Improving Care

Reducing morbidity and mortality and enhancing quality of life

Informing Policy

Transforming health care at the local, national and international levels

Featured Projects

With more than 80 scientists, research at Advancing Health encompasses a wide breadth of areas


The Evidence Speaks

A recurring feature highlighting the latest in Advancing Health research

Our People

In the News

Research Resources

From design to execution, Advancing Health provides a broad range of support services

Work in Progress Seminar Series

Our People

Top ten tips for keeping your data private and protected

Posted on


Today is Data Privacy Day, an international initiative to promote privacy and data protection best practices among businesses and organizations. It is also an opportunity to inform people of their privacy rights and the impact technology may have on them.

In the conduct of clinical trials, investigators and clinical trial sponsors are responsible for ensuring the rights, integrity, and confidentiality of participants are protected. This encompasses aspects from recruitment and informed consent, through to the conclusion of research activities and the retention and destruction of data. Here are ten reminders and tips for investigators because, while the duties of a study may be delegated, responsibility may not.

  1. Understand your institution’s privacy requirements and information security policies. If you are the lead investigator, you must also understand these policies at affiliated institutions. Keep in mind that privacy regulations vary by province.
  2. Make privacy and information security a line item in your grants and protocols. Designate a member of the study team with a privacy role and allocate time and resources to this task.
  3. Physical, organizational, and technological measures should be implemented. This is to safeguard the personal data of trial participants. For example, ensure adequate support of infrastructure needed to implement best practices, including appropriate space for the confidential conduct of research activities and secure storage for source documents; apply a policy of segregation of duties for data collection, supported by a role-based access model for electronic data capture platforms.
  4. Only collect data you need. Ask yourself, is this data point required to fulfill the research objectives?
    1. Participants’ initials should not be collected on data collection forms or in a clinical trial database. Random letter-code generators or sequential letter-codes (e.g. AAA, AAB, AAC …) are good alternatives.
    2. Collect full birthdate only when necessary. A full birthdate in a pediatric trial may meet an REB’s approval, for example. Otherwise, collect the participant’s age at screening or, better still, use ranges (e.g. participant is 21-25, 26-30, 31-35, etc.).
    3. Anticipate and explicitly document likely future uses or collaborations, defining scope and purpose. If a data point is not in the protocol, it should not be in the clinical trial database!
      Did you know that the first three characters of a postal code represent a Forward Sortation Area averaging about 8,000 households?
  5. Understand that identifiable data is a continuum, from direct identifiers such as name, address, and birthdate to indirect identifiers such as geographic location, named facilities, or dates and characteristics (e.g. rare health conditions) on a medical history form.
  6. De-identify data as soon as possible, segregating personal information from clinical trial data. Encrypt electronic files that link clinical trial data to personal information.
  7. Limit the devices you use to access data containing personal or identifiable information, and encrypt all devices used to store, access or transfer such data. Cloud-based platforms (e.g. Gmail, SurveyMonkey) may store data on servers in the US and be subject to US laws.
  8. Participant consent is a dynamic process. This is especially true for qualitative research where, for example, open-ended interview techniques are used; the personal data collected may not always be anticipated at the outset of the interview. Ongoing discussions of consent with research participants is the best way to protect the privacy of individuals and communities.
  9. Understand your responsibilities in reporting data breaches. These vary by province. If the provincial regulations do not require you to report a data breach, consider whether you are required to do so by your obligations to research participants.
  10. Make appropriate arrangements, financial and otherwise, for required length of data retention and destruction. Note that your files may be subject to US laws if stored in US-owned data storage facilities.

For more information on privacy and data protection best practices, please see:
Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans – TCPS2 (2018)
International Council for Harmonisation Guidelines
CIHR Best Practices for Protecting Privacy in Health Research (September 2005)
Good Clinical Data Management Practices (GCDMP)

Recent Stories

At Advancing Health, we produce high-quality evidence to change health care through improved patient care, evidence-informed policy, and innovative health system approaches.