Information Privacy plays a crucial role in research data management. While often associated with health research, Information Privacy applies to any research projects that collect, use, and/or disclose (CUD) information considered personal, or identifiable about an individual.
Before you read this page
It is recommended that you discuss the collection, use, and/or disclosure of personal or identifiable information requirements of your project with an information privacy professional during the project planning phase. This page covers high level concepts about Information Privacy in British-Columbia, and may not include all information specifically applicable to your research project.
For assistance, please contact arc.support@ubc.ca
Information on this page may be relevant to you if:
- Your research project involves human participants or information about individuals;
- Your research project will collect, use and/or disclose (CUD) personal and/or identifiable information about an individual;
- Your research information is subject to specific privacy requirements.
How UBC defines Personal Information
Definitions for Personal Information, and Personal Health Information can be found in the Office of the CIO Glossary of terms. Further guidance on what constitutes Personal Information can be found on the UBC Office of the University Counsel website.
Planning research with Privacy in mind
In British Columbia, Information Privacy is primarily regulated by the BC Freedom of Information and Protection of Privacy Act (FIPPA) and the BC Personal Information and Protection Act (PIPA). It is the responsibility of researchers to determine which legislation applies to their research data and comply with the requirements of this legislation. UBC researchers are encouraged to follow the privacy principles below when collecting, processing and disclosing Personal Information:
Responsibility and Accountability
When planning a research project involving personal and/or identifiable information, it is important that the stakeholders define who will be responsible and accountable for this information. Where applicable, responsibility and accountability should be made part of a legal agreement and/or consent document between the involved stakeholders, and clearly identify who is responsible/accountable for what information, how, and at which point in the project.
It is also important to define which privacy regulation(s) applies to the information CUD. Your research data may be subject to multiple regulatory bodies, especially if it crosses British Columbia’s border.
To learn more about the specifics of contract agreements and their legal implications, visit:
For consent forms and responsibilities associated with the CUD of personal information, visit
Identify Purpose
The purpose for which personal information is collected should first be identified and documented prior to initiating data CUD activities. Identifying the purpose helps you determine what personal information is required to fulfill that purpose. A justification of the purpose is required in some research documents like consent forms and data access requests.
Obtain Informed Consent
Whenever you plan on collecting, using, and/or disclosing personal or identifiable information about an individual for your research, you must obtain formal and informed consent from this individual first.
A formal and informed consent form should:
Be meaningful
You must be able to tie each element of your information CUD to the purpose of your research.
Be clear and concise
Participants must be able to fully understand the nature, purpose, and consequences of what they consent to, but must not be overloaded with excessive details that could confuse their decision.
Include key details about CUD
By reading your consent form, participants should be able to identify what information will be collected, and how it will used, shared, stored, safeguarded, retained, and disclosed.
Clearly identify the associated risks
An informed consent should clearly indicate the meaningful risks, and/or consequences associated with the CUD of the personal or identifiable information about an individual.
Include a withdrawal procedure
Participants must be informed about how they can withdraw their consent, should they wish to do so.
More Information
The UBC Research Ethics Boards provides researchers with consent advice, guidelines and templates for use in research projects
Limit Collection
When collecting personal or identifiable information about an individual, you should limit this collection to only what is necessary to achieve the indicated purpose of your research project.
Limit Information Use and Disclosure
Both FIPPA and PIPA have very specific requirements about information use and disclosure within, and outside Canada. Personal or identifiable information about an individual should only be used or disclosed for the purpose for which it was obtained or compiled.
When creating your Research Data Management plan, you should be able to clearly explain how you will be using the collected information. You should also be able to explain when, how, to whom, and why it may be disclosed (where applicable).
Retention Requirements
Personal or identifiable information about an individual may be subject to one or multiple retention policies. To ensure compliance with the appropriate and/or authorized data retention period:
- Review the UBC RISE Application Guidance Notes on data retention/disposition;
- Review the signed consent forms and/or research agreements associated with your research project.
The administrative documents related to your research project (e.g. project proposals) are subject to UBC data retention policies.
To learn more about UBC information retention requirements, Visit:
Information Accuracy
When planning for CUD of personal or identifiable information about an individual, it is essential that you set protocols to maintain the integrity and accuracy of this information. Confidential information may be very valuable to the individual; you must ensure that it is up-to-date, accurate enough to serve the purpose of CUD, and handled in a way that will prevent accidental disclosure (such as recording information to the wrong file).
Safeguarding
As confidential information custodian or owner (where applicable), it is your responsibility to ensure that the information CUD for your research project is properly safeguarded from malicious elements (e.g. unauthorized access, use and disclosure). Information safeguarding is a requirement of Canadian privacy legislation and is further documented in UBC Information Systems Policy (SC14), and associated Standards.
Openness
Individuals from whom you CUD personal information may want to know more about how you manage their data. They should be able to easily access information about applicable policies and practices to which your research project complies. Where applicable, this information should be made available beyond just your consent form, in a privacy statement for example.
Individual Access
Individuals must be made aware of CUD of their personal information, and have the ability to access and challenge the accuracy of this information, should they need to do so.
Privacy Impact Assessment
A Privacy Impact Assessment (or PIA) is a risk-based analysis of information CUD, based on potential harm that could be caused by its loss, corruption, or disclosure. Depending on the nature of your research, and the scope of use of your research tools/solutions, you may be required to produce a PIA.
Additional Resources
To learn more about UBC security requirements, visit:
To learn more about UBC legal requirements, visit:
To learn more about UBC information privacy and security, visit:
To learn more about UBC contracts and partnerships, visit:
Can’t find what you are looking for?
Send us an email at arc.suport@ubc.ca to talk to one of our subject matter experts.