or the Ministry of Health data sources)?  Are you considering linking health data to data from non-health organizations, such as law enforcement or insurance data?

These types of projects may take longer than expected due to the need for legal agreements and coordination by each party. 

Third-party applications

Are you seeking to install third-party software or applications on the VCH Network or MedIT Network? Are you anticipating collecting VCH data in a third-party application? This may require a privacy and security review.

Patient recruitment for research

Patient information maintained by VCH is subject to the Freedom of Information and Protection of Privacy Act (FIPPA). This statute restricts public bodies, such as VCH, from disclosing personal information of their clients to researchers for recruitment purposes.

Provincial research projects

Are you undertaking a project that is recruiting at multiple health authorities or involving multiple partners across the health sector? 

VCH is part of a provincial Privacy and Research Group (known as PRAG). The mandate of PRAG is to provide a forum for health authority Privacy and Research leads to coordinate on common provincial research projects, or projects that may become provincial in scope, to better support these projects and ensure they meet our common requirements under the Freedom of Information and Protection of Privacy Act (FIPPA).

Data management plans

A Data Management Plan (DMP) is a tool to document digital asset management practices. DMPs are expected to soon be a Tri-Agency requirement. The DMP outlines data governance, data documentation and metadata standards, data storage and preservation, and how data will be managed over time. The DMP may serve to document the data linking strategies between parties. A DMP includes most of the requirements of a Privacy Impact Assessment (PIA) and may replace a PIA in most situations, where agreed by all parties.

Information sharing plans

An Information Sharing Plan (ISP) documents the process for sharing and linking data for secondary use purposes (quality improvement/evaluation and/or research) between two or more health organizations that are party to the General Health Information Sharing Agreement (GHISA). At present, the GHISA is a framework between the Ministry of Health and the regional health authorities in British Columbia for sharing health information. 

The ISP is needed for research projects in scenarios where two or more GHISA parties are directly sharing data to facilitate the project and one party is taking on a data governance role (linking and de-identifying data and releasing it on behalf of the other parties).  The ISP is not needed if all health organization data is transmitted and shared through Population Data BC (aka PopData). 

Privacy impact assessments

A Privacy Impact Assessment (PIA) is an assessment that an organization conducts to determine whether a current or proposed system, project, program or activity meets the requirements set out by relevant legislation and best practices. These requirements include ensuring that the collection, use and disclosure of personal information are authorized by legislation and that the information is protected by reasonable security arrangements.

PIAs are not a requirement for Vancouver Coastal Health Research Institute approved research projects. The VCHRI Operational Research Approval process, the Research Ethics Board approval process and the coming Tri-Agency Data Management Plan requirements seek to identify the key privacy and security risks and include the basic requirements of the PIA.  

Exceptions may include:

  • Projects where one organization is taking a data governance role on behalf of other parties and the other parties are seeking assurances that their data remains protected. Examples might include the development of new provincial or pan-Canadian Research Registries, or cross-organizational projects involving significant data linkage;
  • PIAs may also be done to support highly visible projects and to support funding requirements.

System access

Do you need direct access to PARIS, IntraHealth Profile EMR, InSite, Sunset or CareConnect for research purposes? 

Many older health systems at VCH were not designed to facilitate research access.  Even if you already have access to these systems for provision of care purposes, you may require additional approvals to access these systems for research purposes.  

Other privacy resources

VCH, PHC, PHSA, and UBC have been working to align security policies.  While this work is still ongoing, you should know that the basic security standards and requirements are similar. 

Guidelines and references


Anna Low, Privacy Advisor