Overview
Canada has a complex, multi-layered approach to health data privacy and de-identification that combines federal legislation, provincial laws, and sector-specific guidelines. This creates a comprehensive but sometimes fragmented framework for protecting health information while allowing for its use in research and analysis.
Unlike countries with a single national health data privacy law, Canada's framework reflects its constitutional division of powers, with healthcare primarily falling under provincial jurisdiction while the federal government maintains certain regulatory roles in privacy and data protection.
The Office of the Privacy Commissioner of Canada (OPC) provides oversight at the federal level, while provincial privacy commissioners or specialized health information privacy offices oversee provincial frameworks.
Key Regulatory Bodies in Canada
- Office of the Privacy Commissioner of Canada (OPC) - Federal oversight for PIPEDA and the Privacy Act
- Canadian Institute for Health Information (CIHI) - National, independent organization that provides health information standards and collects healthcare data
- Provincial Information and Privacy Commissioners - Each province has its own commissioner or equivalent office
- Health Canada - Federal department responsible for national health policy
- Statistics Canada - National statistical office that collects and analyzes health data
- Pan-Canadian Health Data Strategy Expert Advisory Group - Established in 2021 to advise on modernizing health data collection and use
"The health information custodian shall de-identify the personal health information before disclosing it... Information is de-identified if it does not identify an individual, and it is not reasonably foreseeable in the circumstances that the information could be utilized, either alone or with other information, to identify an individual."
- Personal Health Information Protection Act (Ontario)
Legal Framework
Canada's health data privacy framework operates at multiple levels:
Federal Level
- Personal Information Protection and Electronic Documents Act (PIPEDA): Applies to commercial activities involving personal information across Canada, with exceptions for provinces with substantially similar legislation. PIPEDA was amended by the Digital Privacy Act in 2015, which introduced data breach notification requirements.
- Privacy Act: Governs how federal institutions handle personal information, including health information collected by federal agencies.
- Canada Health Act: Sets criteria and conditions for health insurance plans that provinces and territories must fulfill to receive federal funding.
- Statistics Act: Governs collection and use of health data for statistical purposes by Statistics Canada, with specific confidentiality provisions.
- Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (TCPS 2): Provides ethical guidelines for research involving human participants, including the use of health data.
Example: PIPEDA's 10 Fair Information Principles
PIPEDA is built around 10 fair information principles that apply to health data:
- Accountability: Organizations are responsible for personal information under their control
- Identifying Purposes: Purposes for collection must be identified at or before collection
- Consent: Knowledge and consent are required for collection, use, or disclosure
- Limiting Collection: Collection must be limited to what's necessary for identified purposes
- Limiting Use, Disclosure, and Retention: Information should not be used for purposes other than those for which it was collected
- Accuracy: Personal information must be accurate, complete, and up-to-date
- Safeguards: Personal information must be protected by appropriate security safeguards
- Openness: Organizations must make policies and practices relating to personal information readily available
- Individual Access: Individuals have the right to access their personal information
- Challenging Compliance: Individuals can challenge an organization's compliance with these principles
These principles inform how health data must be de-identified and managed in commercial contexts across Canada.
"De-identification is not a single technique, but a collection of approaches, tools, and methods that can be applied to data to ensure that the risk of re-identification is very low... Whether information is de-identified or not depends on context."
- Office of the Privacy Commissioner of Canada
Provincial Level
Each province and territory has its own health information privacy legislation, including:
- Ontario: Personal Health Information Protection Act (PHIPA) - Enacted in 2004, updated in 2020 with amendments that strengthened penalties and introduced new requirements for electronic health records
- Alberta: Health Information Act (HIA) - Includes specific provisions for health information repositories and data matching
- British Columbia: E-Health Act and Personal Information Protection Act - The E-Health Act specifically regulates health information banks and disclosure directives
- Quebec: Act Respecting the Protection of Personal Information in the Private Sector and Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information - Significantly updated in 2021 by Bill 64 with new privacy requirements
- Nova Scotia: Personal Health Information Act - Includes specific provisions for electronic health records
- New Brunswick: Personal Health Information Privacy and Access Act - Addresses both privacy protection and the right of access to personal health information
- Newfoundland and Labrador: Personal Health Information Act - Includes provisions for a provincial electronic health record
- Manitoba: Personal Health Information Act - One of the first provincial health privacy laws in Canada
- Saskatchewan: Health Information Protection Act - Addresses both privacy and access rights
- Prince Edward Island: Health Information Act - The most recently enacted provincial health privacy law
- Territories: Various health information privacy legislation including the Health Information Privacy and Management Act in Yukon
Case Study: Quebec's Bill 64
In September 2021, Quebec passed Bill 64 (An Act to modernize legislative provisions as regards the protection of personal information), which introduced significant changes to Quebec's privacy regime, including:
- Explicit definitions for de-identified and anonymized information
- Requirements for privacy impact assessments before using de-identified information
- Mandatory breach notification requirements
- Significant administrative penalties (up to $25 million or 4% of worldwide turnover)
- New consent requirements for secondary use of personal information
- Requirements to implement privacy by design principles
- New data portability rights
These changes, which came into effect in phases between 2022 and 2024, represent the most significant update to provincial privacy law in Canada and bring Quebec's framework closer to the GDPR model.
Jurisdictional Complexity
The multi-jurisdictional nature of Canada's privacy framework creates significant complexity for organizations handling health data across provinces. For example:
- A national telehealth provider must comply with PIPEDA and up to 13 different provincial/territorial health privacy laws
- De-identification standards may vary between provinces, requiring different approaches in different jurisdictions
- Data sharing between provinces may trigger multiple compliance obligations
- Organizations must track ongoing legislative changes across multiple jurisdictions
This complexity has led to calls for greater harmonization of health data privacy standards across Canada.
De-identification Concepts and Approaches
Canadian frameworks generally distinguish between different levels of de-identification:
| Concept | Description | Legal Status |
|---|---|---|
| De-identification | The general process of removing identifying information, which may result in either anonymized or coded information depending on the extent of removal | Umbrella term that encompasses various techniques and levels of data transformation |
| Anonymization | Information that cannot be used to identify an individual, either directly or indirectly | Generally falls outside the scope of privacy legislation |
| Coded Information | Information where direct identifiers are removed and replaced with a code, but the code could be used to re-identify (similar to pseudonymization) | Still considered personal information under most Canadian privacy laws |
| Aggregate Information | Statistical information that has been compiled from individual records but does not contain individual-level data | Generally not considered personal information if aggregation is sufficient to prevent re-identification |
| Direct Identifiers | Information that directly identifies an individual (e.g., name, health card number) | Must be removed or transformed in any de-identification process |
| Indirect Identifiers | Information that could identify an individual when combined with other information (e.g., date of birth, postal code) | Must be assessed for re-identification risk and appropriately modified |
Example: De-identification in PHIPA (Ontario)
Under Ontario's Personal Health Information Protection Act, information is considered "de-identified" if:
- All direct identifiers have been removed
- It is not reasonably foreseeable in the circumstances that the information could be utilized, either alone or with other information, to identify the individual
For example, a hospital dataset might be considered de-identified if:
- Original data: "Sarah Johnson, health card number 1234-567-890, DOB: 05/12/1978, admitted to Toronto General Hospital on 06/15/2023 with diagnosis code J45.901 (Asthma)"
- De-identified data: "Patient ID: 45678, Age range: 40-45, Hospital region: Greater Toronto Area, Admission: Q2 2023, Diagnosis category: Respiratory"
This would generally meet PHIPA's de-identification standard, though the hospital would need to assess whether the combination of attributes could still allow for re-identification in their specific context.
Case Study: Re-identification Risks in Canadian Health Data
In 2011, researchers from the University of Ottawa demonstrated that supposedly de-identified prescription records could be re-identified by linking them with publicly available information:
- They analyzed a dataset of prescription records that had been stripped of direct identifiers
- By using publicly available information about local politicians (date of birth, postal code), they were able to uniquely identify individuals in the dataset
- This research highlighted the risks of relying solely on removing direct identifiers
- It led to improved de-identification practices that consider the mosaic effect (combining multiple data sources)
This case influenced the development of more sophisticated risk-based approaches to de-identification in Canadian health privacy frameworks.
Canadian Institute for Health Information (CIHI) Standards
The CIHI has developed comprehensive standards for de-identifying health data, which are widely used across Canada. The CIHI approach includes:
1. CIHI's De-identification Guidelines
CIHI's guidelines define three levels of de-identification:
- Level 1: Removal of direct identifiers (names, addresses, health card numbers, etc.)
- Level 2: Removal or modification of indirect identifiers (dates, geographic information, rare characteristics)
- Level 3: Application of statistical techniques to address residual disclosure risks
Example: CIHI's Three-Level Approach
Consider a patient record in a Canadian hospital database:
- Original data: "Robert Thompson, HCN: 123-456-789, DOB: 11/03/1962, 742 Evergreen Terrace, Winnipeg, Manitoba, R3T 2N2, admitted on 07/12/2024 for hip replacement, physician: Dr. Williams"
- Level 1 de-identification: "Patient #89725, male, DOB: 11/03/1962, Winnipeg, Manitoba, R3T 2N2, admitted on 07/12/2024 for hip replacement"
- Level 2 de-identification: "Patient #89725, male, year of birth: 1962, Winnipeg, postal code area: R3T, admitted in July 2024 for hip replacement"
- Level 3 de-identification: "Patient #89725, male, age range: 60-65, Manitoba urban area, admitted in Q3 2024 for orthopedic procedure"
Each level progressively reduces the identifiability of the data while preserving analytical utility for different use cases.
2. CIHI's Privacy Impact Assessment Framework
CIHI has developed a comprehensive Privacy Impact Assessment (PIA) Framework that includes specific assessment criteria for de-identification methods and residual re-identification risk.
CIHI recommends conducting a re-identification risk assessment that considers:
- Uniqueness of records in the dataset
- Availability of external datasets that could be linked
- Motivation for re-identification attempts
- Technical, physical, and administrative safeguards
- Data release context (public, limited release, secure environment)
- Sensitivity of the health information
- Potential for harm if re-identification occurs
3. CIHI's Information Life Cycle
CIHI applies privacy and security considerations throughout the information life cycle:
- Collection: Ensuring appropriate authority and limiting collection
- Use: Limiting use to authorized purposes
- Disclosure: Applying appropriate de-identification before disclosure
- Retention: Maintaining information only as long as necessary
- Disposal: Secure destruction when no longer needed
Case Study: CIHI's Discharge Abstract Database (DAD)
CIHI's Discharge Abstract Database contains clinical, demographic and administrative data on hospital discharges across Canada. CIHI applies multi-level de-identification to this database:
- Patient identifiers are replaced with encrypted identifiers
- Dates are modified to maintain relative time intervals while obscuring exact dates
- Geographic information is generalized to health regions rather than specific locations
- Rare diagnoses and procedures are grouped into broader categories
- Different levels of access are provided based on user needs and authorization
- Public reports use only aggregate statistics with small cell suppression
- Researchers can access more detailed data through a controlled process
This approach has enabled valuable health system research while protecting patient privacy.
Provincial Approaches
Each province has specific approaches to de-identification:
Ontario (PHIPA)
Under PHIPA, information is considered de-identified if:
- It does not identify an individual
- It is not reasonably foreseeable that the information could be utilized to identify an individual
The Information and Privacy Commissioner of Ontario (IPC) provides specific guidelines for de-identification and has endorsed a risk-based approach.
Example: Ontario IPC's De-identification Guidelines
The IPC recommends a modified version of the "Five Safes" framework:
- Safe data: Applying statistical methods to protect confidentiality
- Safe projects: Ensuring the data use is appropriate and ethical
- Safe people: Ensuring users are trained and trustworthy
- Safe settings: Implementing technical and physical controls
- Safe outputs: Ensuring research results don't disclose sensitive information
In practice, this means Ontario healthcare organizations must consider both the de-identification techniques and the broader context of data use.
The IPC also provides specific guidance on:
- Risk-based de-identification for structured data
- De-identification of free-text clinical notes
- Re-identification risk thresholds (generally recommending less than 5% risk)
- Data sharing agreements for de-identified information
Alberta (HIA)
The HIA defines "non-identifying" health information and provides guidelines for anonymization, focusing on both direct and indirect identifiers.
Alberta's approach emphasizes:
- Stricter controls for individually identifying health information
- Different requirements for custodians (healthcare providers) versus non-custodians
- Specific data matching provisions for combining datasets
- Mandatory Privacy Impact Assessments for new information systems
- Specific provisions for health information repositories
- Rules for disclosure of non-identifying health information for research
Example: Alberta's Data Matching Requirements
Under Alberta's HIA, data matching (combining information from different sources) requires:
- A Privacy Impact Assessment submitted to the Privacy Commissioner
- Public notice of the data matching program
- Justification of why the matching is necessary
- Description of security safeguards
- Information about how the matched data will be used or disclosed
These requirements apply even when using de-identified information if there's a possibility of re-identification through the matching process.
British Columbia
The E-Health Act defines "de-identified" as data that has been modified so that the identity of the individual cannot be determined by using a single identifier or by combining identifiers.
BC's approach includes:
- Rules for data linking between health information banks
- Requirements for disclosure directives
- Special provisions for health research
- Distinction between "information sharing" and "data linking"
- Mandatory Privacy Impact Assessments for data linking initiatives
- Requirements for ministerial approval for certain data linking activities
Quebec
Quebec has recently updated its privacy legislation with the passage of Bill 64 (2021), which includes more explicit provisions about de-identification and anonymization. The new law:
- Distinguishes between "de-identified" and "anonymized" information
- Defines "de-identified information" as information that no longer allows the person to be directly identified
- Defines "anonymized information" as information that irreversibly no longer allows the person to be identified directly or indirectly
- Requires risk assessments for de-identified data
- Establishes stricter consent requirements
- Introduces potential penalties for re-identification attempts
- Requires organizations to have a governance framework for personal information
Case Study: Ontario's Electronic Health Record Initiative
Ontario's ConnectingOntario program illustrates the provincial approach to balancing data sharing with privacy protection:
- Creates a secure provincial electronic health record system
- Implements role-based access controls to limit data access
- Uses audit logs to track all access to personal health information
- Allows patients to implement consent directives to mask certain information
- Applies de-identification for secondary uses like health system planning
- Requires Privacy Impact Assessments for system changes
- Includes mandatory privacy training for all users
This approach demonstrates how technical safeguards, governance controls, and de-identification work together in provincial health information systems.
Technical Approaches
Canadian frameworks generally recommend several technical approaches to de-identification:
| Technique | Application | Example |
|---|---|---|
| Suppression | Removing variables that can directly identify individuals | Removing names, health card numbers, and medical record numbers |
| Generalization | Reducing the precision of variables | Using age ranges (30-35) instead of exact ages (32) |
| Randomization | Adding statistical noise to data | Adding random variations to lab test results while preserving clinical significance |
| Sub-sampling | Using only a portion of the original dataset | Releasing only 10% of records from a rare disease registry |
| Synthetic data generation | Creating artificial data that preserves statistical properties | Creating simulated patient records that match population statistics |
| Cell suppression | Hiding small counts in tabular data | Replacing counts less than 5 with an asterisk (*) in public health reports |
| Date shifting | Adjusting dates while preserving time intervals | Shifting all dates for a patient by a random number of days (consistent within each patient) |
| Masking | Replacing portions of identifiers | Replacing the last 3 characters of postal codes with XXX (e.g., M5S XXX) |
| Pseudonymization | Replacing identifiers with codes | Replacing patient names with randomly generated identifiers that allow linking records |
| Top/bottom coding | Grouping extreme values | Reporting ages as "90+" for anyone over 90 years old |
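The three CIHI levels from the Robert Thompson example, together with the suppression, generalization and pseudonymization techniques in the table above, carried out in code on a constructed extract. This is an added example, not CIHI's or any custodian's code; the field names, the urban-centre lookup, the procedure categories and the key are assumptions, and the records are constructed. It also adds the "uniqueness of records" check from CIHI's risk-assessment criteria, reporting the smallest group of records sharing the same quasi-identifier values after each level.

```python
"""CIHI-style three-level de-identification of a constructed hospital extract,
with a residual-risk check (smallest group size k over the quasi-identifiers)."""
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed sample records; no real patients, addresses or clinicians.
FIELDS = ("name", "hcn", "sex", "dob", "address", "city", "province", "postal",
          "admitted", "procedure", "physician")
RAW = [
    ("Robert Thompson", "123-456-789", "M", date(1962, 3, 11), "742 Evergreen Terrace",
     "Winnipeg", "Manitoba", "R3T 2N2", date(2024, 7, 12), "hip replacement", "Dr. Williams"),
    ("Alan Reyes", "234-567-890", "M", date(1961, 9, 2), "15 Pembina Hwy",
     "Winnipeg", "Manitoba", "R3T 5V6", date(2024, 8, 20), "knee replacement", "Dr. Chen"),
    ("Karl Nyberg", "345-678-901", "M", date(1960, 1, 15), "9 Rosser Ave",
     "Brandon", "Manitoba", "R7A 1A1", date(2024, 9, 3), "hip replacement", "Dr. Patel"),
    ("Maya Singh", "456-789-012", "F", date(1985, 5, 30), "300 Regent Ave",
     "Winnipeg", "Manitoba", "R2C 3K1", date(2024, 7, 25), "appendectomy", "Dr. Osei"),
    ("Lena Kowalski", "567-890-123", "F", date(1987, 11, 2), "88 Corydon Ave",
     "Winnipeg", "Manitoba", "R3M 0A1", date(2024, 9, 14), "appendectomy", "Dr. Osei"),
    ("Tom Friesen", "678-901-234", "M", date(1959, 10, 20), "12 Main St",
     "Steinbach", "Manitoba", "R5G 1B2", date(2024, 7, 30), "knee replacement", "Dr. Patel"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in RAW]

DIRECT_IDENTIFIERS = ("name", "hcn", "address", "physician")
URBAN_CENTRES = {"Winnipeg"}                       # assumed lookup for "urban area"
PROCEDURE_CATEGORY = {"hip replacement": "orthopedic procedure",   # assumed grouping
                      "knee replacement": "orthopedic procedure",
                      "appendectomy": "general surgery"}
CUSTODIAN_KEY = b"example-key-held-only-by-the-custodian"  # assumption; never shipped with data


def study_id(hcn):
    """Keyed pseudonym for the health card number. Only the key holder can re-link,
    so the output is 'coded information' and still personal information in law."""
    return "Patient #" + hmac.new(CUSTODIAN_KEY, hcn.encode(), hashlib.sha256).hexdigest()[:8]


def age_on(dob, ref):
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def age_band(age, width=5):
    lower = age - age % width
    return f"{lower}-{lower + width}"          # "60-65", the style used in the text


def quarter(d):
    return f"Q{(d.month - 1) // 3 + 1} {d.year}"


def level1(rec):
    """Level 1: drop direct identifiers, replace the HCN with a pseudonym."""
    out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
    out["id"] = study_id(rec["hcn"])
    return out


def level2(rec):
    """Level 2: generalize indirect identifiers (year of birth, FSA, month)."""
    r = level1(rec)
    return {"id": r["id"], "sex": r["sex"], "yob": r["dob"].year, "city": r["city"],
            "fsa": r["postal"].replace(" ", "")[:3].upper(),
            "admitted": r["admitted"].strftime("%Y-%m"), "procedure": r["procedure"]}


def level3(rec):
    """Level 3: coarser bands so that records stop being unique."""
    r = level1(rec)
    area = "urban" if r["city"] in URBAN_CENTRES else "rural"
    return {"id": r["id"], "sex": r["sex"],
            "age_band": age_band(age_on(r["dob"], r["admitted"])),
            "area": f"{r['province']} {area} area", "admitted": quarter(r["admitted"]),
            "procedure": PROCEDURE_CATEGORY.get(r["procedure"], "other procedure")}


LEVELS = {1: level1, 2: level2, 3: level3}
# Quasi-identifiers an outsider could plausibly learn from other sources, per level.
QUASI = {1: ("sex", "dob", "postal", "admitted"),
         2: ("sex", "yob", "fsa", "admitted"),
         3: ("sex", "age_band", "area", "admitted", "procedure")}


def deidentify(records, level):
    return [LEVELS[level](r) for r in records]


def min_group_size(records, quasi):
    """k: size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means some record is unique and linkable to an external dataset."""
    return min(Counter(tuple(r[q] for q in quasi) for r in records).values())


def residual_risk_report(records):
    """Smallest k after each level; a custodian would compare it to its threshold."""
    return {lvl: min_group_size(deidentify(records, lvl), QUASI[lvl]) for lvl in LEVELS}


if __name__ == "__main__":
    print(residual_risk_report(RECORDS))   # {1: 1, 2: 1, 3: 2}
    print(level3(RECORDS[0]))
```

On this small extract every record is still unique after Level 2 (k = 1), and only the Level 3 bands produce groups of at least two; a real release would compare k against the custodian's own threshold.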
Example: Statistics Canada Approach to Health Data
Statistics Canada applies specific disclosure control methods to health survey data:
- Record swapping: Exchanging records between similar respondents to mask unique combinations of attributes
- Top and bottom coding: Grouping extreme values (e.g., age 90+ instead of exact ages)
- Controlled rounding: Rounding small counts in tables while maintaining totals
- Geographic aggregation: Using health regions rather than postal codes
- Removal of outliers: Excluding unusual cases from public use microdata files
- Sampling fraction reduction: Releasing only a sample of the collected data
- Global recoding: Reducing detail in variables (e.g., collapsing occupation codes)
- Local suppression: Suppressing specific values that create unique combinations
These techniques allow Statistics Canada to release valuable health data while protecting privacy.
Case Study: Health Data Research Network Canada
The Health Data Research Network Canada (HDRN) has developed standardized approaches to working with sensitive health data:
- Implemented the HDRN Distributed Analytics approach that allows analysis without centralizing sensitive data
- Developed common data quality assessment frameworks
- Created standardized processes for researcher access to health data
- Established the Data Access Support Hub (DASH) to coordinate multi-jurisdictional research
- Applied consistent privacy and security standards across provincial data centers
- Implemented output checking protocols to ensure no identifiable information is released
This network has enabled national health research while respecting provincial privacy frameworks and maintaining appropriate de-identification standards.
Risk-Based Approach
Canadian frameworks generally emphasize a risk-based approach to de-identification that considers:
- The sensitivity of the information
- The intended purpose and recipients of the information
- The potential for combining the information with other available data
- The environment in which the data will be used
- Governance controls that will be in place
- The motivation and resources of potential attackers
- The potential harm if re-identification occurs
- The public benefit of the intended data use
This risk-based approach recognizes that:
- Perfect anonymization is increasingly difficult in the era of big data
- The same dataset may present different levels of risk in different contexts
- Technical measures must be complemented by administrative and legal safeguards
- Risk assessment should be ongoing as new data sources become available
- De-identification exists on a spectrum rather than being a binary state
- Different use cases may require different levels of de-identification
Example: Governance Controls in Canadian Research Networks
The Canadian Primary Care Sentinel Surveillance Network (CPCSSN) uses a combination of technical de-identification and governance controls:
- Patient identifiers are replaced with randomly generated IDs
- Dates are shifted by a random number of days (consistent within each patient)
- Free text notes are processed to remove names and other identifiers
- Postal codes are truncated to the first three characters
- Researchers must apply for data access with a specific research protocol
- A data access committee reviews all requests
- Data use agreements prohibit re-identification attempts
- Results are reviewed before publication to ensure no identifiable information
- Secure computing environments control how data is accessed
- Regular privacy audits are conducted
This multi-layered approach allows for valuable health research while maintaining privacy protections.
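The CPCSSN controls of shifting dates by a per-patient offset and truncating postal codes, as an added example that is not CPCSSN's code. It derives the offset from the pseudonymous patient id with a keyed HMAC so the same patient receives the same shift in every extract; the key, the shift window, the field names and the visits are assumptions.

```python
"""Per-patient date shifting with a keyed, reproducible offset, plus postal-code
truncation to the forward sortation area (FSA)."""
import hashlib
import hmac
from datetime import date, timedelta

SHIFT_KEY = b"constructed-secret-held-only-by-the-custodian"   # assumption
MAX_SHIFT_DAYS = 365                 # offsets drawn from -365..-1 and 1..365
DATE_FIELDS = ("admitted", "discharged", "follow_up")

# Constructed visits; patient ids are already pseudonymous study ids.
VISITS = [
    {"patient_id": "P-1001", "postal": "T6G 2R3", "admitted": date(2024, 2, 10),
     "discharged": date(2024, 2, 14), "follow_up": date(2024, 3, 1)},
    {"patient_id": "P-1001", "postal": "T6G 2R3", "admitted": date(2024, 6, 5),
     "discharged": date(2024, 6, 5), "follow_up": None},
    {"patient_id": "P-2002", "postal": "K1A 0B1", "admitted": date(2023, 12, 30),
     "discharged": date(2024, 1, 3), "follow_up": date(2024, 1, 20)},
]


def shift_days(patient_id):
    """Deterministic, non-zero offset per patient: same patient, same shift every run,
    so records from different extracts still line up, without a stored lookup table."""
    digest = hmac.new(SHIFT_KEY, patient_id.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest[:4], "big") % (2 * MAX_SHIFT_DAYS) + 1   # 1..730
    return n - MAX_SHIFT_DAYS - 1 if n <= MAX_SHIFT_DAYS else n - MAX_SHIFT_DAYS


def fsa(postal):
    """Keep only the first three characters (e.g. 'T6G 2R3' -> 'T6G')."""
    return postal.replace(" ", "").upper()[:3]


def deidentify_visit(visit):
    delta = timedelta(days=shift_days(visit["patient_id"]))
    out = dict(visit)
    for field in DATE_FIELDS:
        if out.get(field) is not None:
            out[field] = out[field] + delta      # every date of this patient moves together
    out["postal"] = fsa(visit["postal"])
    return out


def deidentify_visits(visits):
    return [deidentify_visit(v) for v in visits]


def intervals_preserved(original, shifted):
    """Check the property the technique promises: every gap between two dates of the
    same patient is unchanged, across visits as well as within one visit."""
    for pid in {v["patient_id"] for v in original}:
        before = [v for v in original if v["patient_id"] == pid]
        after = [v for v in shifted if v["patient_id"] == pid]
        b_dates = [v[f] for v in before for f in DATE_FIELDS if v.get(f) is not None]
        a_dates = [v[f] for v in after for f in DATE_FIELDS if v.get(f) is not None]
        if [d - b_dates[0] for d in b_dates] != [d - a_dates[0] for d in a_dates]:
            return False
    return True


if __name__ == "__main__":
    shifted = deidentify_visits(VISITS)
    for v in shifted:
        print(v)
    print("intervals preserved:", intervals_preserved(VISITS, shifted))
```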
Case Study: Population Data BC
Population Data BC provides a comprehensive example of the risk-based approach to health data access:
- Implements a secure research environment for accessing linked health data
- Uses a five-stage approval process for data access requests
- Requires ethics approval for all research projects
- Applies different levels of de-identification based on research needs and context
- Uses a separation principle where identifying information is kept separate from content data
- Employs privacy officers to review all outputs before release
- Requires researchers to complete privacy training
- Implements technical controls including virtual secure research environments
- Conducts regular privacy audits and compliance monitoring
This approach has enabled British Columbia to become a leader in population health research while maintaining strong privacy protections.
Implementation Considerations
Organizations implementing de-identification in the Canadian context should consider:
- Provincial variations: Ensuring compliance with the specific provincial legislation applicable to their jurisdiction
- Cross-border data flows: Understanding implications when data crosses provincial or international boundaries
- Indigenous data governance: Respecting principles of Indigenous data sovereignty and governance
- Documentation: Maintaining records of de-identification processes and risk assessments
- Evolving standards: Staying current with changing guidance from privacy commissioners
- Data sharing agreements: Implementing appropriate contractual controls
- Re-identification risk assessment: Conducting regular evaluations as new data sources emerge
- Training: Ensuring staff understand de-identification principles and practices
- Technological advances: Monitoring developments in re-identification techniques
- Breach response: Having protocols for responding to re-identification incidents
Example: Indigenous Data Governance Considerations
The First Nations principles of OCAP® (Ownership, Control, Access, and Possession) have important implications for health data de-identification:
- Ownership: First Nations communities own their cultural knowledge and health information
- Control: First Nations must control how their information is collected, used, and disclosed
- Access: First Nations must have access to information about themselves
- Possession: Physical control of the data should be maintained by First Nations institutions
Organizations working with Indigenous health data must consider these principles alongside technical de-identification approaches, often requiring community engagement and specific data governance agreements.
Case Study: Cross-Border Health Data Transfers
A Canadian healthcare organization partnering with a U.S.-based cloud provider for health analytics faced complex de-identification requirements:
- Needed to comply with provincial health privacy law for data collection
- Required to meet PIPEDA standards for cross-border transfers
- Had to consider potential U.S. law enforcement access under the CLOUD Act
- Implemented a multi-layered approach:
  - Strong de-identification before data left Canada
  - Contractual safeguards with the U.S. provider
  - Technical controls including encryption
  - Data residency requirements for certain sensitive elements
  - Privacy Impact Assessment reviewed by provincial commissioner
This illustrates how Canadian organizations must navigate multiple jurisdictional requirements when implementing de-identification for international data sharing.
Proposed Legislative Changes
Bill C-27 (The Digital Charter Implementation Act, 2022) proposes significant changes to Canada's privacy framework, including:
- Updated definitions of de-identified and anonymized information
- New rules for the use of de-identified information
- Explicit recognition that anonymized information falls outside the scope of privacy law
- Potential penalties for deliberately re-identifying anonymized information
- New data mobility rights that could affect health data portability
- Expanded consent requirements and exceptions
- Significant administrative penalties for non-compliance (up to 5% of global revenue)
- New requirements for automated decision systems
- Enhanced transparency requirements
These proposed changes would bring Canada's approach closer to the GDPR model, though with distinct Canadian elements.
Example: Bill C-27 Definitions
Bill C-27 proposes the following definitions:
- De-identified information: "Information that has been modified so that an individual cannot be directly identified from it, though a risk of the individual being identified remains"
- Anonymized information: "Information that has been irreversibly and permanently modified, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means"
These definitions would create clearer distinctions between different levels of de-identification and their legal status.
Pan-Canadian Health Data Strategy
In 2021, the Pan-Canadian Health Data Strategy Expert Advisory Group was established to address fragmentation in health data systems. Their recommendations include:
- Creating common data standards and interoperability requirements across provinces
- Developing harmonized approaches to de-identification and data sharing
- Establishing clear governance frameworks for health data
- Enhancing digital health literacy among healthcare providers and the public
- Building public trust through transparency and meaningful engagement
- Addressing legislative and policy barriers to appropriate health data use
- Ensuring Indigenous data sovereignty principles are respected
If implemented, these recommendations could significantly streamline health data de-identification practices across Canada while maintaining strong privacy protections.
Case Study: The Digital Health Immunization Repository
The COVID-19 pandemic highlighted both the potential and challenges of pan-Canadian health data sharing. The development of digital vaccine credentials required:
- Coordination between federal, provincial, and territorial governments
- Balancing privacy concerns with public health needs
- Creating interoperable systems that could work across jurisdictions
- Implementing appropriate de-identification for aggregate reporting
- Developing privacy-preserving verification mechanisms
- Addressing public concerns about surveillance and tracking
This experience has informed ongoing discussions about modernizing Canada's health data framework, including approaches to de-identification that can better support public health responses while protecting individual privacy.
How It Compares to Other Frameworks
Canada's approach differs from HIPAA Safe Harbor in several ways:
- More fragmented due to federal-provincial division of powers
- Generally more contextual and risk-based rather than providing a specific list of identifiers to remove
- Stronger emphasis on the purpose of data use and the data environment
- More varied definitions and standards across different provinces
- Greater focus on governance controls as complementary to technical de-identification
- Less prescriptive about specific identifiers that must be removed
- More emphasis on privacy impact assessments
- Greater focus on the role of data sharing agreements
Compared to the EU's GDPR:
- Similar principles-based approach in many provinces
- Less harmonized across the country
- Generally less prescriptive regulatory guidance
- Greater emphasis on sectoral solutions (like CIHI standards for healthcare)
- Less emphasis on pseudonymization as a distinct legal category
- Similar focus on risk-based approaches
- Less emphasis on data protection by design and default
- Generally lower administrative penalties (though Quebec's Bill 64 has introduced GDPR-level penalties)
- Less explicit recognition of data subject rights
Example: Comparative Approach to Dates
The treatment of dates illustrates the differences between frameworks:
- HIPAA Safe Harbor: Requires all elements of dates directly related to an individual, other than the year, to be removed (dates are reduced to year only)
- Canadian Approach: Varies by context and risk assessment; might allow month/year in low-risk scenarios but require broader date ranges in higher-risk contexts
- GDPR: Considers dates as personal data that may require pseudonymization or anonymization depending on context and purpose
For example, a dataset containing admission dates for patients with rare conditions might be handled as follows:
- Under HIPAA: All dates would be limited to year only (e.g., "2024")
- Under Canadian frameworks: Dates might be generalized to quarters or months based on a risk assessment of the specific dataset and its intended use
- Under GDPR: Dates might be pseudonymized with technical and organizational measures to prevent re-identification
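The quarter-versus-year decision above, as an added example that is not from the page or from any regulator's guidance: a toy risk-based date generalizer that, per condition, picks the finest granularity (month, quarter, year) at which every date cell still holds at least k records, beside the fixed HIPAA year-only rule. The records, condition names and k threshold are constructed.

```python
from collections import Counter
from datetime import date

# Constructed sample records (hypothetical): (condition, admission_date).
# The rare condition has only four admissions spread across the year.
RECORDS = [
    ("influenza", date(2024, 1, 3)), ("influenza", date(2024, 1, 17)),
    ("influenza", date(2024, 1, 28)), ("influenza", date(2024, 2, 9)),
    ("influenza", date(2024, 2, 21)), ("influenza", date(2024, 3, 4)),
    ("rare_condition", date(2024, 1, 12)), ("rare_condition", date(2024, 5, 30)),
    ("rare_condition", date(2024, 9, 8)), ("rare_condition", date(2024, 11, 2)),
]

def generalize(d: date, level: str) -> str:
    """Collapse a date to a coarser bucket: 'month', 'quarter' or 'year'."""
    if level == "month":
        return f"{d.year}-{d.month:02d}"
    if level == "quarter":
        return f"{d.year}-Q{(d.month - 1) // 3 + 1}"
    if level == "year":
        return str(d.year)
    raise ValueError(f"unknown level {level!r}")

def hipaa_safe_harbor(records):
    """HIPAA Safe Harbor: every date collapses to year, regardless of risk."""
    return [(c, generalize(d, "year")) for c, d in records]

def risk_based(records, k=3):
    """Per condition, choose the finest level at which every (condition, bucket)
    cell has at least k records; 'suppress' if even year-level cells are too small."""
    chosen = {}
    for cond in sorted({c for c, _ in records}):
        dates = [d for c, d in records if c == cond]
        chosen[cond] = "suppress"
        for level in ("month", "quarter", "year"):
            cells = Counter(generalize(d, level) for d in dates)
            if min(cells.values()) >= k:
                chosen[cond] = level
                break
    return chosen

def apply_risk_based(records, k=3):
    """Emit records with dates generalized to their condition's chosen level;
    records of a suppressed condition are dropped rather than released."""
    levels = risk_based(records, k)
    return [(c, generalize(d, levels[c])) for c, d in records
            if levels[c] != "suppress"]

if __name__ == "__main__":
    print(risk_based(RECORDS))          # {'influenza': 'quarter', 'rare_condition': 'year'}
    print(hipaa_safe_harbor(RECORDS)[0])  # ('influenza', '2024')
```

Raising k models a higher-risk context: at k=5 the rare condition no longer meets the threshold even at year level and is suppressed, while influenza still releases at quarter granularity.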
Case Study: Multi-jurisdictional Research Project
A research project involving health data from Canada, the US, and the EU had to navigate different de-identification requirements:
- Canadian data: Required provincial research ethics board approvals and compliance with provincial health privacy laws
- US data: Required HIPAA compliance with either Safe Harbor or Expert Determination
- EU data: Required GDPR compliance with appropriate safeguards for pseudonymized data
The solution involved:
- Creating jurisdiction-specific de-identification protocols
- Implementing the most stringent requirements across all datasets to ensure compliance
- Using data sharing agreements with specific provisions for each jurisdiction
- Conducting regular compliance reviews
- Implementing a federated analysis approach that minimized cross-border data transfers
This illustrates how organizations operating across multiple jurisdictions must navigate complex and sometimes conflicting de-identification requirements.
Official Resources
- Office of the Privacy Commissioner of Canada - PIPEDA
- Canadian Institute for Health Information - Privacy and Security
- Information and Privacy Commissioner of Ontario - De-identification Guidelines for Structured Data
- Office of the Information and Privacy Commissioner of Alberta - Publications
- Office of the Information & Privacy Commissioner for BC - Guidance Documents
- Statistics Canada - Trust Centre
- Health Canada - Privacy and Confidentiality of Health Information
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Personal Health Information Protection Act, 2004 (Ontario)
- Health Data Research Network Canada
- First Nations Information Governance Centre - OCAP® Principles
- Commission d'accès à l'information du Québec - Guide to Anonymization
- Pan-Canadian Health Data Strategy
- Canadian Primary Care Sentinel Surveillance Network - Data Access
- Population Data BC
Academic and Professional Resources
- El Emam K, Arbuckle L. De-identification: A Critical Debate. Future of Privacy Forum
- El Emam K, et al. A Systematic Review of Re-Identification Attacks on Health Data
- Privacy by Design at Population Data BC: A Case Study
- HealthCareCAN Privacy Toolkit
- Canadian Medical Protective Association: Electronic Records Handbook