Information Privacy


Information Privacy plays a crucial role in Research Data Management. While often associated with health research, Information Privacy applies to any research project that collects, uses, and/or discloses (CUD) information considered personal, or identifiable about an individual. In British Columbia, Information Privacy is regulated by the Freedom of Information and Protection of Privacy Act (or FoIPPA), and it is the responsibility of research groups to comply with the requirements of this legislation.

Before you read this page 

It is strongly recommended that you consult with an information privacy professional when planning a research project that will collect, use, and/or disclose personal or identifiable information. This page covers high-level concepts about Information Privacy in British Columbia, and may not include all information specifically applicable to your research project.

For assistance, please contact  

Key Notes: 
Information on this page may be relevant to you if:

  • Your research project involves human subjects or data;  
  • Your research project will collect, use, and/or disclose (CUD) information considered personal, or identifiable about an individual;  
  • Your research data is subject to specific privacy requirements.  


Definitions for Personal Information and Personal Health Information can be found in the Office of the CIO Glossary of terms

Planning research with Privacy in mind  

Responsibility and Accountability 

When planning a research project involving personal or identifiable information, it is important that the involved parties define who will be responsible, and accountable for this information. Where applicable, responsibility and accountability should be made part of a legal agreement between the parties, and clearly identify who is responsible/accountable for what information, how, and at which point in the project.  

It is also important to define which privacy regulation(s) apply to the information collected, used, and/or disclosed. Your research data may be subject to multiple regulatory bodies if it crosses British Columbia’s border.

To learn more about specifics of contract agreements, and legal implications, visit  

Identify Purpose 

Before you start identifying the data elements you will be collecting, using, and/or disclosing, you should ensure you have identified the purpose for which you will be collecting any information in the first place. Per FoIPPA, you must be able to justify the purpose for which you will be collecting, using, and/or disclosing personal or identifiable information about an individual.

Obtain Informed Consent 

Whenever you plan on collecting, using, and/or disclosing personal or identifiable information about an individual for your research, you must obtain formal consent from this individual first. While this may seem simple, informed consent presents a particular complexity because you need to choose the right language for participants to fully understand the extent of the information CUD.  
A formal consent form should: 

  • Be meaningful  
    You must be able to tie each element of your information CUD, to the purpose of your research.  
  • Be clear and concise 
    Participants must be able to fully understand the nature, purpose, and consequences of what they consent to, but must not be overloaded with excessive details that could confuse their decision.  
  • Include key details about CUD 
    By reading your consent form, participants should be able to identify what information will be collected, and how it will be used, shared, stored, safeguarded, retained, and disclosed.
  • Clearly identify the associated risks 
    An informed consent should clearly indicate the meaningful risks, and/or consequences associated with the CUD of the personal or identifiable information about an individual.  
  • Include a withdrawal procedure 
    Participants must be informed about how they can withdraw their consent, should they want to do so.

Limit Collection

When collecting personal or identifiable information about an individual, you should limit this collection to only what is necessary to conduct your research. For each element collected, you should be able to justify its relevance, and purpose to your research project.

Limit Information Use and Disclosure 

FoIPPA has very specific requirements about information use and disclosure within, and outside Canada. Personal or identifiable information about an individual should only be disclosed for the purpose for which it was obtained or compiled or for a use consistent with that purpose. 

When creating your Research Data Management plan, you should be able to clearly explain how you will be using the collected information. You should also be able to explain when, how, to whom, and why it may be disclosed (where applicable).  

Visit our Research Data Management section for more information.  

Information Accuracy 

When planning for CUD of personal or identifiable information about an individual, it is essential that you set protocols to maintain the integrity, and accuracy of this information. Confidential information may be very valuable to the individual; you must ensure that it is up-to-date, accurate enough to serve the purpose of CUD, and handled in a way that will prevent accidental disclosure (such as recording information to the wrong file).  


As a confidential information steward or owner (where applicable), it is the responsibility of your research project to ensure the information CUD is properly safeguarded from malicious elements. Information safeguarding is a requirement of Canadian privacy regulations, and is defined per UBC Security Policy SC14, and associated Standards. For more information about Electronic Information Security, visit our Information Security page. 


Individuals from whom you collect, use, and/or disclose personal information may want to know more about how you manage their data, and they should be able to easily access information about applicable policies, and practices your research project complies with. Where applicable, this information should be made available beyond just your consent form, in a privacy policy for example.   

Individual Access 

Individuals must be made aware of CUD of their personal information, and have the ability to access, and challenge the accuracy of this information, should they need to do so.  

Retention Requirements 

Personal or identifiable information about an individual may be subject to one, or multiple retention policies. To ensure compliance, review your data’s applicable regulation(s), and identify the proper retention period. For more information about data retention at UBC, visit  

Privacy Impact Assessment 

A Privacy Impact Assessment (or PIA) is a risk-based analysis of information collection, use, and disclosure, based on the potential harm that could be caused by its loss, corruption, or disclosure.  Depending on the nature of your research, and the scope of use of your research tools/solution, you may be required to produce a PIA. To learn more about Privacy Impact Assessments for research, visit  


Additional Resources 

For more information about Information Privacy for research, you may also consult:  

University-Industry Liaison Office (UILO)  

Office of the CIO  

Office of the University Counsel  

Privacy Matters