Statement of Information Practices
To fulfill our mandate for Ontario’s COVID-19 Health Data Platform, the Ministry of Health requires access to personal health information and personal information related to Ontario’s healthcare system. This page explains how we handle and manage personal health information and personal information, including our authority under the law to collect, use and disclose the information. To learn more about the mandate for the Ontario Health Data Platform, see Ontario Health Data Platform - Overview.
Authority to Collect, Use and Disclose Personal Health Information and Personal Information
The Ministry of Health generally derives its authority to collect, use and disclose personal health information and personal information from privacy laws, including the Personal Health Information Protection Act, 2004 (PHIPA) and the Freedom of Information and Protection of Privacy Act (FIPPA).
As a health information custodian and in accordance with subsection 18(11) of the regulation under PHIPA (O. Reg. 329/04), the Ministry of Health’s information practices must be in compliance with PHIPA with oversight by Ontario’s Information and Privacy Commissioner.
Health Information Custodian
The Ministry of Health is designated as a health information custodian under section 3(1)7 of PHIPA. For the purposes of Ontario’s Ontario Health Data Platform, a two-year time limited regulation under PHIPA came into force on July 30, 2020. This regulation permits the Ministry of Health until July 30, 2022, to collect personal health information from the Institute for Clinical Evaluative Sciences (ICES) and Ontario Health for the purposes of (a) researching, analyzing investigating, preventing, responding to or alleviating COVID-19 or its effects; or (b) evaluating or monitoring the impact of COVID-19 on the management of, the allocation of resources to or planning for all or part of the health system.
Researcher
The Ministry of Health established COVID-19 Challenge Questions to help ensure that researchers accessing the Ontario Health Data Platform address high priority COVID-19 research questions that are responsive to the needs of government. See Challenge Questions. Under certain circumstances, with a research plan approved by a research ethics board, we are permitted to use and disclose personal health information that was collected for the purposes set out subsection 18(11) of the regulation.
FIPPA Institution
The Ministry of Health is an institute as defined in FIPPA and is subject to its requirements. FIPPA governs how we manage and handle personal information and imposes requirements to protect the privacy of individuals. FIPPA has rules which are based on 2 assumptions:
- An individual has the right to control his or her personal information.
- Rules governing the collection, use, disclosure, retention, security and disposal of personal information are necessary to protect privacy.
The Ministry of Health will only collect personal information where the collection is specifically authorized by law, used for the purposes of law enforcement or necessary for the administration of a lawfully authorized activity. We will only use and disclose personal information as allowed or required by law.
Sources of Personal Information and Personal Health Information
The Ministry of Health will collect personal information and personal health information from the Institute for Clinical Evaluative Sciences and Ontario Health until July 30, 2022. Most of the personal health information and personal information that is collected comes from facilities such as hospitals, clinics, independent health facilities and laboratories, collected by the Institute for Clinical Evaluative Sciences and Ontario Health under their Prescribed Entity status under PHIPA.
We also collect personal information from other government organizations, such as:
- Ministry of Health
- Ministry of Government Services
We collect personal information directly from researchers as required to process research applications and account administration.
Use of Personal Health Information and Personal Health Information
The Ministry of Health uses personal information and personal health information for the following purposes:
- researching, analyzing, investigating, preventing, responding to or alleviating COVID-19 or its effects;
- evaluating or monitoring the impact of COVID-19 on the management of, the allocation of resources to or planning for all or part of the health system.
The following describes the types of personal health information and personal information we collect for COVID-19 research priorities and how we use it to support the Ontario Health Data Platform:
- clinical information systems and registries, genomics, public health, hospital, laboratory, and diagnostic imaging information system;
- hospital discharge summaries and emergency department visits;
- physician claims submitted to the Ontario Health Insurance Plan;
- medical drug claims submitted to the Ontario Drug Benefit Program; and
- claims submitted for home care and long-term care.
For more information about COVID-19 Research Priorities, see OHDP Research Priorities.
Protection of Information
The Ministry of Health has physical, administrative and technical systems in place to safeguard personal information and personal health information in our custody against loss, theft, unauthorized access, disclosure, copying, use or modification. The types of safeguards correspond to the sensitivity, amount, access and format of the information. The following describes some of the safeguards the Ministry of Health implements to protect information.
Physical safeguards
- We have in place controls to secure physical premises, including controlled access to data center premises.
- Operational areas that store personal health information and personal information require restricted access with a secondary level of access controls.
- Personnel are given appropriate identification.
- Visitors are appropriately screened and are authorized to be on data center premises.
- Video surveillance is used for forensic purposes.
Administrative safeguards
- We use policies, agreements, and a privacy and security training and awareness program to reinforce personnel and third-party understanding of the responsibility to protect personal information and personal health information.
- We do not use personal information or personal health information we have access to except as necessary to operate the Ontario Health Data Platform.
- We have in place a privacy breach management program to identify, contain, investigate and report on privacy breaches and cybersecurity incidents. We notify the applicable data partner of any privacy breach at the first reasonable opportunity.
- We have comprehensive privacy impact assessment practices to ensure privacy risks are identified, mitigated and responsibly managed.
Technical safeguards
- We ensure adoption of industry standards for the Ontario Health Data Platform systems to ensure the security of:
- Personal information and personal health information in our custody
- The technical systems used
- Data is encrypted during transmission to the Ontario Health Data Platform and is stored on secured servers.
- We ensure system logging, monitoring and auditing practices are in place to record when personal health information is transferred.
Disclosure of Personal Information and Personal Health Information
The Ministry of Health may disclose personal health information that we collected for the purposes researching, analyzing, investigating, preventing, responding to or alleviating COVID-19 or its effects; or evaluating or monitoring the impact of COVID-19 on the management of, the allocation of resources to or planning for all or part of the health system through the Ontario Health Data Platform to:
- researchers who comply with the research requirements set out in PHIPA, and if the research is consistent with COVID-19 Research Priorities.
Request Access to Your Personal Information and Personal Health Information
The Ministry of Health provides individuals with a right of access to, and correction of, their personal information in accordance with the requirements of FIPPA.
To make a request contact:
- Manager, Access and Privacy Office
Ministry of Health
1st Floor, 99 Adesso Drive
Concord, ON L4K 3C7
Telephone: 416-327-7040
Website: https://www.health.gov.on.ca/en/public/publications/information/state_of_info.aspx
Contact the Privacy Office
Contact us if you would like more information or have privacy concerns about the Ontario Health Data Platform, information practices or privacy program:
- Attention: Research Legal Services
78 Fifth Field Company Lane
Fleming Hall - Jemmett Wing, 3rd Floor
Kingston, ON K7L3N6
Email: researchlegal@queensu.ca
Email: privacy@ohdp.ca
Website: ohdp.ca
Contact the Information and Privacy Commissioner
You have the right to submit any concern about the information practices for the Ontario Health Data Platform to:
- Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8
Phone: 416-326-3333 or 1-800-387-0073
TDD/TTY: 416-325-7539
Email: info@ipc.on.ca
Website: www.ipc.on.ca