					CaNIOS        Canadian Network for Improved Outcomes in Systemic Lupus


Privacy, Confidentiality and Data Security

Why a Handbook?

This handbook is intended to help all CaNIOS-affiliated persons – Faculty Scientists,
Associate and Adjunct Scientists, full-time staff (including Research Coordinators [RCs],
Programming & Biostatistics [P&B], Administrative Support and Systems personnel),
part-time staff (including abstractors and contract workers), visiting Scientists, medical
students, graduate students in Rheumatology, epidemiology, laboratory sciences, and
health services research, and post-doctoral fellows – become acquainted with CaNIOS
privacy policies and practices as they relate to health information.

We regard access to that information as an important privilege. Protecting the
privacy of individuals whose health information is housed here is an integral part of
CaNIOS' original research agreements. Without this commitment to best principles of
data security and confidentiality, the Network would not exist.

We have developed a CaNIOS Privacy Commitment statement (see below) as part of our
house Privacy Code. The Privacy Code can be found on the CaNIOS website –
www.CaNIOS.ca – along with an Executive Summary and a Public Information
document (entitled “Our Business is Lupus Care – Our Priority, Privacy within
Research”). Click on Who We Are and Privacy and Confidentiality on the left side of the
homepage; all documents can be found under the commitment statement. The privacy
documents are also available on the CaNIOS intranet.

Privacy Commitment

CaNIOS’ mandate to perform research that contributes to the effectiveness, quality,
equity, and efficiency of health care of the Canadian lupus population is complemented
by its promise to respect personal privacy, safeguard confidentiality of data and provide a
secure environment for the databases under its management.

CaNIOS meets this commitment by having:
    • ensured data anonymity
    • principles and policies in place for the protection of health data
    • strict policies which limit access to data even when made anonymous
    • heightened security measures: organizational, technological and physical
    • processes for review and approval of research proposals
    • an active Privacy Compliance Committee, at the working and governance levels
    • mandatory staff training to keep health information protection matters a constant
      priority
    • requirements that ALL staff sign a pledge of confidentiality upon commencement
      with CaNIOS and at every change in the CaNIOS Chair
    • regular review of its policies to ensure they are in tune with current health
      information legislation and protection practices.


This document is intended for CaNIOS internal use only
CaNIOS        Canadian Network for Improved Outcomes in Systemic Lupus



About CaNIOS – Just the Facts

It is often assumed that new CaNIOS personnel from all role groups have been told
everything about the Network, and that is not always correct. Here are some general
points to help orient you to CaNIOS.

   • CaNIOS is an independent, non-profit research organization, mandated to conduct
     health services research that contributes to the effectiveness, quality, equity, and
     efficiency of health care for the Canadian lupus population.

   • CaNIOS governance includes an Executive Committee, a Scientific Committee, and a
     Telematics Committee with a Confidentiality Sub-Committee.

   • The Network is the product of a collective vision to use research methodologies in
     innovative, creative ways to probe the interface of clinical practice, lupus-focused
     health services research and lupus-focused health policy, in order to create a blueprint
     for a better lupus-focused health care system in Canada. Embedded in its mandate is a
     commitment to research that can serve as a catalyst for change. Other important
     features of CaNIOS' research activities include advocacy for a system-wide approach
     to health care which is knowledge-based and evidence-oriented; translation,
     dissemination and transfer of research findings to varied audiences in appropriate,
     accessible language; and a commitment to capacity-building for lupus-related
     research in a variety of jurisdictions.

   • CaNIOS recognizes the importance and benefit of working together with stakeholders
     to achieve positive change. Over the years, an extensive network of policy, provider,
     research and academic organizations has collaborated with CaNIOS on countless
     initiatives. Some of our collaborators include: Lupus Clinical Trials Consortium
     (LCTC), Canadian Rheumatology Research Consortium (CRRC), Lupus Canada,
     British Columbia Lupus Association, Winnipeg Lupus Society, and Lupus Ontario, to
     name a few.

   • Internationally, CaNIOS Scientists have received unprecedented recognition and
     respect for their research. In addition to having more than __ research initiatives
     underway at any given time, contributions to peer-reviewed medical and health
     services research literature are published on a regular basis in journals such as Lupus,
     J Rheum, A&R, JAMA and NEJM.

   • The Network's Scientific members, comprised of nationally and internationally
     renowned lupus scientists from across the country, have repeatedly supported CaNIOS'
     direction, confirmed the significance of our research and fully endorsed our
     methodologies. Our scientists hold appointments at major universities and hospitals
     across Canada. In addition, many of our scientists have achieved international
     recognition in their respective areas of research.




   • Through CaNIOS' involvement in local, provincial, national and international
     research committees and task forces, CaNIOS has established a diverse network of
     associate scientists and stakeholder organizations to collaborate on research
     initiatives, thereby harnessing available expertise and maximizing the relevance of
     our research efforts.

Personal Health Information – Why are we calling it that?

Personal Health Information is the terminology used in the legislation. For us, it’s the
data we use to do our research.

All health data are considered highly sensitive; thus health information protection is
paramount. Safeguards are in place to protect personal health information against loss or
theft, as well as unauthorized access, disclosure, copying, use, or modification. The
nature of the safeguards will vary depending on the amount, distribution, format of the
information, and the method of storage (see Appendix 1). The methods of protection in
place include:

    1) Physical measures: locked facilities, locked filing cabinets and restricted access to
       offices;
    2) Organizational measures: strict employee confidentiality agreements (with
       immediate dismissal as a sanction) and limiting access on a “need-to-know” basis;
    3) Technological measures: the use of firewalls, “moating” of administrative data
       making it inaccessible externally, passwords, and encryption of data; use of
       removable data cartridges and dummy terminals; and
    4) Anonymization (de-identification) of data by stripping conventional identifiers.

As a condition of employment and membership, all new staff (active, associate and
trainee) must receive a CaNIOS privacy orientation from the Privacy Officer or designate
(may be oral or web-based), and must sign a CaNIOS Confidentiality agreement. This
includes CaNIOS scientists, associate and adjunct scientists, fellows and students, P&B,
RCs, admin support, KT and Systems (see Appendix 2 for CaNIOS Policy on
Confidentiality Agreement). Every person affiliated with CaNIOS for business purposes
(employee, consultant, visiting scientist, research collaborator, etc.) is required to sign a
confidentiality agreement and have a privacy orientation by the Privacy Officer or
designate.

Information and documents shared during the privacy orientation and in the
confidentiality agreement outline CaNIOS expectations and requirements of the
individual with respect to confidentiality of all CaNIOS materials and related activities.

By signing this agreement, individuals agree to familiarize themselves as soon as possible
with all CaNIOS Policies, Procedures and Practices – available from the Privacy Officer
and on the CaNIOS Intranet (www.CaNIOS.ca) – and to comply with them. If in doubt
about their applicability to their work, guidance is available from the most relevant
CaNIOS officer (eg Chair, Vice-Chair, Committee Chair; or Privacy Officer).




The Executive has requested that this agreement will be signed by all CaNIOS-affiliated
personnel at commencement with CaNIOS activities and at the change of the CaNIOS
Chair. A statement of affirmation of familiarity with all CaNIOS data security and
confidentiality policies will also be required.

On an on-going basis, the CaNIOS Privacy Compliance Committee works to make all
staff aware of the importance of maintaining the security of the data and confidentiality
of personal health information (see Appendix 3 for CaNIOS Policies on Security and
Confidentiality of Data).

Description of Personal Health Information (Data) Held at CaNIOS

This section deals with another assumption – that everyone knows what data sets are held
at CaNIOS and the extent of those data sets. Here are the basics:

  • Clinical registry datasets are held in the CaNIOS National Dataset on the SoftWorks
    CaNIOS server. It collects “annual” information on lupus patients followed by the
    CaNIOS members.

  • Primary data are collected to answer specific research questions. Such data may be
    obtained from subjects by interviews, abstracted from charts, questionnaires or
    surveys, or through observation and intervention studies done by CaNIOS Scientists.

  • Data abstracted from medical records or charts (abstracted data) are collected to
    augment, supplement, and validate registry research projects. These data also provide
    a method to assess quality and processes of care – providing an audit function – and
    thus a way to improve care. This secondary collection of data is performed only after
    REB (Research Ethics Board) approval. Abstracted data are collected under a unique
    study number; the data are de-identified.

  • Augmented data sets are created by linking anonymized personal information across
    multiple administrative data sets using unique identifiers called CKNs (CaNIOS key
    numbers). This allows the evaluation of treatments and patient outcomes, highly
    important to the understanding of the effectiveness of health care being delivered.

The Use of Personal Health Information at CaNIOS

The personal health information held at CaNIOS is used for the following purposes:

  • To perform research that contributes to the effectiveness, quality, equity, and
    efficiency of health care in the Canadian lupus population (CaNIOS' mandate)
  • To carry out health services research in the areas of clinical and policy relevance
    from a population-wide perspective
  • To document Canada-wide patterns of lupus medical care on a yearly basis
  • To articulate “Policy Options” arising from CaNIOS' health services research



  • To develop and disseminate information and decision tools for use by patients,
    practitioners, clinician-managers, administrators, and policymakers
  • To facilitate collaboration among health services researchers in Canada, and between
    researchers and decision-makers
  • To train lupus researchers and promote a wider understanding of relevant concepts
    from clinical epidemiology and lupus-related research

Project Documentation

The Canadian Standards Association (CSA) ten guiding principles found in the Federal
legislation Bill C-6 (Personal Information Protection and Electronic Documents Act
[PIPEDA]) and each Provincial legislation (Ontario – the Personal Health Information
Protection Act 2004 [PHIPA]) similarly favor system-wide accountability of the uses
made of personal health information. Our evaluation of our typical use patterns and the
legislative requirements has led us to recognize the need to be able to log each use of the
data sets housed at CaNIOS and to affirm that use of the data meets data security and
confidentiality standards. To this end, the Confidentiality Committee developed two
separate Privacy Impact Assessment (PIA) forms to provide the needed documentation
without hamstringing day-to-day research work (forms____________). These
documents were put into use ____.

All projects using CaNIOS databases and resources must have a CaNIOS scientist as
Principal or Co-Investigator.

Every project at CaNIOS has a research proposal with developed work/analysis plan and
timelines, whether it’s a formal grant application or a two-page internal submission to the
Project Development and Review Sub-Committee (chaired by the Vice-Chair or
designate). There are exceptions: for example, administrative data runs are often
performed to inform proposal-writing and to respond to approved ad hoc reports, but
these uses still must be logged with PIA forms.

For purposes of logging all uses of data at CaNIOS, the Investigator of each approved
project (granting agency, internally or externally planned projects) must file the
following with the Chair of the Project Development and Review Sub-Committee:

 1.    a copy of the approved proposal or grant;
 2.    a copy of the appropriate REB approval from the main study centre. Some
       projects require multiple REB approvals; it is not necessary to file copies of each
       with CaNIOS, but they are to be collected by the project's Principal Investigator;
 3.    a copy of the appropriate PIA form.

Using Privacy Impact Assessment (PIA) Forms – long and short versions

These forms are available from several sources: they are available by accessing _____ or
can be found on the CaNIOS Intranet (found at www.canios.ca/general/…), or can be
obtained from the Privacy Officer or the Chair of the Project Development and Review Sub-
Committee.

Long-form PIA (form 2004-2): this document is to be completed for all newly submitted
projects in which linkage to the administrative databases is planned with data from
another source.

Short form PIA (form 2004-1): this document is to be completed for each use of
administrative databases ONLY. These documents are to be filed with the Privacy
Officer, who will routinely seek Executive approval and provide you, the Director,
Programming & Biostatistics, and the Chair, Project Development and Review Sub-
Committee with copies for project files.


The “REB” – Research Ethics Board: When We Use IT

The office of the University Health Network REB – CaNIOS' ethics review panel – is
situated at 800 University Avenue, 8th floor, Toronto, Ontario (telephone 416-603- ).

The area of ethics and the role of the REB is changing rapidly because of the shift in
international ethics and privacy standards (CaNIOS ethics policies can be found in
Appendix 4). This policy will be updated as soon as new standards come into place,
regardless of the review cycle of this document.

CaNIOS contract staff are often engaged in multiple chart abstraction studies
simultaneously across the country. To lessen the burden on hospital Medical Records
Departments and on the scientists submitting for REB approval at multiple sites, the
CaNIOS National Coordinator or Administrative Assistant will assist the Research
Coordinator staff and faculty to complete ethics forms for hospitals across the country
and to coordinate convenient placement of CaNIOS contract chart abstractors.

For convenience, copies of ethics review policies/forms for UHN (as well as forms from
other hospital/university for ethics submission) are available through the CaNIOS
National Coordinator or the Administrative Assistant (who maintains a database of forms
and submissions). We try to have the most up-to-date forms available, but please check
form dates with your centre’s contact person.

    • As of September 1, 2004, for every use of the CaNIOS National database, CaNIOS
      research teams are required to complete the abbreviated PIA form as part of our
      logging of data use (see Appendix 4 for CaNIOS Policy on REBs). This approach is
      in place because of concerns about the use of anonymized National data and
      downstream concern about consent issues even in this context. The UHN REB, after
      evaluating CaNIOS data security, privacy and confidentiality policies and
      procedures, gave CaNIOS scientists permission to use the National database for
      projects, provided the CaNIOS Scientific Chair and the Privacy Officer submit
      annual reports on all uses of the National data to the REB (using the abbreviated
      PIA submissions as background) to ensure that the REB is kept abreast of work that
      has been done. Four to six projects are randomly chosen for review by the
      Chairman of the REB. Based on tracking/logging of projects and regular reporting
      to the REB, for publication purposes all studies using this National data will be
      considered to have REB approval and may include that statement as required by
      the peer-reviewed journals. The REB felt that this practice met the intent of the
      guiding principles of accountability, transparency and limiting use.

    • Primary Data are collected by CaNIOS scientists and staff within the context of
      clinical trials and epidemiological studies. These studies require development of a
      research proposal, review/approval (either by an external granting agency or the
      CaNIOS Project Development and Review Committee) and full review and approval
      through the appropriate institutional and/or university REB. Collection of primary data
      from patients participating in clinical trials only occurs after individual informed
      consent is sought and obtained (as per the Tri-Council Policy Statement [TCPS]).
      The burden of obtaining consent from individuals rests with the CaNIOS
      investigators, site investigators and their designated staff. Patients who agree to
      participate in clinical trials are fully informed as to the risks and benefits of the
      research project and the type of information that will be gathered. They are also
      advised that they can withdraw from the research project at any time without
      prejudice to their care; they receive a copy of their signed consent forms for their
      own records. Rather than using names, each participant is assigned a study number
      or code, ensuring that personal clinical information is made anonymous. If primary
      data collected in the context of a clinical trial are to be linked to an administrative
      dataset, separate consent for that linkage is required.

    • Abstraction of data from medical records (chart abstraction) is performed only after
      REB approval, which is usually obtained by expedited review, as there is no direct
      patient contact and no effect on patient care. Abstracted data are collected
      anonymously at the time of the abstraction by assigning unique study numbers in
      lieu of collecting personal identifiers such as name, address and phone number – except
      where explicit consent to do so has been obtained in clinical studies (eg, for
      purposes of telephone or survey follow-up).

We recommend that any question or concern about the need for REB review for a project be
discussed with the Chair or the Privacy Officer. In studies where data usage may be
perceived by the community to be highly sensitive and/or controversial, full ethics
submission is recommended.

“The Rules” for Using Health Information at CaNIOS

This section outlines the rules for handling health information at CaNIOS. It is a
distillation of the formal CaNIOS policies that are included in the appendix of this
document. The most current version of CaNIOS policies can also be found on the
CaNIOS Intranet.




Primary and Chart Abstraction Data

   • The data can only be used for the purposes for which they were collected; primary
     and secondary research questions should be carefully articulated, and plans for future
     linkage or extended follow-up should be included in the proposal and on the PIA
     form completed for the project.

   • All documents and all portable electronic media that contain identifiers must be
     stored in locked cabinets when not in use.

   • Unique study numbers must be used for each study subject to prevent unauthorized
     identification of individuals. The master record that links study number to personal
     information/identifiers must be stored separately under lock and key.

   • When providing hospitals with lists of medical records/admission dates to be pulled,
     the list may be sent by email in a password-protected Word or Excel file, with the
     password being sent by another email or transmitted over the phone. The password
     should be an alpha-numeric combination which follows CaNIOS password policy.
     Remember, the medical record number and date of admission/discharge are sensitive
     data. The email that contains the list as an attachment should not be copied to other
     people. Request that the electronic file be deleted by the recipient once the list has
     been printed, and either delete it or copy it to a stored floppy disk for record keeping. If
     hospital policy requires that the file be saved, it becomes the responsibility
     of the recipient.

   • Laptop programs for chart abstraction MUST be equipped with encryption software
     for data protection. Medical Care numbers should only be abstracted if they are
     required for linkage with external health administrative datasets. However, when
     abstracted data are transmitted at the individual record level or sent by CaNIOS by
     other means, the provincial health care number field must be excluded. A module
     should be included in the programming that allows the extraction of a separate file
     from the data, which contains a two-entry table: the provincial health care number
     and unique study ID. This file should be sent securely to the Director of
     Programming and Biostatistics or the Health Information Coordinator. They will
     create the IKN tables and attach them to the study data file after it has been stored on
     the UNIX/MATRIX system.

   • Clinical data records that contain anonymized information at an individual level
     must be kept on a password-protected cartridge that is only used when the data are
     actually needed. At all other times, these cartridges must be stored in a locked
     cabinet. Cartridges are never to be left connected to PCs under any circumstances.
     Under pre-approved special circumstances, data may be stored in encryption
     software such as BestCrypt™ until they are transferred to the UNIX/MATRIX.

   • Primary data must not be transported to the clinical UNIX system (MATRIX) without
     prior approval from the Chair or designate. The only common reason for
     transporting primary data to the UNIX system is for linkage to the administrative
     data.

   • Confidential documents that contain personal identifiers and need to be discarded
     must be shredded on site under the supervision of CaNIOS personnel (see Shredding
     Policy – Appendix 5).

   • Discussion of the project with persons outside the team must never reveal personal
     identifiers. All access to study participants' records will be denied to persons
     outside the study team, unless the participant has provided consent.

   • Personal health information should not reside at any time on the LAN.


Administrative, Registry and Augmented Data

The administrative, registry and augmented data sets are stored on the moated CaNIOS
UNIX (E4500) system and the clinical MATRIX system (E3000), and are highly
confidential. Every reasonable step has been made to ensure that data confidentiality is
protected. However, ironclad confidentiality is virtually impossible without rendering the
data useless for research purposes. Therefore, all UNIX and MATRIX users are required
to use the data and the system in a responsible manner that ensures that confidentiality is
maintained and in accordance with CANIOS policies and procedures. Access to data is
strictly controlled (see Access Policy on page ).

   • Data can only be used for approved CaNIOS projects and other authorized purposes.
     Any use of the data must be documented by the completion of a PIA form.

   • All UNIX/MATRIX users must have undergone CaNIOS privacy orientation from
     the CaNIOS Privacy Officer or designate and signed the CaNIOS confidentiality
     agreement before being granted a UNIX system account.

   • UNIX accounts are assigned to individuals at CaNIOS and must not be shared; do
     not divulge your UNIX password to anyone under any circumstances.

   • Any attempt to decrypt an encrypted field is forbidden, and regarded as a breach of
     the confidentiality agreement.

   • No data at the individual level of patient or physician can be moved from the UNIX
     system without prior written permission of the Chair or designate; the Health
     Information Coordinator must be informed of these occurrences.

   • Aggregate analysis results and intermediary results can be exported from the UNIX
     system if they no longer contain information at the individual level of physician or
     patient. These results must be transported to a CaNIOS PC where further analysis or
     report generation may be carried out.




   • Any aggregated information that has a cell size of five or less (ie, the aggregation is
     five or fewer individuals, or events) must not be released outside of CaNIOS.
     Exceptions (e.g., rare diseases) are considered on a case-by-case basis with Ministry
     approval only.

   • Users must not attempt to identify individuals based on unencrypted identifiers (eg,
     date of birth [DOB], sex, residence code) and/or any other prior knowledge.

   • UNIX: Without exception, external data files must not be transported to the UNIX
     server by the user. If a user plans to mount data on the UNIX to link to
     administrative data in the MOHLTC-ICES database files, that data must be passed
     to the Health Information Coordinator or the Director of P&B. They will transport
     the data to the UNIX system and encrypt the necessary fields. Any other identifying
     information will be stripped from the data and, if necessary, dummy identifiers will
     be added. Without exception, written permission from the Chair/designate and the
     technical assistance of the Health Information Coordinator or the Director, P&B is
     required to remove a copy of a data file once it is on the UNIX system. Any attempt by
     the user to reconnect the data back to the original unencrypted identifiers is strictly
     forbidden.

   • MATRIX server: When CaNIOS is functioning under a signed research agreement
     as the data repository for a research study or trial (example: the 1000 Canadian
     Faces of SLE), the data are the property of the investigators as long as they have not
     been linked to the MOHLTC-ICES administrative databases. Any copies of the data
     requested by the project team for analyses external to CaNIOS must be approved in
     writing by the data owners/agency and co-signed by the Chair or designate. Data
     use decisions in this circumstance are the responsibility of the data owners. The
     technical assistance of the Systems Manager or UNIX Systems Administrator is
     required to remove a copy of the data file from the MATRIX server. Once copies
     have been provided to authorized users, CaNIOS is not responsible for data use
     external to CaNIOS. If future linkage of clinical data on the MATRIX server is
     planned, these data are then transferred permanently to the UNIX for that purpose
     and cannot be removed or copied.

   • Individual records should be viewed on the computer monitor screen whenever
     possible. If it is necessary to print them out for easier viewing, IKNs should be
     removed prior to printing (e.g. use a sequential identifier instead) and the printouts
     should be shredded once they have been reviewed.

   • All computer output and listings destined for garbage/recycling should be shredded
     first as a security precaution as per the Shredding Policy (see Appendix 5 for
     Shredding Policy).






    • All terminals are now equipped with screensavers which automatically “lock” after
      15 minutes; they cannot be used unless the user logs in again (see Appendix 6
      for Password Policy).

    • Unless an overnight data run is required, do not leave your terminal (switch boxes)
      logged on to the UNIX system overnight.

Access Policy for CaNIOS Administrative Data

To reduce the chances of a breach of the confidentiality guidelines, either willful or
inadvertent, CaNIOS has implemented a set of restrictions on access to the administrative
data on the UNIX system. Anyone who is given access to the UNIX system is assigned
to one of four levels of access. These levels range from 0 to 3 with decreasing access
rights as the levels go up.

Level 0

Caretakers as outlined in the MOHLTC research agreement: full access to all data sets as
well as access to unencrypted identifiers for the purposes of encryption and record
linkage.

Level 1

Programmers and Biostatisticians:
 • access to all data with encrypted identifiers and the transfer PC, described below

Level 2

Research Coordinators, core facility:
 • access to all data with encrypted identifiers and with high-risk demographic fields
   removed, and access to the transfer PC

Level 3

Students, adjunct faculty and any other users not covered above:
 • access only to project-specific data sets with identifiers and high-risk demographic
   fields removed, and no access to the transfer PC.

The two areas of greatest vulnerability of the administrative data lie in the users' ability
to remove individual anonymized records from the system through the transfer PC and
the ability of users to infer identities based on the values of certain demographic fields.
The limitations on access focus on these two points.

The transfer PC has no electronic connections to any other system other than to the UNIX
system and was set up to allow users to download files of aggregated data and/or listings
from SAS or STATA analyses. A transfer of data using this machine involves logging
onto the machine itself and then logging onto the UNIX system. By limiting access to
the transfer PC, CaNIOS reduces the risk of inappropriate transfer of data.

Certain demographic fields, including postal code and birth date, contain information on
individuals that presents an increased risk that the individual can be identified from the
anonymous records. Any identification of this type would be a grave breach of security.
Users are instead given access to a less specific version of the same information, for example
birth year rather than birth date, and forward sortation area or county rather than postal code.

CaNIOS has tried to strike a balance between giving researchers access to the data that
they need and minimizing its exposure to potential breaches of confidentiality and
ownership. The P&B group is the most intensive user of the administrative data. For this
reason they are given a level of access with very few restrictions. It is also within their
duties to assist other researchers in preparing data sets, especially in instances where
restrictions prevent other users from deriving needed information. Other full-time
CaNIOS employees, such as Research Coordinators and Faculty, are generally restricted
from accessing the high-risk demographic fields. Any information they need that must be
derived from these variables can be produced for them by P&B. The students, adjunct faculty
and others who require access to the administrative data face the most restrictions. This
is a group of users who are typically low-volume and may be a higher risk to security and
confidentiality because they are not as tied to the CaNIOS culture. These users will
require assistance from the P&B group in putting their project-specific data sets together
and moving results from the transfer PC.
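As an added illustration of the four access levels and the field generalization described above (example code written for this page, not CaNIOS's own system), the function below produces the view of one record that a user at each level may see. It assumes records are Python dicts, uses a keyed HMAC as a stand-in for the caretakers' compiled encryption module, and takes the forward sortation area to be the first three characters of a Canadian postal code.

```python
"""Added example (not CaNIOS code): produce the view of a record that a user
at each UNIX access level (0-3) is allowed to see.

Assumptions not stated in the handbook: records are dicts; a keyed HMAC
stands in for the caretakers' compiled encryption module; the forward
sortation area (FSA) is the first three characters of a postal code.
"""
import hashlib
import hmac
from typing import Dict, Optional, Set

# Identifier fields (hypothetical names) that Level 1 and 2 see only encrypted
IDENTIFIER_FIELDS = ("name", "health_card_number", "mrn")

# Constructed key; in practice it would be held by the Level 0 caretakers only
_ENCRYPTION_KEY = b"constructed-demo-key"


def encrypt_identifier(value: str) -> str:
    """One-way keyed hash; deterministic so records still link across data sets."""
    digest = hmac.new(_ENCRYPTION_KEY, value.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def generalise(record: Dict[str, str]) -> Dict[str, str]:
    """Swap high-risk fields for the coarser versions the handbook names:
    birth year instead of birth date, FSA instead of full postal code."""
    out = dict(record)
    if "birth_date" in out:                       # YYYY-MM-DD -> YYYY
        out["birth_year"] = out.pop("birth_date")[:4]
    if "postal_code" in out:                      # "M5G 2C4" -> "M5G"
        out["fsa"] = out.pop("postal_code").replace(" ", "")[:3].upper()
    return out


def release_record(record: Dict[str, str], level: int,
                   project_ids: Optional[Set[str]] = None) -> Optional[Dict[str, str]]:
    """Return what a user at `level` may see, or None if the record is withheld.

    Level 0: caretakers, full record with raw identifiers.
    Level 1: P&B, every record, identifiers encrypted.
    Level 2: Research Coordinators, identifiers encrypted and high-risk
             demographic fields generalised.
    Level 3: students/adjuncts, only records of their approved projects,
             identifiers removed and high-risk fields generalised.
    """
    if level not in (0, 1, 2, 3):
        raise ValueError(f"unknown access level {level}")
    if level == 0:
        return dict(record)
    out = dict(record)
    if level == 3:
        # project_id is a constructed field marking the data set a record belongs to
        if project_ids is None or out.get("project_id") not in project_ids:
            return None
        for field in IDENTIFIER_FIELDS:
            out.pop(field, None)
    else:
        for field in IDENTIFIER_FIELDS:
            if field in out:
                out[field] = encrypt_identifier(out[field])
    if level >= 2:
        out = generalise(out)
    return out


# Constructed sample record (fictitious values)
SAMPLE_RECORD = {
    "name": "Jane Example", "health_card_number": "0000000000", "mrn": "1234567",
    "birth_date": "1970-05-14", "postal_code": "M5G 2C4",
    "project_id": "P-001", "diagnosis": "SLE",
}

if __name__ == "__main__":
    for lvl in range(4):
        print(lvl, release_record(SAMPLE_RECORD, lvl, {"P-001"}))
```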

Other Restrictions

Access to some CaNIOS centre-specific clinical databases is restricted to those
researchers who require access for a CaNIOS-approved project. Approval for use is
required from the Registry. Because of the richness of the data records, these data are higher
risk even with the high-risk demographic fields suppressed. Users are subject to the
usual data restrictions described above as well.

Exceptions

There must be very compelling reasons to make any exception to the above policies, and
the exception must be approved by the Chair of CaNIOS. One exception that has been
made is for the analysis of data using specialized software that is not available for the
UNIX system. In this instance, and with approval from the Chair, the user can move the
project-specific data to a password-protected cartridge for use on a desktop PC with the
specialized software and the encryption software, BestCryptTM. The cartridge must be
stored under lock and key when not in use. If it is not used over a period of one week or
more, it should be turned over to one of the caretakers for storage in the CaNIOS data
safe.

Data Destruction

Personal health information shall be retained only as long as necessary for the fulfillment
of the purposes for which it was collected, compiled or extracted. It is the responsibility of the
principal investigator to specify a destruction date for all data brought into a project as
part of the privacy impact assessment and to ensure that the destruction is carried out by
that date. Destruction of data means that no copy of the data will remain,
either in its original form or in any derived form, in paper, electronic, or any other storage
medium, including back-up tapes or CDs. The only exception is aggregated forms of
the data in published manuscripts and reports. Computer programs that were designed to
manipulate the data may be stored indefinitely provided no vestiges of the data remain
within the programs (see Appendix 7 for full details; also available on s:/policies).

Information Breach

An information breach occurs when personal information is collected, retained, used or
disclosed in ways that are not in accordance with the CaNIOS Confidentiality and
Security of Data Policy in the Privacy Handbook. There are many types of information
breaches, but most do not “harm” individuals; rather, “rules” are broken (see
Appendix 8 for the complete policy; also available on s:/policies). CaNIOS staff are
encouraged to report breaches to the Privacy Officer so that they can be immediately
addressed and/or remediated. Our privacy culture at CaNIOS sits on a framework of
teamwork and is intended to be non-adversarial.

The most common breach of information is the unauthorized disclosure of personal
health information; for example, personal health information may be lost (e.g. a disk is
misplaced), stolen (e.g. the theft of a laptop computer), or inadvertently disclosed through
human error (e.g. information meant for person A is actually sent to person B, or a cell
size of less than five is used in a study). Examples of other types of breaches include
transfer of identifiable data from the UNIX system or retention of data past its
destruction date.

The most serious type of breach results in revealing health information of persons
contained in the CaNIOS databases. This situation is so serious that it could result in the
suspension of CaNIOS operation as outlined in the original CaNIOS research agreement.
Policies for the management of a serious breach include notification of the Ministry of
Health, the Privacy Commissioner of Ontario and the CaNIOS Board (see Appendix 8).

Glossary of Terms
Administrative Data/Database – Health administrative databases were originally
designed for tracking hospital discharge summaries, physician billing claims, claims for
prescription drugs and other health-related issues. These data are stored and used within
the secure UNIX environment.

Aggregated data – Summed and/or categorized anonymous data that have been analyzed and placed
in a format that precludes further analysis (for example, tables or graphs) to prevent
any chance of revealing an individual’s identity (individual records cannot be reconstructed).

Augmented data – Data that are enriched through linkage to other datasets or by the
addition of clinical data obtained from chart abstraction to administrative data.

BestCryptTM – Software that runs on most operating systems and is used for the purpose of
encrypting data as it is entered into a computer.

Cartridges – Removable media used for storing data which may be analyzed on a PC.

Chart abstraction – Data abstracted from medical records are collected to augment,
supplement, and validate administrative and registry research projects.

Clinical Registry Data/Database – By special research agreements, CaNIOS holds
clinical registry databases such as the Ontario Cardiac Care Network (CCN), which
collects information on patients waiting for heart procedures such as bypass surgery,
angiography and balloon angioplasty, and the Registry of the Canadian Stroke Network
(RCSN), a national database collecting information on patients suffering strokes.

Co-I – Co-Investigator on a research project

Consent – In this context, persons giving permission (usually written but can be verbal)
for the use of their health information for a study or clinical trial.

Data agreements – A formal legal contract between CaNIOS and a data owner
(example: a hospital-based clinical dataset or data collected by outside agencies). These
agreements are always required when data not collected by CaNIOS researchers or held
by CaNIOS are being brought in-house for analysis and/or linkage. These agreements are
drawn up by VP Corporate Affairs.

Data linkage – Using a unique number such as IKN, joining information on an
individual found in different databases to give a “picture” of the care continuum (see also
record linkage).

Encrypted data – Data that are scrambled either just prior to transmission or as they are being
entered into a database using special software (BestCryptTM). The purpose is
to protect the data.

GM3 Key – Allows entry through CaNIOS external doors after business hours (6pm-7am
Mon-Fri) and weekends.

GUIDs – Global unique identifier is a term used by Microsoft for a number that its
programming generates to create a unique identity for an entity such as a patient or a
patient event.

HIPAA – Health Insurance Portability and Accountability Act. American legislation
which took effect April 14, 2003 to protect personal health information: it protects patients’
medical records and information provided to health plans, doctors, hospitals and other
health care providers.

IKNs – CaNIOS Key Numbers. Unique numbers assigned to all valid health
cards in Ontario.

Knowledge Transfer – The exchange, synthesis and ethically sound application of
research findings among researchers and knowledge users. Within CaNIOS, this is the
role group that handles external relations and public affairs.

LAN- Local Area Network

Linking File – Specific to survey files where consent has been obtained to link the
survey to administrative data.

Marlock Key – Coded keys that allow or restrict access to different areas within
CaNIOS.

MATRIX Server – Server where clinical research data are housed.

Medical Record Number – The unique six- or seven-digit number assigned to a hospital
chart. Coupled with the hospital’s unique number, this provides a way of locating
persons with diseases or procedures of interest for research projects when chart abstraction
is planned as a way to collect clinical data on these subjects.

Moated Data or Server – Data held on a computer with no external connections, so it
cannot be hacked into from outside.

MOHLTC – Ontario Ministry of Health and Long-Term Care

P&B – Programming & Biostatistics. A CANIOS role group.

Passwords – At CaNIOS, there is a distinct preference for computer passwords that are
not dictionary words and that combine letters, numbers and symbols (e.g.,
bs89$bo).

Personal Health Information – Identifying information about an individual in oral or
recorded form, if the information relates to the physical or mental health of the
individual, including information that consists of the medical history of the
individual’s family; it also covers the provision of health care to the individual, including
the identification of a person as a provider of health care to the individual (Bill 31).

Personal Identifiers – Data that characterize persons such as full name, address
(including postal code), date of birth.

PHIPA – the Personal Health Information Protection Act, 2004; Ontario’s personal
health information privacy legislation.

PI – Principal Investigator (leading scientist or faculty person on the team)

PIA forms – Privacy impact assessment forms. There are two types of PIA forms: the
short (one-page) form is for use in projects using only administrative data; the long form
(five pages) is used for all other types of studies at CaNIOS.

PIA log – The log of all CaNIOS studies maintained by the Privacy Officer.

PIPEDA – Personal Information Protection Electronic Documents Act (Bill C-6).
Canadian federal privacy legislation.

Primary Data – Data collected to answer specific research questions. Such data may be
obtained from subjects by interviews, chart abstractions or reviews, questionnaires or
through observation and intervention studies by CaNIOS scientists.

Public File – usually survey data that is available to anyone to use.

RC – Research Coordinator. A CaNIOS role group.

REB – Research Ethics Board

Record Linkage – Using a unique number such as the IKN, joining information together on
an individual found in different databases to give a “picture” of the care continuum (see
also data linkage).

SASTM – statistical software used in the analyses of large datasets

STATATM – statistical software used in the analyses of large datasets

Study ID – the unique number assigned to each patient as they enter a research study

Survey data – data collected from surveying the public

Transfer PC – The computer used for mounting data cartridges of new data onto the
UNIX system.

Unique Study Number – the unique number assigned to each patient as they enter a
research study. Same as study ID.

UNIX – Moated server where administrative data are housed.

X-terminals – “Dummy” terminals that allow no activity other than running analyses on the
UNIX system. They cannot copy, save, store, remove or modify data.

Appendix 1: Confidentiality Agreement

                            Policy and Procedure Manual
Policy Section:       Security                                     Policy No.:
Policy Subject:       Confidentiality Agreement                    Date issued: 8 2004
Issued by:            Confidentiality Committee                    Date Revised:

POLICY:

Every person affiliated with CaNIOS for business purposes (employee, consultant,
visiting scientist, research collaborator, etc.) is required to sign a Confidentiality
Agreement upon affiliation and yearly thereafter. The confidentiality agreement outlines
CaNIOS expectations and requirements of the individual with respect to confidentiality
of all CaNIOS materials and related activities (see confidentiality agreement).

PROCEDURE:

All new employees receive a Confidentiality Agreement to sign with their contract.

   When individuals conduct research with CaNIOS, either directly or indirectly, or will
    have access to confidential information associated with the execution of the research
    project, it is the responsibility of the Director, Research and/or Faculty to notify
    Administration before the project begins. The Administrative office will then ensure
    that the individual is contacted and arrange a Privacy orientation with the Privacy
    Officer and request a confidentiality agreement be signed which will be placed in
    their personnel file.

   All CaNIOS staff and affiliates must annually sign a new confidentiality agreement.
    This will be done on July 1st of each year and/or at the Annual PI Meeting.

Appendix 2: Confidentiality & Security of Data

                             Policy and Procedure Manual
Policy Section:        Security                                      Policy No.:
Policy Subject:        Confidentiality & Security of Data            Date issued: 8 2004
Issued by:             Confidentiality Committee                     Date Revised:

POLICY:

Principles and procedures for confidentiality and security of data are to be strictly
enforced and adhered to in order to respect the privacy of users and providers of the
health care system, and to protect data/databases against loss, destruction or unauthorized
use. The CaNIOS Chair or designate is accountable for the Network’s compliance with
these principles and for ensuring that all research studies are conducted in accordance
with the current standards for ethical acceptability and that they adhere to the principles
of privacy, confidentiality and security.

PROCEDURE:

   CaNIOS administration will ensure that all personnel of CaNIOS, including students
    and associates (providers or researchers not formally affiliated with CaNIOS), receive
    an orientation to the principles of privacy, confidentiality and security.

   All personnel (full- and part-time employees, contract workers/consultants, temporary
    help, students and affiliates) of CaNIOS will sign a confidentiality agreement to
    ensure that they do not disclose confidential information to any other person, or
    entity. In doing so, each person acknowledges that the disclosure of confidential
    information is grounds for immediate dismissal.

   All research proposals should be in compliance with the requirements of the Project
    Development & Review Committee and the Ethics Review Board (see Ethics Policy).

   Confidential information includes data, results and drafts of products not yet released
    including files, print-outs, e-mail and e-mail attachments.

   All documents and portable media which contain personal identifiers must be stored
    in locked cabinets when not in use.

   At the start of a project, the PI/Role Group Manager will meet with team members to
    review precautions and safeguards with respect to confidentiality and security.


Research Agreements
A. Data from the individual CaNIOS centres

   The administrative data CaNIOS receives from the individual CaNIOS centres is
    covered by special research agreements. The agreements outline the handling of
    identified data records. Their use is restricted to specific individuals named in the
    agreements.

   Individual records cannot be given to investigators unless these exceptions are
    provided for by additional, specific, agreements.

B. Use of Secondary Data and Use by Providers and Researchers not Formally
Affiliated with CaNIOS

   A research agreement must be in place between CaNIOS and the originating
    organization that specifies the data to be governed by the agreement and the intended
    use of the data. Data retention/destruction dates should be defined.

   The research agreement must be approved by both CaNIOS and the originating
    organization.

   The research agreement with persons who own the data will stipulate how CaNIOS
    will handle the data and how the data will be used.

   CaNIOS must have written documentation from the data contributor that clearly
    indicates that all submitted data files and study materials may be held on site.

   The research agreement must be signed by both parties before the data starts flowing
    to CaNIOS.

   The data must come directly from the data source to the Health Information
    Coordinator or Director, P&B. The data must be password-protected and encrypted if
    possible. Notification of password should be done in a separate e-mail.

   There may be circumstances in which identifiers accompany the data. In such cases,
    it will be the responsibility of the designated data custodians (Health Information
    Coordinator and Director, P&B, with the assistance of the Manager, Systems) to
    anonymize the records upon receipt and before use by researchers.

   No data at the individual level of patient or physician can be removed from the UNIX
    system without prior written permission of the Chair or designate: the Health
    Information Coordinator and the Director, P&B, must be informed of these
    circumstances in advance.


Physical Security
The following provisions have been made to assure safe data handling and storage.

A: Corridor Control, Alarm Systems, and Security Cameras

   Electronically controlled key access divides the building into levels of security, each
    successive level being more secure and restricted to fewer employees (full- and part-
    time employees, contract workers/consultants, temporary help, students and
    affiliates). The same system provides a detailed record every time a coded Marlock
    key is used in a lock.

   Access to the room which contains the administrative data server (ie, UNIX room) is
    restricted to designated persons.

   The building has continuous video camera surveillance.

   Glass breakage detectors set off the alarm if outside windows are broken on the
    ground floor.

   Ground floor windows have frosted glass or privacy blinds to ensure visual privacy of
    data.

B: Protection of Data

   Written approval for access to data housed at CaNIOS (primary, secondary or
    administrative) must be obtained from the Chair or designate.

   Data tapes that contain identifiers are accessible only to designated persons (the
    Director, P&B or the Health Information Coordinator) as outlined in the MOHLTC-
    ICES research agreement.

   All data cartridges are delivered to CaNIOS by either MOHLTC persons or bonded
    couriers.

   Data tapes and cartridges are kept in fire-proof tape safes.



I. Primary Data Studies
Primary data are collected to answer specific questions. With consent, such data may be
obtained from subjects by interviews, chart abstractions or chart reviews, questionnaires
or through observation and intervention studies.

   Unique study numbers must be used for each study subject to prevent unauthorized
    identification of individuals.

   The master record that links study numbers to personal information/identifiers will be
    stored separately under lock and key (ie, a locked filing cabinet or a secure room).
    The PI or designate will control access to this area.

   Access to the study database will also be controlled. The PI or designate will be
    responsible for determining the level of access allowed for each staff member
    involved in the study.

   It will be the responsibility of the PI or designate to outline data security guidelines to
    team members and contract personnel and to ensure that they are adhered to and
    followed both on and off site.

   Details of ongoing projects should not be discussed with persons outside the CaNIOS
    research environment. All access to study participants’ records will be denied to
    persons outside the study team, unless the participant has provided written approval.

   Confidential documents that contain personal identifiers that need to be discarded
    must be shredded on site (see Appendix 5 for Shredding Policy).

   Clinical data records that have proper CaNIOS clearance but show information at an
    individual level must be kept on a password-protected cartridge that is only in use
    when the data are actually needed. At other times these cartridges must be stored in a
    locked cabinet.

   Study forms must not contain personal identifiers. They should have unique study ID
    numbers. These study ID numbers are cross-linked to personal identifiers (such as
    MRN or IKN) that ultimately enable linkage. These must be stored separately and
    securely from the data. All study forms will be designed to ensure that CaNIOS
    policies are implemented when data are stored temporarily off-site (ie, in laptops used
    in chart abstraction studies).

   The clinical data server must not contain identified data – only the unique study ID.

   Primary data must not be transported to the MATRIX server without prior approval
    from the Chair or designate.

   Transportation to the UNIX system may be approved for purposes of linkage to
    MOHLTC-ICES files. See section under Secondary/Health Administrative Data for
    policy guidelines.

   Study documents and data will be stored in a secure environment for a minimum of
    five years after the completion of a study, at which time paper documents should be
    shredded and data tapes will be destroyed on-site as per the data retention/data
    destruction agreed upon at the outset of the study. Data destruction certificates can be
    issued for the investigator.

Special procedures for primary data transmitted electronically have been developed:

Barriers are present in each step in the data transfer process ensuring a secure one-way
flow of information.
    o Data will be encrypted on the site laptop and password-protected before
       transmission to ensure only authorized access to data
    o Automated messages on the computer screen will remind the data collectors to
       transfer their data in a timely fashion or access to the laptop will be denied
       (abstractors are locked out after 7 days; this is to ensure that data collection
       remains current in case of theft of the laptop). Encryption software will be placed
       on laptops to ensure encryption of the data as it is entered, which renders the data
       useless if the laptop is stolen.
    o Personal identifiers (name, address, telephone number, health card number
       [HCN], medical record number [MRN]) are not included in data transmission.
    o Patients are identified only by an assigned unique study number. Any high-risk
       identifiers are placed in a separate file (eg, DOB, postal code, HCN) copied to
       disk (encrypted and password-protected) and couriered to CaNIOS. The file is
       stored and secured separately from the dataset at CaNIOS.
    o A disk or CD is created with the health card numbers of the persons of interest in
       the databases matched to a unique study number, and is sent encrypted and
       password-protected by courier.
    o Data should go directly to the Director, P&B or the Health Information
       Coordinator, who will then transfer the data to the UNIX system after it has been
       suitably encrypted. Data should not be sent to the Study Investigator, Research
       Coordinator or Analyst directly.

Data Analysis and Secure MATRIX Environment

   A secure “clinical studies” server (called the MATRIX) has been positioned for the
    retention and analysis of data from large clinical trials and registries. Its files must
    not be transported to the UNIX system for linkage by the researcher, but passed to
    designated persons (data custodians) who will carry through with the process.

   CaNIOS will only present aggregated data in its reports to prevent the indirect
    identification of individuals. Information in the cells should be suppressed according
    to CaNIOS research agreement rules that disallow cell size less than (<) 5.
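The cell-size rule in the last bullet (repeated in the UNIX section below), as an added example that is not CaNIOS code: primary suppression of every non-zero cell below 5, plus complementary suppression of a second cell when a published row total would otherwise let a reader recover the hidden one by subtraction, which goes beyond what the handbook states. The table of counts is constructed.

```python
"""Added example (not CaNIOS code): suppress small cells in an aggregated
table before release. Cells with a count below 5 are hidden, as the CaNIOS
research agreement rule requires; complementary suppression is an added
safeguard not stated in the handbook.
"""
from typing import Dict, Union

MIN_CELL = 5
SUPPRESSED = "<5"

# Constructed sample: patient counts by region (FSA) and outcome, fictitious
SAMPLE_TABLE: Dict[str, Dict[str, int]] = {
    "M5G": {"remission": 42, "flare": 3, "deceased": 0},
    "K1A": {"remission": 17, "flare": 12, "deceased": 4},
    "V6B": {"remission": 9, "flare": 6, "deceased": 7},
}


def needs_suppression(count: int) -> bool:
    """A non-zero count below the threshold describes too few people to show."""
    return 0 < count < MIN_CELL


def suppress_row(row: Dict[str, int], with_total: bool) -> Dict[str, Union[int, str]]:
    """Return a releasable copy of one row of counts.

    Primary suppression hides every cell below MIN_CELL. If a row total is
    published and exactly one cell was hidden, that cell equals the total
    minus the visible cells, so the smallest remaining non-zero cell is
    hidden as well (complementary suppression). Column totals are not
    published by this function; releasing them would need the same check
    column-wise.
    """
    hidden = [name for name, count in row.items() if needs_suppression(count)]
    if with_total and len(hidden) == 1:
        candidates = sorted((count, name) for name, count in row.items()
                            if name not in hidden and count > 0)
        if candidates:
            hidden.append(candidates[0][1])
    out: Dict[str, Union[int, str]] = {
        name: (SUPPRESSED if name in hidden else count) for name, count in row.items()
    }
    if with_total:
        out["total"] = sum(row.values())   # total is computed from the true counts
    return out


def suppress_table(table: Dict[str, Dict[str, int]],
                   with_total: bool = True) -> Dict[str, Dict[str, Union[int, str]]]:
    """Apply suppress_row to every row of a region-by-outcome table."""
    return {region: suppress_row(row, with_total) for region, row in table.items()}


if __name__ == "__main__":
    for region, row in suppress_table(SAMPLE_TABLE).items():
        print(region, row)
```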


II. Secondary/Health Administrative Data
Secondary use of data refers to the use of data contained in records originally collected
for other purposes. This can include health administrative data or data collected in the
context of registries or surveys, for example. Health administrative databases were
originally designed for tracking hospital discharge summaries, physician billing claims,
claims for prescription drugs and other health-related issues. These data are stored and
used within the secure UNIX environment.

Encryption and Linkage

   Most data sets arrive containing identifiers that are accessible only to designated
    persons as outlined in the MOHLTC-ICES research agreement.

   These identifiers are encrypted before the data files are released for general research
    use. Individuals designated in the MOHLTC-ICES agreement (data custodians) can
    use a compiled, machine-coded, module to carry out data encryption on incoming
    MOHLTC data.

   Users work only with encrypted MOHLTC data to carry out their analyses.

   Any attempt to decrypt encoded fields is a breach of confidentiality and grounds for
    dismissal.

   External data files, approved under policies of primary and secondary data collection,
    may need to be linked to MOHLTC-ICES files. The file must not be transported to
    the UNIX system by the researcher, but passed to the data custodians who will carry
    through with the process.

   The designated person (data custodian) will transfer the data set to the UNIX system,
    encrypt any identifiers and/or link the records to any restricted access data files. The
    data will then be passed on to the researcher with any unencrypted identifiers deleted.
    The data custodian will delete the original file from the UNIX system.

   The researcher may then link the data to other secondary data on the CaNIOS-
    encrypted identifiers in the UNIX environment but is constrained by the guidelines
    outlined in section C, and can only remove data from the UNIX system with
    permission from the Chair or designate.

Data analysis and Secure UNIX Environment

   The UNIX server is located in a secure area and is not networked to the LAN. The
    UNIX terminals are hard-wired to the UNIX server.

   The UNIX system administrative password is restricted to one person only.

   Administrative and secondary data must be stored and analyzed in the UNIX
    environment. Aggregated analysis results and intermediary results can be exported
    from the UNIX server if they no longer contain data at the individual level of
    physicians or patients. Further analysis of such aggregated results can be carried out
    only on a CaNIOS PC.

   CaNIOS will only present aggregated data in its reports to prevent the indirect
    identification of individuals. Information in the cells should be suppressed according
    to CaNIOS research agreement rules that disallow cell size less than (<) 5.

   Data at the individual level may not be released to persons outside CaNIOS unless
    prior explicit approval has been given by the MOHLTC. Exceptions must be covered
    by written approval that clearly states what data are being released. Queries should
    be submitted to the Chair or designate.

   Researchers must not attempt to reconnect MOHLTC data to any individually
    identified patients or providers by the use of incidental identifiers or conditions that
    lie outside the identifiers normally encrypted in the MOHLTC data files. This is
    considered a breach of confidentiality and grounds for dismissal.

   Researchers must not attempt to identify individuals based on other identifiers (e.g.,
    date of birth, sex, residence) and/or any prior knowledge. This is considered a breach
    of confidentiality and grounds for dismissal.

   Aggregate analysis results and intermediary results can be exported from the UNIX
    system if they no longer contain information at the individual level of physician or
    patient. These results must be transported to a CaNIOS PC where further analysis or
    report generation may be carried out.

   All dummy (X) terminals, printers, and the “Transfer PC” are connected to the UNIX
    environment using a “Smart” switch that prevents unauthorized connections.

   The “transfer PC” is configured to log all data transfers.

Appendix 3: Ethics Review Process for CaNIOS Research Projects

                            Policy and Procedure Manual
Policy Section:       Privacy                                       Policy No.:
Policy Subject:       Ethics Review Process for                     Date issued: 8 2004
                      CaNIOS Research Projects
Issued by:            Confidentiality Committee                     Date Revised:

POLICY:

All research projects conducted at CaNIOS require ethics approval. Ethics approval for
use of the administrative data is handled somewhat differently than for other data. Semi-
annual reports on the use of the administrative data are drafted and sent to the Research
Ethics Board (REB) by the Chair and the Privacy Officer, using the submitted abbreviated
Privacy Impact Assessment (PIA) forms as background, to ensure that the REB is abreast
of work that has been done. Based on submission of our tracking/logging of projects and
regular reporting to the REB, for publication purposes all studies using these
administrative data may be considered to have REB approval and may include that
statement as required by the peer-reviewed journals.

Research projects that involve the use of primary data, the release of data in an
aggregated form, or the transfer of data with unique identifiers to, and/or from CaNIOS,
must be submitted for review and approval. This is normally done through the UHN
REB but approvals from the other REBs are acceptable.

PROCEDURE:

• Protocols to be submitted to a REB must first be reviewed and approved by the
  CaNIOS Chair or designate.

• Researchers will comply with the Tri-Council Policy Statement: Ethical Conduct for
  Research Involving Humans (1998).

• Issues/questions related to ethics review or confidentiality agreements should be
  referred to the CaNIOS Chair or designate.

• Protocols for submission to the UHN REB can be found in the Guidebook for
  Submission of Protocols to the REB. A copy of this is available on the intranet.

• Research projects that are solely secondary data analyses are governed by formal
  confidentiality agreements (e.g. MOHLTC and Cancer Care Ontario) and the policies
  and procedures of CaNIOS.

• The transfer of secondary data to CaNIOS from other institutions must be approved
  by the originating (host) institution’s approval review process. The protocol must
  clearly specify: the information to be transferred to CaNIOS; how long it is to be
  held; the individuals who are authorized to use the confidential data; and whether the
  original information is to be returned/transferred back to the host institution under
  any circumstances.

• Researchers must adhere to the protocol once it has been approved by a REB. Changes
  to the protocol must be submitted for approval to the REB that originally approved
  the study.




1.   The three research councils have issued a new research ethics guideline which can be reviewed at:
     http://www.mrc.gc.ca/publications/publications.html (accessed Aug 22, 2004)

     Updated link (the research ethics guideline is listed halfway down the page; this document also contains the CIHR
     position on the Privacy Act):
     http://www.cirh-irsc.gc.ca/services/funding/grants_awards_guide/cureent/general/ggcamp_e.shtml

     This document cites the following as the link to the Tri-Council Policy Statement: Ethical Conduct for
     Research Involving Humans (1998): www.nserc.ca/programs/ethics/english/policy.htm






Appendix 4: Shredding Policy

                            Policy and Procedure Manual
Policy Section:       Privacy                                       Policy No.:
Policy Subject:       Shredding Policy                              Date issued: 8 2004
Issued by:            Confidentiality Committee                     Date Revised:

POLICY:

All confidential information, such as computer printouts and any printed information
containing personal identifiers, must be destroyed by shredding, using one of the two
methods available at CaNIOS.

PROCEDURE:

   1.      Shredding machines:
            Small shredding machines are located on each floor.

   2.      Confidential On-site Shredding by a Third Party:
            CaNIOS has an arrangement with a bonded organization that provides
            special “Confidential” collection bins and performs on-site shredding of the
            material placed into these special bins.

            Large, locked, wheeled blue bins marked “Confidential” are located
            throughout the Marlock Key protected areas. Material to be destroyed on-site
            by the third party shredding company must be put into these bins. It is not
            necessary to remove staples or clips; however, no binders, hanging folders or
            hardcover books are to be disposed of in these special collection bins.


            Once a month the bins are collected and the contents shredded on site in a
           mobile shredder unit. A CaNIOS staff member is present each time the bins
           are collected and the contents destroyed. The third party shredding company
           upon completion of each on-site shred provides a certificate confirming that
           the destruction process was carried out in a confidential manner.

Please note that there are a number of smaller blue barrels marked “Not Confidential”
located throughout CaNIOS. These barrels are the property of UHN. The contents of
these barrels are collected by UHN staff from time to time and removed from CaNIOS
premises. NO MATERIAL THAT IS REQUIRED TO BE SHREDDED ON-SITE IN A
CONFIDENTIAL MANNER SHOULD BE PLACED INTO THESE BINS.






Appendix 5: Password Policy

                            Policy and Procedure Manual
Policy Section:       Security                        Policy No.:
Policy Subject:       Password Policy                 Date issued: 8 2004
Issued by:                                            Date Revised:

POLICY:

This policy outlines the handling, responsibilities, and scope of passwords for the
Information Technology (IT) resources of CaNIOS. This policy acts as an extension of
the CaNIOS IT security policy. This policy applies to LAN-connected PCs, stand-alone
PCs, and laptops.

The CaNIOS password dilemma:
Passwords are the entry point to our IT resources. Protecting access to our resources is
pivotal in ensuring that our systems remain secure. We must be diligent in guarding
access to our resources and protecting them from threats both inside and outside our
organization.

Password handling:
Passwords for all systems are subject to the following rules:
• No passwords are to be written, e-mailed, hinted at, shared, or in any way known
  to anyone other than the user involved. This includes supervisors and personal
  assistants.
• No passwords are to be shared in order to “cover” for someone out of the office.
  Contact Systems, and we will gladly provide access to the resources you require
  (e.g., calendars or shared folders).
• Passwords cannot be your name, address, date of birth, username, nickname,
  license plate, or any term that could easily be guessed by someone who is familiar
  with you.
• Passwords are not to be displayed or concealed in your workspace.

Note: On occasion Systems may require your password. Once the work requiring the user’s
password has been completed, the user should change their password.

Systems involved:
The CaNIOS password policy will address the passwords for the following IT systems
with their rules:
• Network, client operating system, and Outlook: Every 83 days, users will be
  warned that they have 7 more days to change their password. (Passwords will be
  changed every 90 days.)
• BIOS passwords: On all CaNIOS laptops. We recommend changing this
  password every 45 days.

• Screen savers: Password-protected screen savers are activated after 15 minutes
  of non-use. The control panel function to disable this feature will be removed
  from user control.

Password composition:
The following systems have systemically enforced password requirements as stated:
• Network and client operating system (and Outlook):
  Passwords must meet the following criteria:
  • Password is at least six (6) characters long.
  • Passwords must include at least one of the following:
    • Capital letter
    • Number
    • Non-alphanumeric character
  An example of a strong password is:
  Use a sentence like: I love working at Sunnybrook #1
  Your password would then be ilwaS1#

Support:
Users are to contact the IT staff for support with the password policy. IT welcomes your
questions and suggestions and strives to keep our resources secure.

System Administrator passwords:
Administrative passwords are subject to stringent composition, frequent change, and
limited access. This includes passwords for routers, switches, WAN links, firewalls,
servers, Internet connections, administrative-level network operating system accounts,
and any other IT resource.
Passwords for administrative resources must meet the following criteria:
• Password is at least 7 characters long.
• Passwords must include at least one of the following:
  • Capital letter
  • Number
  • Non-alphanumeric character
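As an added example (not CaNIOS code), the following checker enforces the composition rules above for both user and administrative accounts and classifies a password by the 83/90-day change cycle. It assumes the user attributes a password may not be built from (name, username, date of birth, nickname, licence plate) are supplied as a dict with the key names chosen here, and reads “at least one of the following” literally as at least one character from any of the three classes.

```python
"""Password-policy checker for the composition and ageing rules stated above.

Added example, not CaNIOS code. Assumptions: the user attributes that a
password may not be built from are passed in as a dict (key names chosen
here); "at least one of the following" is read as at least one character
from any of the three classes. The numeric thresholds are the page's own.
"""
import re
from datetime import date
from typing import Optional

USER_MIN_LEN = 6       # network / client OS / Outlook accounts
ADMIN_MIN_LEN = 7      # routers, switches, firewalls, servers, admin accounts
WARN_AFTER_DAYS = 83   # user is warned that 7 days remain
MAX_AGE_DAYS = 90      # password must have been changed by now

# Attribute keys (assumed names) whose values must not appear in a password.
TEXT_ATTRIBUTES = ("name", "username", "nickname", "address", "license_plate")


def guessable_terms(attrs: dict) -> list:
    """Expand a user's known attributes into lower-case terms to screen for.

    Multi-word values (a full name, an address) are also split so that a
    surname alone is caught; a date of birth is expanded into the digit
    forms people commonly type (YYYYMMDD, DDMMYYYY, MMDDYYYY, YYYY).
    """
    terms = []
    for key in TEXT_ATTRIBUTES:
        value = attrs.get(key)
        if value:
            terms.append(value.lower())
            terms.extend(w.lower() for w in re.split(r"\W+", value) if len(w) >= 3)
    dob = attrs.get("date_of_birth")
    if dob:
        for fmt in ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%Y"):
            terms.append(dob.strftime(fmt))
    return terms


def check_password(password: str, attrs: Optional[dict] = None,
                   admin: bool = False) -> list:
    """Return the list of rule violations; an empty list means accepted."""
    attrs = attrs or {}
    problems = []
    min_len = ADMIN_MIN_LEN if admin else USER_MIN_LEN
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if not (has_upper or has_digit or has_symbol):
        problems.append("needs a capital letter, a number or a non-alphanumeric character")
    lowered = password.lower()
    for term in guessable_terms(attrs):
        # a password built on a known attribute is easily guessed by someone familiar with the user
        if term and term in lowered:
            problems.append(f"contains easily guessed term {term!r}")
            break
    return problems


def password_age_state(last_changed: date, today: date) -> str:
    """Classify a password by age: 'ok', 'warn' (7-day notice) or 'expired'."""
    age_days = (today - last_changed).days
    if age_days >= MAX_AGE_DAYS:
        return "expired"
    if age_days >= WARN_AFTER_DAYS:
        return "warn"
    return "ok"


if __name__ == "__main__":
    # Constructed sample user; the page's own example password "ilwaS1#" passes.
    user = {"name": "Jane Smith", "username": "jsmith",
            "date_of_birth": date(1975, 3, 14)}
    for candidate in ("ilwaS1#", "jsmith1", "Smith1975!", "abcdefg"):
        print(candidate, check_password(candidate, user) or "accepted")
    print(password_age_state(date(2004, 1, 1), date(2004, 3, 24)))
```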

Responsibilities:
IT has the responsibility to enforce this policy. This will be done through systematic
means and interaction with users. CaNIOS users are responsible for complying with this
policy.






Appendix 5: Data Destruction Policy

                             Policy and Procedure Manual
Policy Section:        Privacy                                       Policy No.:
Policy Subject:        Data Destruction Policy                       Date issued: 8 2004
Issued by:             Confidentiality Committee                     Date Revised:

POLICY:

Personal health information shall be retained only as long as necessary for the fulfillment
of purposes for which it was collected, compiled or extracted. It is the responsibility of
the principal investigator to specify a destruction date for all data brought into a project
as part of the privacy impact assessment and to ensure that the destruction is carried out
by that date. Destruction of data means that there will no longer exist any copy of the
data either in its original form or any derived form in paper, electronic, or any other
storage medium including back-up tapes or CDs. The only exception will be aggregated
forms of the data in published manuscripts and reports. Computer programs that were
designed to manipulate the data may be stored indefinitely provided that no vestiges of
the data remain within the programs. The new CaNIOS project management system will
be designed to track all data sets that come into CaNIOS and for individual projects it
will capture types of data used and monitor data destruction.

Procedure:
The primary challenge in the destruction of data is to track all derived forms of the data.
Any use of data at CaNIOS must be for an approved project and logged in the PIA log.
The destruction of data at CaNIOS will occur at two levels, the source level and the
project level. The source level data are brought to CaNIOS through either open-ended or
closed-ended agreements.

1. Open-Ended Data Agreements

Open-ended agreements are agreements whereby data are brought to CaNIOS on a
regular on-going basis. There may not be a specific data destruction date as part of the
agreement but the individual agreements will contain clauses on how the agreement may
be brought to a close and what would constitute data destruction compliance. According
to CaNIOS policy, these data only reside on the disks of the UNIX system and on back-
up tapes that are stored in secure on-site safes.

1a. Third Party Data Agreements: This includes any data brought to CaNIOS on an
ongoing basis by agreement with organizations other than CaNIOS centres, such as
Cancer Care Ontario.

2. Closed-Ended Data Agreements

Closed-ended agreements are agreements whereby data are brought to CaNIOS over a
finite period of time with a data destruction date specified as part of the agreement.



2a. Third Party Data Agreements: This includes all data that have been collected by a
third party and come to CaNIOS as the result of an agreement with that party. The
formal legal agreement between CaNIOS and the outside party will include a data
destruction date. This date of destruction will also be the de facto date of destruction on
the privacy impact assessment form of any project that makes use of the data in the
agreement and will be recorded in the project management system. All third party data
agreements are formalized through the office of the VP, Corporate Services who will
forward copies of agreements to the Health Data Coordinator who will enter and monitor
the information in the project management system. The Health Data Coordinator will
generate reports every 3 months to flag any destruction dates that are pending within the
next 6 months. The principal investigators of any projects that make use of the data will
be notified of the pending destruction date. The principal investigator named in the data
agreement will be asked to sign a document attesting to the destruction of the data once
that has occurred. Any data file that contains any part of the data specified in the
agreement will be destroyed before the destruction date. The manager of computer
systems and/or the director of programming and biostatistics may be called upon to
ensure or verify that the data have been removed from the CaNIOS systems.

2b. Primary Collected Data: This category includes data obtained from subjects by
interviews, chart abstractions or chart reviews, questionnaires or through observation and
intervention studies. These data are collected within specific approved projects and the
data destruction date will be specified in the privacy impact assessment form and
recorded in the CaNIOS project management system.

Project-level Data Sets
Project level data sets can include any data extracted from the CaNIOS administrative
data holdings (open-ended agreements) or it can be data brought to CaNIOS under
closed-ended agreements or any data sets derived from such data. The use of any data
within a project requires approval through the privacy impact assessment form and the
date of destruction for these data sets must be indicated on the form and entered into the
CaNIOS project management system. By default, the destruction date will be 4 years
from the date of submission of the PIA form. An earlier destruction date may be
specified but justification must be given on the form if a later destruction date is required.
Any data sets that are derived from data brought to CaNIOS through closed-ended
agreements must be destroyed by the destruction date specified in the agreement or
within 4 years, whichever is shorter. A later destruction date than 4 years out may be
justified on the PIA form but it cannot be later than the destruction date of the agreement.

The Health Data Coordinator will generate reports from the project database every 3
months to determine which projects have a data destruction date pending in the next
quarter and will send notification to the principal investigator. The PI will sign a document
attesting to the destruction of the data once that has occurred and will file the document
with the director of research projects who will note the signing in the project management
system. The Health Data Coordinator will also send copies of the notifications to the
Privacy Officer, Director, P&B, Director, Research Projects and Manager, Systems who
will assist with and/or verify data destruction. At the same time, the Health Data
Coordinator will generate a report to determine if any data destruction date has passed
without the PI signing off on destruction. This report will go to the Privacy Officer,
Director, P&B, Director, Research Projects and Manager, Systems who will follow up
with the PI and destroy all data within one week of the report.

The programming code written for the project does not need to be destroyed at the time
of data destruction and should be archived at that time.

Data Backups
Destruction of data must include the destruction of any back up tapes or CDs that have
been made of the data. It is the responsibility of project research personnel to notify the
systems department of any backup tapes associated with the project that need to be
destroyed. Systems will destroy all appropriate tapes with a magnetizing device. A
yearly report will be generated from the project management system that lists all projects
(by number) that have reached the data destruction date, and Systems will compare that to
any backup tapes that they have on file so as to verify that all required tapes have been
destroyed.

Any data stored on the UNIX system must not be stored in a location where it will be
copied to tape as part of a routine backup. This includes any directory branching from a
/bkup directory.






Appendix 6: CaNIOS Information Breach Policy

                             Policy and Procedure Manual
Policy Section:        Privacy                                       Policy No.:
Policy Subject:        Information Breach Policy                     Date issued: 8 2004
Issued by:             Confidentiality Committee                     Date Revised:

What is an Information Breach?

An information breach occurs when personal health information is collected, retained,
used or disclosed in ways that are not in accordance with the CaNIOS Confidentiality &
Security of Data Policy in the Privacy Handbook. The most common breach of information
is the unauthorized disclosure of personal health information; for example, personal
health information may be lost (e.g. a disk is misplaced), stolen (e.g. the theft of a
laptop computer), or inadvertently disclosed through human error (e.g. information meant
for person A is actually sent to person B, or a cell size less than five is used in a
study). Examples of other types of breaches include transfer of identifiable data from
the UNIX system or maintenance of data past the destruction date.

Policy

The purpose of this policy is to guide CaNIOS faculty and staff on how to proceed in the
event of an information breach, and to demonstrate to stakeholders that a systematic
procedure is in place to respond to and deal with an information breach. The document
includes information on notification, documentation and containment of an information
breach.

Definitions

Several terms require definition before proceeding to the procedures to follow in the
event of an information breach at CaNIOS.

Personal Health Information Protection Act Bill 31
A “made-in-Ontario” health information act in response to the federal Personal
Information Protection and Electronic Documents Act (PIPEDA). The bill was passed
May 20, 2004 and received Royal Assent on May 21, 2004. Full force of the law comes
into effect on November 1, 2004. See
http://www/ontla.on.ca/dpcumetns/Bills/38_Parliment/Session1/b031ra_e.htm

Disclosure
From Bill 31, “disclose”, in relation to personal health information in the custody or under
the control of a health information custodian or person, means to make the information
available or to release it to another health information custodian or to another person, but
does not include to use the information, and “disclosure” has a corresponding meaning
(“divulguer”, “divulgation”).





External Breach of Health Information (or “external breach”)
This term describes the situation where an information breach occurs outside of the
confines of CaNIOS, in the public domain.

Internal Breach of Health Information (“internal breach”)
This term describes the situation where a breach of health information is discovered
within the confines of CaNIOS and has not been released to the public. For example, an
individual attempts to remove data from the UNIX system to work outside of CaNIOS in a
manner that is NOT in accordance with the data agreement. The notification process for an
internal breach is described below. A breach form does not need to be completed for this
type of breach.

Information Breach
General term to describe when personal health information is collected, used and/or
disclosed in a manner that is not in accordance with current privacy legislation (PIPEDA,
Bill 31).

Personal Health Information
According to Bill 31, “Personal Health Information”, means identifying information
about an individual in oral or recorded form, if the information
   a) relates to the physical or mental health of the individual, including information that
      consists of the medical history of the individual’s family;
   b) relates to the providing of health care of the individual, including the identification
      of a person as a provider of health care to the individual;
   c) is a plan of service within the meaning of the Long-Term Care Act, 1994 for the
      individual;
   d) relates to payments or eligibility for health care in respect of the individual;
   e) relates to the donation by the individual of any body part or bodily substance of the
      individual or is derived from the testing or examination of any such body part or
      bodily substance;
   f) is the individual’s health number, or
   g) identifies an individual’s substitute decision-maker.

PIPEDA
Personal Information Protection and Electronic Documents Act (Bill C-6). Canadian federal
privacy legislation that applies to all organizations that collect, use or disclose personal
information (including personal health information) in the course of commercial activities,
unless provinces have legislation deemed federally to be substantially similar to PIPEDA.
See www.privcom.gc.ca or http://www.privcome.gc.ca/legislation/02_06_01_e.asp

Use
According to Bill 31, “use”, in relation to personal health information in the custody or
under the control of a health information custodian or a person, means to handle or deal
with the information, subject to subsection 6(1), but does not include to disclose the
information, and “use”, as a noun, has a corresponding meaning (“utiliser”,
“utilisation”).




Procedure
General Steps
The general order of events that occur upon discovery of an information breach is shown in
Flowchart 1. The general steps involved in the notification process following a breach are
outlined in Flowcharts 2 and 3. The steps described below are meant to be a general
guide, as it is acknowledged that there will be different steps to be followed according to
the type of data involved in the breach. Where required, individual projects will have
their own breach plan.

Discovery of Breach
The person who discovers the breach is responsible for the following:
• Starting the process of containment (in order to avoid further information breach)
• Notifying his/her supervisor and the CaNIOS Privacy Officer (or designate).

Special notes:
• For the purposes of this document, containment procedures are described before
  notification procedures. However, in practice, containment and notification should
  occur, where possible, simultaneously.
• Once the appropriate individuals are notified (described below), the “discoverer” of
  the breach is relieved of the responsibility of notification, but must remain available
  for consultation during the documentation, investigation and action phases.

Containment
The process of containment is to be initiated by the discoverer of the breach in order to
prevent further release of information. The containment process is as follows:
• Determine what, if any, information has been disclosed.
• Retrieve as much of the breached information as possible (ideally all breached
  information).
• Ensure no copies of the personal health information have been made or retained by
  the individual who was not authorized to retrieve or receive the information.
• Ensure that additional breaches cannot occur through the same means.
• Determine whether the privacy breach would allow unauthorized access to any other
  personal health information (e.g. an electronic information system) and take whatever
  necessary steps are appropriate (e.g. change passwords, identification numbers and/or
  temporarily shut down a system).

Special note:
• Containment should occur simultaneously with the notification step. Thus it is not
  necessary that all steps be completed before the notification step.

Notification
The individual who discovers the information breach is responsible for:
• Notifying his/her immediate supervisor,
• Notifying the CaNIOS Privacy Officer or designate
• At this point, the discoverer of the breach is not responsible for any further
  notification.

Special Note:
Refer to Appendix A for quick reference regarding notification procedure. This page can
be posted at each person’s desk and filled in appropriately.

The CaNIOS Privacy Officer (or designate) then:
• Brings the issue to the members of the core Breach Team, which is comprised of the
  CaNIOS Privacy Officer, the VP Corporate Services and the Chief Executive Officer.

The CaNIOS Core Breach Team:
• Decides if documentation is required
• If documentation is required, it is initiated and completed by the Privacy Officer
• Determines the extent of the breach (i.e. whether it is an internal or external breach)
• Decides further process for notification (if any)
• Is responsible for notifying the appropriate individuals
• Decides at which point the CaNIOS Executive Committee (which includes the CEO,
  VP, the Director of Research and the Director of Policy and External Relations) is
  notified of the breach.

Once the core Breach Team has determined the extent of the breach, the CaNIOS Privacy
Officer will bring the issue forward to the CaNIOS Confidentiality Committee, where
members will be briefed on the situation and instructed on how to proceed.

Documentation (Appendix B)
• Documentation of the breach is important for management of the incident and
  prevention of additional breaches
• The decision regarding documentation of a breach is at the discretion of the CaNIOS
  Privacy Officer and the CaNIOS Core Breach Team
• The Privacy Officer (or designate) is responsible for the documentation of the breach
  and will fill out the breach form
• The Privacy Officer (or designate) will consult the discoverer of the breach to gain
  details of the event.

Special Note:
It is important to note that should the breach require documentation, this is not done with
the intent of punishment, but rather as a tool for collecting all appropriate information to
aid in the investigation of the event.

Internal Breach
In the event that the information breach is deemed “internal”, the CaNIOS
Confidentiality Committee will come up with recommendations on actions and report
back to the core Breach Team, who will then decide final action.

External Breach
In the event that the information breach is deemed “external”, the following occurs:
• The CaNIOS Board of Directors is notified
• The Ontario Ministry of Health and Long-Term Care (MOHLTC) is notified
• The CaNIOS Confidentiality Committee is notified of the situation and instructed on
  how to provide support
• CaNIOS legal counsel is notified and advises on further action
• The Information and Privacy Commissioner (IPC) of Ontario is notified of the breach
• In the situation that the breach occurred with grant-funded research, the VP of
  Research at UHN is notified
• If required, the data custodian (i.e. the group that provides the data to CaNIOS or
  the investigator within CaNIOS) is notified.

Investigating the Information Breach
The Record of Breach started upon discovery of the breach will be an invaluable tool in
the investigation phase of the health information privacy breach. The extent of the
investigation is dependent on the type of information breach:
• In the case of an internal breach, the CaNIOS Privacy Officer and members of the
  Confidentiality Committee will investigate the breach, and provide recommendations
  to the core Breach Team.
• In the case of an external information breach, if warranted, CaNIOS, working with
  the IPC, will conduct an investigation of the privacy breach.

The objectives of all breach investigations are the following:
• Interview individuals involved with the privacy breach or individuals who can
  provide information about a process and confirm details on the Record of Privacy
  Breach.
• Ensure any issues surrounding containment and notification have been addressed by
  CaNIOS
• Discuss the complaint with the parties and obtain any relevant evidence (if required)
• Create documentation of the breach and the response to it

Action
According to the extent of the information breach and the impact of the breach, several
actions may be taken:
• In the case of an internal breach, the Confidentiality Committee recommends action
  for the core Breach Team to implement.
• In the case of an external breach, changes to CaNIOS policies and procedures must be
  made in order to avoid another breach of a similar nature.
• An education campaign within CaNIOS will be carried out by the Confidentiality
  Committee in order to educate CaNIOS employees on how to avoid similar breaches.
• A review of the CaNIOS information breach policy will also be done in order to
  improve the response to a breach and ensure that a clear, concise protocol is in place.
• Finally, should it be so determined, the person(s) responsible for the breach will be
  terminated according to the terms in the CaNIOS Confidentiality Agreement.




RECORD OF BREACH
                                           Form completed by:______________________
                                           Date of Completion:______________________

INFORMATION ON DISCOVERY

DATE OF DISCOVERY:           _______________

TIME OF DISCOVERY:           _______________

NAME OF INDIVIDUAL WHO
DISCOVERED THE BREACH:                 _________________________________

ROLE/JOB TITLE:                        _________________________________

PROJECT TITLE:                         _________________________________________

DETAILED DESCRIPTION OF BREACH: (Include information on when the breach
is believed to have occurred, the type of breach that occurred and the type of data that
was breached. Use an additional page if necessary)
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

NOTIFICATION:
CaNIOS NOTIFICATION:

Individual                             Notified by:            Date         Time
Privacy Officer
CEO
VP Corporate Affairs
Confidentiality Committee
CaNIOS Executive Committee



Type of Breach:
Internal:

External:
External Notification (if required):

                                       Notified by:            Date         Time
Information and Privacy
Commissioner of Ontario



Ministry of Health
Board of Directors
CaNIOS legal counsel
UHN VP research
Other Hospital
_______________________
Police
Other Agency
_______________________

CONTAINMENT:
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________




Other Project Information:
Principal Investigator: ________________________________

Other CaNIOS staff on project:
________________________________________________________________________
________________________________________________________________________






Flowchart 1



