Confidentiality and privacy protection

Mandatory - Ensure you have a research agreement if research involves personal information held by any institution subject to the Freedom of Information and Protection of Privacy Act (FIPPA)

Waterloo policy, procedure or guideline

Guideline - Securing research participants’ data

External policy/requirements

The requirements for a research agreement are described in Section 10(1) of R.R.O. 1990, Regulation 460 of FIPPA. Also see “Form 1” at the bottom of the link.

Registration 460 also identifies institutions which are subject to FIPPA; see “Schedule.”

Data Use and Disclosure Standard (Cancer Care Ontario)

Data sharing guidelines (NIH)

Data sharing agreements (PCO)

Who can help?

Privacy Office, Secretariat & Office of General Counsel

fippa@uwaterloo.ca

Associate Director, FANS, Office of Research

Mandatory - Ensure you have a research agreement if research involves personal information held by any institution subject to the Freedom of Information and Protection of Privacy Act (FIPPA)

Waterloo policy, procedure or guideline	External policy/requirements	Who can help?
Policy 8 Data Management Plans for Research Guideline for Data Sharing Agreements Guideline - Securing research participants’ data	The requirements for a research agreement are described in Section 10(1) of R.R.O. 1990, Regulation 460 of FIPPA. Also see “Form 1” at the bottom of the link. Registration 460 also identifies institutions which are subject to FIPPA; see “Schedule.” Data Use and Disclosure Standard (Cancer Care Ontario) Data sharing guidelines (NIH) Data sharing agreements (PCO)	Privacy Office, Secretariat & Office of General Counsel fippa@uwaterloo.ca Associate Director, FANS, Office of Research

Waterloo policy, procedure or guideline

External policy/requirements

Who can help?

Policy 8

Data Management Plans for Research

Guideline for Data Sharing Agreements

Guideline - Securing research participants’ data

The requirements for a research agreement are described in Section 10(1) of R.R.O. 1990, Regulation 460 of FIPPA. Also see “Form 1” at the bottom of the link.

Registration 460 also identifies institutions which are subject to FIPPA; see “Schedule.”

Data Use and Disclosure Standard (Cancer Care Ontario)

Data sharing guidelines (NIH)

Data sharing agreements (PCO)

Privacy Office, Secretariat & Office of General Counsel

fippa@uwaterloo.ca

Associate Director, FANS, Office of Research

Mandatory - Ensure you have a research agreement if research involves personal information held by any institution subject to the Freedom of Information and Protection of Privacy Act (MFIPPA)

Mandatory - Review by Research Ethics Board and Research Agreement if research involves personal health information held by any person or organization subject to the Personal health Information Protection Act (PHIPA)

Mandatory - Consider and identify other requirements of legislation in other jurisdictions. Research involving data from other jurisdictions may be subject to local, provincial/state or national privacy protection laws.

Best practices - Consider data minimization; only seek information which is really needed to undertake the research. Segregate the data set or anonymize the data set as soon as possible after collection.

Confidentiality and privacy protection

Mandatory - Ensure you have a research agreement if research involves personal information held by any institution subject to the Freedom of Information and Protection of Privacy Act (FIPPA)

Mandatory - Ensure you have a research agreement if research involves personal information held by any institution subject to the Freedom of Information and Protection of Privacy Act (FIPPA)

Mandatory - Ensure you have a research agreement if research involves personal information held by any institution subject to the Freedom of Information and Protection of Privacy Act (MFIPPA)

Mandatory - Review by Research Ethics Board and Research Agreement if research involves personal health information held by any person or organization subject to the Personal health Information Protection Act (PHIPA)

Mandatory - Consider and identify other requirements of legislation in other jurisdictions. Research involving data from other jurisdictions may be subject to local, provincial/state or national privacy protection laws.

Best practices - Consider data minimization; only seek information which is really needed to undertake the research. Segregate the data set or anonymize the data set as soon as possible after collection.

Best practices - Anonymize the data and store the master key in a separate, secure data