ºìÁì½í¹Ï±¨

Privacy and security

ºìÁì½í¹Ï±¨is committed to protecting the privacy of Canadians and ensuring the security of their personal health information. The personal health information collected by ºìÁì½í¹Ï±¨is governed by CIHI’s Privacy Policy on the Collection, Use, Disclosure and Retention of Personal ºìÁì½í¹Ï±¨ Information and De-Identified Data, 2010 (PDF).

Find out more about our Terms of Use, including the Website Privacy Notice.

Collection, use and disclosure

ºìÁì½í¹Ï±¨is a secondary data collector of health information. Data obtained from hospitals and other health care facilities, long-term care homes, regional health authorities, medical practitioners and governments is disclosed to ºìÁì½í¹Ï±¨under the authority of jurisdictional privacy or health information legislation and is subject to related data-sharing agreements.

ºìÁì½í¹Ï±¨uses health information to conduct analyses on Canada’s health systems and the health of Canadians in a manner consistent with its mandate and core functions, specifically to deliver comparable and actionable information to accelerate improvements in health care, health system performance and population health across the continuum of care. Generally, ºìÁì½í¹Ï±¨uses de-identified record-level data for analytical purposes. Data sets used for internal ºìÁì½í¹Ï±¨analysis purposes do not contain names or direct identifiers, such as health care numbers, dates of birth and full postal codes.

CIHI’s disclosures of health information are made at the highest degree of anonymity possible while still meeting the research and/or analytical purposes. ºìÁì½í¹Ï±¨publicly releases aggregated data in a manner designed to minimize any risk of re-identification and residual disclosure.

Generally, data disclosed to third parties for research purposes is in the form of de-identified record-level data or aggregate data. Data requestors are required to enter into a non-disclosure/confidentiality agreement with CIHI. The agreement establishes privacy and security controls that must be met by the recipient organization.

ºìÁì½í¹Ï±¨does not disclose personal health information except under the following limited circumstances and where the recipients have entered into a data protection agreement or other legally binding instrument(s) with CIHI:

  • The recipient has obtained the consent of the individuals concerned; or
  • The recipient is a prescribed entity under Section 45 of Ontario’s  (PHIPA) for the purpose of analysis or compiling statistical information with respect to the management of, evaluation or monitoring of, allocation of resources to or planning for all or part of the health system, including the delivery of services, provided the requirements of PHIPA and CIHI’s internal requirements are met; or
  • The recipient is a prescribed person under Subsection 13(1) O.Reg.329/04 of Ontario’s PHIPA for the purposes of facilitating or improving the provision of health care, provided the requirements of PHIPA and CIHI’s internal requirements are met; or
  • The disclosure is otherwise authorized by law; or
  • The disclosure is required by law.

Find out more about CIHI, our data holdings and the reports we publish.

Privacy questions, concerns or complaints

Chief Privacy Officer
Canadian Institute for ºìÁì½í¹Ï±¨ Information
495 Richmond Road, Suite 600
Ottawa, Ontario  K2A 4H6

613-694-6526
privacy@cihi.ca
Fax: 613-241-8120

An individual may also direct complaints to the  in which they reside.

Individuals may also direct complaints regarding CIHI’s compliance with Ontario’s PHIPA and its regulation to the Information and Privacy Commissioner of Ontario:

Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario  M4W 1A8

416-326-3333
Toll-free (in Ontario): 1-800-387-0073
Fax: 416-325-9195
info@ipc.on.ca

CIHI’s Privacy Program

Our comprehensive Privacy Program ensures the confidentiality and security of our Canadian health care data holdings. Part of this program is a set of governing privacy and security policies. These policies set out how we collect, store, analyze and disseminate data on Canada’s health care systems. Our program also includes

  • A Privacy and Legal Services department committed to developing a culture of privacy at CIHI
  • An active Privacy, Confidentiality and Security Committee that includes representation from across the organization
  • A chief privacy advisor, who provides advice and counsel on privacy matters
  • A Governance and Privacy Committee of the Board of Directors
  • Mandatory privacy and security training to keep Canadian health care information protection matters front and centre

ºìÁì½í¹Ï±¨adheres to all applicable privacy legislation, including Ontario’s PHIPA. We are a prescribed entity for the purposes of Section 45(1) of the act, which also applies to health information custodians in Ontario, such as the Ministry of ºìÁì½í¹Ï±¨, hospitals and physicians. These entities can disclose personal health information to us without patient consent for the purposes of analysis and compiling statistical information for the management of the health system. This designation and the strict responsibilities that come with it also assure our data partners across the country that

  • Our privacy policies, based on the 10 privacy principles of the Canadian Standards Association’s Model Code for the Protection of Personal Information, and security policies comply with the highest standards
  • Our overall information management practices safeguard the important and sensitive information with which we are trusted

The Information and Privacy Commissioner of Ontario (IPC/ON) reviews our practices and procedures every 3 years. Our privacy policies, practices and procedures were approved by the commissioner first in 2005 and every 3 years thereafter. Documentation related to the 2023 review and approval of ºìÁì½í¹Ï±¨is publicly available on the .

 

CIHI’s Information Security Program

Our comprehensive Information Security Program is dedicated to protecting the privacy of Canadians by ensuring the confidentiality, integrity and availability of our health care information. The physical, technical and administrative safeguards implemented by ºìÁì½í¹Ï±¨follow or exceed industry standards and are designed to protect personal health information against theft, loss and unauthorized use or disclosure and to protect records of personal health information against unauthorized copying, modification or disposal.

ºìÁì½í¹Ï±¨maintains the International Organization for Standardization (ISO) 27001 certification of its Information Security Management System. This certification clearly demonstrates our commitment to protect the personal health information that we maintain, and to continuously improve our information security position. It is an important part of our overall privacy and security programs and provides both our stakeholders and the public with the assurance that we treat data protection seriously. Our program also includes the following components:

  • Information security risk management 
  • Information Security Audit Program
  • A comprehensive suite of policies, procedures and standards designed to protect the confidentiality, integrity and availability of our information 
  • Privacy and Security Incident Management Program
  • Staff training and awareness

Security questions or concerns

Chief Information Security Officer
Canadian Institute for ºìÁì½í¹Ï±¨ Information
4110 Yonge Street, Suite 300
Toronto, Ontario  M2P 2B7

416-481-2002
security@cihi.ca
Fax: 416-481-8120

Privacy impact assessments

Privacy impact assessments (PIAs) evaluate and address the privacy impacts of programs and systems. ºìÁì½í¹Ï±¨is committed to completing PIAs on all its data holdings:

If you would like ºìÁì½í¹Ï±¨information in a different format, visit our Accessibility page.