With the rapid advancements in technology and the breadth of data available, public bodies, organizations, and agencies are increasingly sharing information to increase knowledge, conduct research, and inform policies and procedures about public issues.
In Ontario, data sharing between organizations is governed by privacy legislation such as the Personal Health Information and Protection Act (“PHIPA”) and Freedom of Information and Protection of Privacy Act (“FIPPA”). In some cases, it is a statutory requirement that a written data sharing agreement (“DSA”) be established between the parties to set out the terms and conditions under which information is shared:
- to ensure compliance with applicable laws
- to ensure the proper safeguards are implemented to prevent unauthorized use, collection and disclosure.
In any event, it is considered best practice that data partners develop a written DSA when sharing information to protect data.
What is in a DSA?
Data sharing can be complex depending on the data partners, type of information, and the flow of information. This is why a DSA must be carefully drafted to ensure that your organization is compliant with applicable privacy laws and that proper safeguards are in place to protect your information. If your organization is involved in the collection, use, and disclosure of information you should consider the following ten questions when drafting a DSA:
- Who are the parties that will be collecting, using, and disclosing data?
- Who will be disclosing or receiving the data?
- If governed under PHIPA, identify if the party is a:
- Health Information Custodian (“HIC”)
- Health Information Network Provider (“HINP”)
- Electronic Service Provider
- Prescribed Entity
- Prescribed Registry
- Under PHIPA, a party can wear multiple hats (i.e. a party can be both a HIC and a HINP and would have to comply with the obligations as set out in the Act).
- Will there be a secondary use or disclosure of the data by the recipient?
- What is the purpose of data sharing between the parties?
- If you are disclosing data, you must consider how the receiving party is going to use your data, and for what purpose.
- Data cannot be collected any more than reasonably necessary to serve the purpose. It is important that DSAs make it clear as to why a party is collecting or using the data.
- For example, some common purposes under PHIPA include:
- Planning, management and analysis of the health system
- What information is being shared?
- Is it personal health information?
- Is it personal information?
- Is it de-identified data?
- Is it other information that is not governed by privacy legislation?
- Is the information going to be linked to other data sets?
- What is the legal authority for collection, use and disclosure of the data? What is the governing legislation?
- Under what legislation are the parties able to collect, use, and disclose data? This is often dependent on who the party is, and what type of information is being shared.
- How will the data be shared between the parties?
- Will the data be disclosed only from one party to another? Or will it be disclosed both ways?
- Will there be third party disclosures?
- It is often helpful to include a flow chart to illustrate how the data is being shared especially in complex situations where there are multiple parties, and uses.
- What are the data elements, data sets, time frame, and collection rationale?
- How will the data be transferred?
- What secure method of transfer will be used? Will it be electronic or hard copies?
- What is the frequency of data transfer?
- Is it a one-time disclosure or on-going disclosure (i.e. annual disclosure of information)?
- How will the data be retained or destroyed?
- In some cases, the data is either returned to the originating party or destroyed after the DSA is terminated or expired. This should be clearly stated in the DSA.
- What privacy and security safeguards are in place by the receiving party to ensure your data is protected against unauthorized use?
- For example:
- Administrative Safeguards: Have in place robust policies and procedures governing authorized users collection, use and disclosure of data; establish privacy breach protocols; provide on-going privacy and security training; and monitoring compliance.
- Technical Safeguards: Encryption for portable devices; strong passwords; firewalls; and anti-malware scanners.
- Physical Safeguards: Use alarm systems and lock rooms where equipment is used to send or receive information; keep portable devices in a secure location, such as a locked drawer or cabinet.
- For example:
Note that this blog does not constitute legal advice – seek assistance from legal counsel. For assistance in drafting a data sharing agreement, please contact Pamela Seto at email@example.com.