A Note About Privacy
A Note About Privacy. (Research, registries, clinical or quality improvement?)
This page primarily relates to the collection and management of medical data for research purposes or for non-research projects like registries and quality improvement studies. It is for guidance only and is not intended to be a definitive authority on the subject of privacy. If in doubt please contact the University's Privacy Office.
Legal Responsibilities
All users of REDCap must comply with appropriate local and federal privacy legislation. This includes Alberta's Health Information Act (HIA) and the Freedom of Information and Protection of Privacy Act (FOIP). Summaries of these acts can be found on the website of the University of Alberta Information and Privacy Office.
University of Alberta staff must also comply with University policy as detailed on the University's policies and procedures site.
What does this mean for us? Projects conducted within the Faculty of Medicine generally fall into one of two categories.
REB Approved Research Projects
The REB is responsible for ensuring that the research team is taking adequate steps to protect the privacy of the research data. Patient identifiers (see TCPS2 chapter 5) may be included in the project database provided that these identifiers have been documented in the REB submission. Researchers must also comply with any specific requirements mandated by the REB.
Projects Without REB Approval
Projects such as registries and quality improvement studies typically do not have REB approval. If the project collects identifiable healthcare information then the project lead must work with the Custodian of the data (as defined in the Health Information Act). The Custodian will need to submit a Privacy Impact Assessment (PIA) to the Office of the Information and Privacy Commissioner of Alberta (OIPC). For inpatient health information the Custodian will be Alberta Health Services or Covenant Health, but for patients seen in ambulatory settings the Custodian may be an individual physician, surgeon or dentist. Contact the University's Privacy Office for advice on who is the Custodian and for information on PIAs.
Since REDCap is operated by the University of Alberta (WCHRI) the Custodian and WCHRI will also require that an information management agreement (IMA) is in place between the Custodian (or Principal Investigator) and the University.
If the project does not collect identifiable healthcare information then there is no obligation to submit a privacy impact assessment (PIA) and we will only require an information management agreement (IMA) in the case of clients who do not have an academic position at the University of Alberta.
REDCap and Privacy
REDCap provides a number of features that are designed to protect the privacy of research participants and is considered to be compliant with Canadian legislation such as the HIA, FOIP, and TCPS2 as well as U.S privacy requirements such as HIPAA. Details of these security features are documented in WCHRI's Privacy Policy document.
REDCap has the potential to be GDPR compliant. These features are enabled on a project by project basis. Please email the helpdesk if your project needs the GDPR privacy features enabled.
Additional Help
For additional help with regards to privacy issues please contact the University's Privacy Office.