AVÐÇÇò

Privacy and security

AVÐÇÇò is committed to protecting the privacy of Canadians and ensuring the security of their personal health information. The personal health information collected by AVÐÇÇò is governed by AVÐÇÇò’s Privacy Policy on the Collection, Use, Disclosure and Retention of Personal Health Information and De-Identified Data, 2010 (PDF).

Find out more about our Terms of Use, including the Website Privacy Notice.

Collection, use and disclosure

AVÐÇÇò is a secondary data collector of health information. Data obtained from hospitals and other health care facilities, long-term care homes, regional health authorities, medical practitioners and governments is disclosed to AVÐÇÇò under the authority of jurisdictional privacy or health information legislation and is subject to related data-sharing agreements.

AVÐÇÇò uses health information to conduct analyses on Canada’s health systems and the health of Canadians in a manner consistent with its mandate and core functions, specifically to deliver comparable and actionable information to accelerate improvements in health care, health system performance and population health across the continuum of care. Generally, AVÐÇÇò uses de-identified record-level data for analytical purposes. Data sets used for internal AVÐÇÇò analysis purposes do not contain names or direct identifiers, such as health care numbers, dates of birth and full postal codes.

AVÐÇÇò’s disclosures of health information are made at the highest degree of anonymity possible while still meeting the research and/or analytical purposes. AVÐÇÇò publicly releases aggregated data in a manner designed to minimize any risk of re-identification and residual disclosure.

Generally, data disclosed to third parties for research purposes is in the form of de-identified record-level data or aggregate data. Data requestors are required to enter into a non-disclosure/confidentiality agreement with AVÐÇÇò. The agreement establishes privacy and security controls that must be met by the recipient organization.

AVÐÇÇò does not disclose personal health information except under the following limited circumstances and where the recipients have entered into a data protection agreement or other legally binding instrument(s) with AVÐÇÇò:

  • The recipient has obtained the consent of the individuals concerned; or
  • The recipient is a prescribed entity under Section 45 of Ontario’s  (PHIPA) for the purpose of analysis or compiling statistical information with respect to the management of, evaluation or monitoring of, allocation of resources to or planning for all or part of the health system, including the delivery of services, provided the requirements of PHIPA and AVÐÇÇò’s internal requirements are met; or
  • The recipient is a prescribed person under Subsection 13(1) O.Reg.329/04 of Ontario’s PHIPA for the purposes of facilitating or improving the provision of health care, provided the requirements of PHIPA and AVÐÇÇò’s internal requirements are met; or
  • The disclosure is otherwise authorized by law; or
  • The disclosure is required by law.

Find out more about AVÐÇÇò, our data holdings and the reports we publish.

Privacy questions, concerns or complaints

Chief Privacy Officer
Canadian Institute for Health Information
495 Richmond Road, Suite 600
Ottawa, Ontario  K2A 4H6

613-694-6526
privacy@cihi.ca
Fax: 613-241-8120

An individual may also direct complaints to the  in which they reside.

Individuals may also direct complaints regarding AVÐÇÇò’s compliance with Ontario’s PHIPA and its regulation to the Information and Privacy Commissioner of Ontario:

Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario  M4W 1A8

416-326-3333
Toll-free (in Ontario): 1-800-387-0073
Fax: 416-325-9195
info@ipc.on.ca

AVÐÇÇò’s Privacy Program

Our comprehensive Privacy Program ensures the confidentiality and security of our Canadian health care data holdings. Part of this program is a set of governing privacy and security policies. These policies set out how we collect, store, analyze and disseminate data on Canada’s health care systems. Our program also includes

  • A Privacy and Legal Services department committed to developing a culture of privacy at AVÐÇÇò
  • An active Privacy, Confidentiality and Security Committee that includes representation from across the organization
  • A chief privacy advisor, who provides advice and counsel on privacy matters
  • A Governance and Privacy Committee of the Board of Directors
  • Mandatory privacy and security training to keep Canadian health care information protection matters front and centre

AVÐÇÇò adheres to all applicable privacy legislation, including Ontario’s PHIPA. We are a prescribed entity for the purposes of Section 45(1) of the act, which also applies to health information custodians in Ontario, such as the Ministry of Health, hospitals and physicians. These entities can disclose personal health information to us without patient consent for the purposes of analysis and compiling statistical information for the management of the health system. This designation and the strict responsibilities that come with it also assure our data partners across the country that

  • Our privacy policies, based on the 10 privacy principles of the Canadian Standards Association’s Model Code for the Protection of Personal Information, and security policies comply with the highest standards
  • Our overall information management practices safeguard the important and sensitive information with which we are trusted

The Information and Privacy Commissioner of Ontario (IPC/ON) reviews our practices and procedures every 3 years. Our privacy policies, practices and procedures were approved by the commissioner first in 2005 and every 3 years thereafter. Documentation related to the 2023 review and approval of AVÐÇÇò is publicly available on the .

 

AVÐÇÇò’s Information Security Program

Our comprehensive Information Security Program is dedicated to protecting the privacy of Canadians by ensuring the confidentiality, integrity and availability of our health care information. The physical, technical and administrative safeguards implemented by AVÐÇÇò follow or exceed industry standards and are designed to protect personal health information against theft, loss and unauthorized use or disclosure and to protect records of personal health information against unauthorized copying, modification or disposal.

AVÐÇÇò maintains the International Organization for Standardization (ISO) 27001 certification of its Information Security Management System. This certification clearly demonstrates our commitment to protect the personal health information that we maintain, and to continuously improve our information security position. It is an important part of our overall privacy and security programs and provides both our stakeholders and the public with the assurance that we treat data protection seriously. Our program also includes the following components:

  • Information security risk management 
  • Information Security Audit Program
  • A comprehensive suite of policies, procedures and standards designed to protect the confidentiality, integrity and availability of our information 
  • Privacy and Security Incident Management Program
  • Staff training and awareness

Security questions or concerns

Chief Information Security Officer
Canadian Institute for Health Information
4110 Yonge Street, Suite 300
Toronto, Ontario  M2P 2B7

416-481-2002
security@cihi.ca
Fax: 416-481-8120

Privacy impact assessments

Privacy impact assessments (PIAs) evaluate and address the privacy impacts of programs and systems. AVÐÇÇò is committed to completing PIAs on all its data holdings:

If you would like AVÐÇÇò information in a different format, visit our Accessibility page.