- What is the data request process at CIHI?
The data request process involves five key steps:
- Submission of inquiry to CIHI
- Assessment by program area
- Finalization of specifications, documentation, and approvals
- Data processing and verification
- Data release (and data destruction, for third party, record-level requests)
- What is the purpose of the data inquiry form?
The intent of the new online data inquiry form is to provide a centralized entry point for data requests and to allow CIHI to assess client needs prior to completion of any formal documentation or approvals.
- What additional documentation needs to be completed for data requests?
For third-party data requests, completion of a formal data request form and signing of a Non-Disclosure/Confidentiality Agreement are required. For the Graduate Student Data Access Program (GSDAP), additional requirements apply (see www.cihi.ca/gsdap).
- What determines the turnaround time to receive the data?
CIHI will begin to process the data request once the client has submitted all of the necessary documents and the data requirements are finalized. The time it takes to compile the data varies depending on the complexity of the request, for example, the number of databases involved and whether the data request requires privacy consultation and approval. Timing also depends on the client’s ability to respond to questions from the database area. Having a good understanding of the research purpose and how CIHI data can answer the research question, as well as knowledge of the CIHI database, will expedite the request.
- Will the data holding area help with my analysis?
CIHI staff can provide advice on the structure and content of the data requested. You should consult a research advisor regarding statistical analysis.
- Does CIHI provide population statistics?
No, population statistics are provided by Statistics Canada. Refer to Statistics Canada’s website at www.statcan.gc.ca.
- What if I don’t know which classification codes (ICD-9, ICD-10 and CCI) relate to the health-related condition of interest to me?
You should consult with a research advisor or a hospital health records department to identify the codes. If you require further assistance, someone from the data holding area will work with you to determine the codes as part of the data specifications process.
- Is there any CIHI data that will not be released?
Yes. Depending on the data holding, some specific data elements cannot be released, for example, for reasons of privacy. For all data holdings, data releases are subject to CIHI review from a privacy perspective to ensure that they are compliant with authoritative requirements set out in legislation, agreements with data providers and internal policies and practices.
- What is personal health information?
Personal health information is health information about an individual that identifies the specific individual; that may be used or manipulated by a reasonably foreseeable method to identify the individual; or may be linked by a reasonably foreseeable method to other information that identifies the individual.
- What is aggregate-level data?
Aggregate-level data is summed and/or categorized data that can answer research questions about populations or groups of organizations. The data has been compiled from record-level data to a level that ensures the identities of individuals or organizations cannot be determined by a reasonably foreseeable method.
- What is record-level data?
Record-level data is data in which each record is related to a single individual or organization.
- How does CIHI de-identify record-level data?
CIHI modifies personal health information records so that the identity of the individuals or institutions cannot be determined by a reasonably foreseeable method. This involves:
- Removing the name (if collected);
- Removing or encrypting identifying numbers, such as a personal health or chart number;
- Truncating the postal code to the first three digits or providing a geographic region;
- Converting the date of birth to month and year of birth, age or age group;
- Converting the date of admission and date of discharge to month and year only; and
- Reviewing the data elements in their totality to ensure they do not permit identification of the individual by a reasonably foreseeable method.
- Methodologies and standards, in addition to those listed above, may be developed to de-identify information to the fullest extent possible.
Data Storage, Retention and Secure Destruction
- How long can I keep and use the data released to me?
According to the Non-Disclosure/Confidentiality Agreement, clients must destroy or return all third-party data, as well as any copies made, within one year of any published work or three years after the receipt of record-level data (whichever comes first). CIHI does not require aggregate data to be returned.
- Is it possible to get an extension to keep the record-level data more than three years?
In exceptional circumstances it may possible for data to be retained for longer than three years; however, this request for extension must be made in writing to CIHI.
- Are there any data use restrictions?
Yes. In compliance with the Non-Disclosure/Confidentiality Agreement, recipients of CIHI data must take all reasonable measures to avoid residual disclosure of the identity of individuals or health facilities.
- Can I use CIHI data in publications?
Yes. Any publications resulting from data provided by CIHI must cite CIHI as the source of the data and must indicate that the results or views expressed are those of the author(s).
- Are there any restrictions on moving or relocating data?
For record-level data, the institution or organization requesting CIHI data is ultimately accountable for protecting the data and complying with the terms and conditions in Section 8 of the Non-Disclosure/Confidentiality Agreement. If, for any reason, the data is to be moved or relocated from the organization/institution, CIHI must be informed in writing prior to the move. CIHI follows up with third-party requestors to ensure secure destruction of record-level data at the end of its term.
