Skip to Main Content

Privacy information basics

Understand the importance of privacy and your legal obligations concerning the use of personal information in research.

Privacy and the ethical review

For your research project, what do confidentiality, anonymity and privacy mean?

  • Confidentiality – your obligation to safeguard information provided by a third party
  • Anonymity – where the information never had identifiers associated with it
  • Privacy – protecting personal information against unauthorized access

How do you define personal information or identifiable information?

Information about an identifiable individual stored in any format including paper, electronic, photographs, audio and video recordings. See the page:  “Defining Personal Information”

Can you collect the individuals’ information without identifying them? Is anonymity possible?

If you are collecting the information (for example, in a survey) and there is no need for individuals to identify themselves, then this may not be considered “personal information” under privacy legislation. However, if the information can be linked to individuals’ contact information or if their responses could reveal their identity, then it is personal information. 

Have you completed a privacy research agreement, if required by any privacy legislation or regulations governing the organization in which you will be conducting your research? 

Where a researcher intends to collect, without seeking the individual’s consent, personal information held by a public body or private sector company or organization, a research agreement is required under the applicable privacy legislation. For example, you may want access to the information individuals provided in their application for a benefit or service. The agreement will confirm the steps you must take to protect the personal information while it is under your control. 

Will you be collecting personal information only from publicly available sources? 

If yes, you still need to notify individuals of the intended use of their information for research purposes. 

Will you collect the personal information directly from the research participants? If so, describe the methods for obtaining and handling the information, including the following:

Types of data to be collected – names, contact information, age, opinions, views, etc. See the examples of types of personal information on the page: “Defining Personal Information.” 

Notification of Purposes (i.e. Consent Form) – should be in writing – identify all uses or purposes for their information – confirm and describe how you will keep it secure against risks such as improper access or disclosure – provide your contact information so they can easily ask questions about your research - then obtain the research subject’s informed, written consent 

Limit Collection, Use, Disclosure and Retention – collect only the information you need – turn off the recorder or put down your pen when all questions are answered – limit collecting subjects’ contact information to what is necessary – use the information for only the intended purposes – share the information only with others involved in the research – minimize the time you retain the information in identifiable form and follow the research ethics policy for retention and destruction of personal information 

Appropriate Safeguards – the more sensitive the information, the higher the required security measures to protect the information against risks such as unauthorized collection, access, use, disclosure or disposal

  • At home or elsewhere, keep paper records in locked storage when not in use.
  • Use passwords and encryption for protecting electronic records in all computers and other storage devices such as memory sticks.
  • When travelling, do not leave laptops and other portable devices unattended.
  • It is best not to store research subjects’ personal information on hard drives.
  • If you will use online survey tools or tele/video conferencing services based outside Canada, you must notify participants in advance that these services may not meet Canadian standards for protecting personal information against risks such as inappropriate use or disclosure to third parties

Any modes of observation (e.g. photographs, or audio or video recordings) that allow identification of particular subjects – the notification in your consent form must confirm your use of any of these methods to collect an individual’s image or voice and how you will safeguard these images or recordings against unauthorized access. 

Do you plan to link the personal information you gather in your research with other information about the participants that is contained in public or personal records? - if yes, this use of the information must be included in the notification given to potential participants before they give their consent. 

Provision for confidentiality of data resulting from the research – have you received the individual’s consent to include his or her identifiable information in the research results, report or presentation? 

Do you plan to use the participants’ personal information for related research or for other purposes (i.e. a secondary use)? - if yes, you must explain in your REB Request for Ethical Review: why identifying information is essential; how you will protect the personal information, and; how you will obtain informed consent from those who provided the data or an authorized third party.