Privacy and Data Security for Research

The Privacy Department and the Data Security Office at Women’s College Hospital (WCH) are available to provide guidance and support to teams engaged in research activities including but not limited to data access, analysis, storage, sharing and assessment of new technologies.

We are committed to protecting personal health information under the custody or control of WCH in accordance with the Ontario Personal Health Information Protection Act, the guiding privacy principles set out by the Canadian Standards Association’s Model Code for the Protection of Personal Information, and privacy best practices.

FAQs

Please refer to Administrative Policy 1.20.002 “Privacy and Security of Personal Health Information” for the definition of PHI or Patient Information.  It can be found on the intranet here: https://mywch.ca/bins/content_page.asp?cid=744-1307-1811&lang=1

PHI is any information that identifies an individual AND information about:

  • Their physical or mental health; family health history
  • Provision of health care or identification of their care provider
  • Payments or eligibility for healthcare
  • Donation of body part or body substances, or derived from testing or exam of such
  • Health card number, identification of a substitute decision maker

WCH encourages the use of REDCap to collect data. For more information on REDCap, please contact the REDCap Office at REDCap@wchospital.ca

To process and/or analyze data, WCH recommends using REDCap or Excel. For more information on REDCap, please contact the REDCap Office at REDCap@wchospital.ca.

To share data with external collaborators and/or participants, WCH recommends using REDCap. For more information on REDCap, please contact the REDCap Office at REDCap@wchospital.ca.

To store your data, WCH recommends using REDCap. For more information on REDCap, please contact the REDCap Office at REDCap@wchospital.ca.

It is important to know where your data processing and analysis software or tools are hosted to ensure data security and privacy.  You can verify the host country within the Terms of Service or agreements.

Note that REDCap is hosted at WCH and protected by WCH IMIT and in accordance with industry standards. For more information on REDCap, please contact the REDCap Office at REDCap@wchospital.ca.

The guidelines below introduce institutions to the basic concepts and techniques of de-identification, outline the key issues to consider when de-identifying personal information in the form of structured data and they provide a step-by-step process that institutions can follow when removing personal information from datasets.

These guidelines are available from the Information and Privacy Commissioner of Ontario here: https://www.ipc.on.ca/wp-content/uploads/2016/08/Deidentification-Guidelines-for-Structured-Data.pdf

Destruction of research data is dependent on where the research data exists/where it is hosted.  Please contact IMIT for further support.  Please note that after 93 days, data is completely removed from SharePoint/Teams once it is deleted. For REDCap, data is completely removed 30 days after deletion.

You can also refer to WCH policies:

Policy 1.10.008 – Retention/Destruction of Corporate Records (refer to sections on Research data)

Policy 1.130.002 – Destruction of the Health Record (refer to sections on Research records)

To assess your technology platforms/software solutions, please contact the Privacy Officer and Data Security Officer for additional information and/or to determine if safeguards are required to ensure approval at WCH.

Contact

The WCH Privacy Department can be contacted via email: Privacy@wchospital.ca

Data Security can be contacted via email: CyberSecurity@wchospital.ca

For additional information on privacy, please visit: https://www.womenscollegehospital.ca/privacy/