Information Privacy plays a crucial role in Research Data Management. While often associated with health research, Information Privacy applies to any research projects that collect, use, and/or disclose (CUD) information considered personal, or identifiable about an individual. In British Columbia, Information Privacy is regulated by the Freedom of Information, and Protection or Privacy Act (or FoIPPA), and it is the responsibility of research groups to comply with the requirements of this legislation.
Before you read this page
It is strongly recommended that you consult with an information privacy professional when planning a research project that will collect use, and/or disclose personal or identifiable information. This page covers high-level concepts about Information Privacy in British Columbia, and may not include all information specifically applicable to your research project.
For assistance, please contact email@example.com
Information on this page may be relevant to you if:
- Your research project involves human subjects or data;
- Your research project will collect, use, and/or disclose (CUD) information considered personal, or identifiable about an individual;
- Your research data is subject to specific privacy requirements.
Definitions for Personal Information and Personal Health Information can be found in the Office of the CIO Glossary of terms.
Planning research with Privacy in mind
Responsibility and Accountability
When planning a research project involving personal or identifiable information, it is important that the involved parties define who will be responsible, and accountable for this information. Where applicable, responsibility and accountability should be made part of a legal agreement between the parties, and clearly identify who is responsible/accountable for what information, how, and at which point in the project.
It is also important to define which privacy regulation(s) applies to the information collected, used and/or disclosed. It is possible that your research data be subject to multiple regulatory bodies if it crosses British Columbia’s border.
To learn more about specifics of contract agreements, and legal implications, visit https://uilo.ubc.ca/researchers
Before you start identifying the data elements you will be collecting using and/or disclosing, you should ensure you have identified the purpose for which you will be collecting any information in the first place. Per FoIPPA, you must to be able to justify the purpose for which you will be collecting, using, and/or disclosing personal or identifiable information about an individual.
Obtain Informed Consent
Whenever you plan on collecting, using, and/or disclosing personal or identifiable information about an individual for your research, you must obtain formal consent from this individual first. While this may seem simple, informed consent presents a particular complexity because you need to choose the right language for participants to fully understand the extent of the information CUD.
A formal consent form should:
- Be meaningful
You must be able to tie each element of your information CUD, to the purpose of your research.
- Be clear and concise
Participants must be able to fully understand the nature, purpose, and consequences of what they consent to, but must not be overloaded with excessive details that could confuse their decision.
- Include key details about CUD
By reading your consent form, participants should be able to identify what information will be collected, and how it will used, shared, stored, safeguarded, retained, and disclosed.
- Clearly identify the associated risks
An informed consent should clearly indicate the meaningful risks, and/or consequences associated with the CUD of the personal or identifiable information about an individual.
- Include a withdrawal procedure
Participants must be informed about how they can withdraw their consent, should they want to do so.
When collecting personal or identifiable information about an individual, you should limit this collection to only what is necessary to conduct your research. For each element collected, you should be able to justify it relevance, and purpose to your research project.
Limit Information Use and Disclosure
FoIPPA has very specific requirements about information use and disclosure within, and outside Canada. Personal or identifiable information about an individual should only be disclosed for the purpose for which it was obtained or compiled or for a use consistent with that purpose.
When creating your Research Data Management plan, you should be able to clearly explain how you will be using the collected information. You should also be able to explain when, how, to whom, and why it may be disclosed (where applicable).
Visit our Research Data Management section for more information.
When planning for CUD of personal or identifiable information about an individual, it is essential that you set protocols to maintain the integrity, and accuracy of this information. Confidential information may be very valuable to the individual; you must ensure that it is up-to-date, accurate enough to serve the purpose of CUD, and handled in a way that will prevent accidental disclosure (such as recording information to the wrong file).
As a confidential information steward or owner (where applicable), it is the responsibility of your research project to ensure the information CUD is properly safeguarded from malicious elements. Information safeguarding is a requirement of Canadian privacy regulations, and is defined per UBC Security Policy SC14, and associated Standards. For more information about Electronic Information Security, visit our Information Security page.
Individuals must be made aware of CUD of their personal information, and have the ability to access, and challenge the accuracy of this information, should they need to do so.
Personal or identifiable information about an individual may be subject to one, or multiple retention policies. To ensure compliance, review your data’s applicable regulation(s), and identify the proper retention period. For more information about data retention at UBC, visit https://recordsmanagement.ubc.ca
Privacy Impact Assessment
A Privacy Impact Assessment (or PIA) is a risk-based analysis of information collection, use, and disclosure, based on the potential harm that could be caused by its loss, corruption, or disclosure. Depending on the nature of your research, and the scope of use of your research tools/solution, you may be required to produce a PIA. To learn more about Privacy Impact Assessments for research, visit https://privacymatters.ubc.ca/privacy-impact-assessment
For more information about Information Privacy for research, you may also consult:
University-Industry Liaison Office (UILO)
Office of the CIO
Office of the University Counsel