- Are there requirements for the destruction of record-level data?
Yes. The requirements with respect to the secure destruction of CIHI record-level data are set out as part of the data request process. Question 8 of CIHI’s record-level data request form requires the recipient of CIHI data to outline the approach (and/or methods) that will be used to securely destroy the data.
At the end of the retention period, data must be securely destroyed in compliance with the Non-Disclosure/Confidentiality Agreement. Recipients of CIHI data, supervisors (in the case of GSDAP students) and ultimately the institution or organization will be asked to provide CIHI with a certificate of destruction, which certifies the completion of the secure destruction activity and sets out the date, time, location and method of secure destruction employed. A template for the certificate of destruction is available upon request from CIHI.
- What is secure destruction and how is this standard met?
Secure destruction of record-level data refers to the destruction of the data in such a manner that reconstruction is not reasonably foreseeable in the circumstances, as defined in Section 19 of the Non-Disclosure/Confidentiality Agreement. Industry best practices for the secure destruction of data are constantly evolving; this is particularly true for data in electronic format. For general information with respect to secure destruction methods, please review the fact sheet available on the website of the Information and Privacy Commissioner of Ontario (www.ipc.on.ca/images/Resources/up-fact_10_e.pdf ). This fact sheet includes suggested best practices for the destruction of personal information. More information about CIHI’s current secure destruction requirements is available upon request.
The Graduate Student Data Access Program
- Who is ultimately responsible for the protection and ultimate destruction of data received from CIHI for GSDAP recipients?
The university at which the GSDAP applicant was enrolled when the data was originally provided is ultimately accountable for protecting the data and complying with the terms and conditions stated in Section 8 of the Non-Disclosure/Confidentiality Agreement.
- Do all graduate student requests for data need to go through the complete GSDAP application process?
No, students should first refer to existing published CIHI reports and Quick Stats on the CIHI website to see if the data are already publicly available. If the data request requires customized work, then students should contact the GSDAP coordinator.
- Are Canadian students studying abroad at universities eligible to apply to the GSDAP?
Yes. Canadian graduate students studying abroad are eligible to apply. Priority will be given to Canadian students studying at Canadian universities. In all cases, CIHI does not disclose identifiable personal health information to entities located beyond Canadian borders. As is the case for all GSDAP applicants, data must remain in the custody and control of the university to which the data was originally provided.
- Can non-Canadian students apply for data under the GSDAP?
Data will not be provided to non-Canadian residents studying at non-Canadian universities. Non-Canadian graduate students studying at Canadian universities are eligible to apply. Data must remain in the custody and control of the university to which the data was originally provided.
- Are undergraduate students eligible to apply for data through the GSDAP?
No. The GSDAP is for graduate students needing data to fulfill graduate requirements (for example, master’s thesis, PhD dissertation or medical research fellow requirements).
- Does the GSDAP provide data to students who have received funding and/or grants to support access to data for research related to degree requirements?
No. If you or your supervisor received funding and/or grants to support access to data, you will not be eligible to receive data through the GSDAP. You can apply directly to the data holding area to access data for a fee.
- Is there any other way that I can access data if I don’t qualify for the GSDAP?
Yes. You can request data directly from a CIHI data holding. CIHI responds to custom data requests from researchers and others on a cost-recovery basis.
- Are there restrictions on how long record-level data can be kept?
Yes. The Non-Disclosure/Confidentiality Agreement for record-level data indicates that data can be retained up to one year after any published work for graduate requirements or three years after the receipt of record-level data, whichever comes first, after which it and any copies must be securely destroyed. CIHI does not typically require the return or destruction of aggregate data. (Refer to your signed agreement for terms and conditions.)
- I am working on a study for my research advisor—can I apply for data through the GSDAP and then provide this data to my research advisor for further use once I complete my project?
No. The intent of the GSDAP is to provide data to graduate students to fulfill degree requirements. Students should not be applying for or requesting data on behalf of their research advisors. In compliance with the terms and conditions stated in the Non-Disclosure/Confidentiality Agreement for record-level data, the data is released solely for the purposes set out in the request form and for no other purposes. If the research advisor wants to use the data for another purpose, then the advisor must go through CIHI’s formal data request process.
- Can I use data received through the GSDAP for another use, for example, ad hoc projects with my research advisor?
No. The data set you receive is for graduate requirements stated in the project objectives submitted in the application. Any other use is not permitted, unless authorized by CIHI.