ºìÁì½í¹Ï±¨is committed to protecting the privacy of Canadians and ensuring the security of their personal health information. The personal health information collected by ºìÁì½í¹Ï±¨is governed by CIHI’s Privacy Policy on the Collection, Use, Disclosure and Retention of Personal ºìÁì½í¹Ï±¨ Information and De-Identified Data, 2010 (PDF).
Find out more about our Terms of Use, including the Website Privacy Notice.
On this page:
Collection, use and disclosure
ºìÁì½í¹Ï±¨is a secondary data collector of health information. Data obtained from hospitals and other health care facilities, long-term care homes, regional health authorities, medical practitioners and governments is disclosed to ºìÁì½í¹Ï±¨under the authority of jurisdictional privacy or health information legislation and is subject to related data-sharing agreements.
ºìÁì½í¹Ï±¨uses health information to conduct analyses on Canada’s health systems and the health of Canadians in a manner consistent with its mandate and core functions, specifically to deliver comparable and actionable information to accelerate improvements in health care, health system performance and population health across the continuum of care. Generally, ºìÁì½í¹Ï±¨uses de-identified record-level data for analytical purposes. Data sets used for internal ºìÁì½í¹Ï±¨analysis purposes do not contain names or direct identifiers, such as health care numbers, dates of birth and full postal codes.
CIHI’s disclosures of health information are made at the highest degree of anonymity possible while still meeting the research and/or analytical purposes. ºìÁì½í¹Ï±¨publicly releases aggregated data in a manner designed to minimize any risk of re-identification and residual disclosure.
Generally, data disclosed to third parties for research purposes is in the form of de-identified record-level data or aggregate data. Data requestors are required to enter into a non-disclosure/confidentiality agreement with CIHI. The agreement establishes privacy and security controls that must be met by the recipient organization.
ºìÁì½í¹Ï±¨does not disclose personal health information except under the following limited circumstances and where the recipients have entered into a data protection agreement or other legally binding instrument(s) with CIHI:
- The recipient has obtained the consent of the individuals concerned; or
- The recipient is a prescribed entity under Section 45 of Ontario’s (PHIPA) for the purpose of analysis or compiling statistical information with respect to the management of, evaluation or monitoring of, allocation of resources to or planning for all or part of the health system, including the delivery of services, provided the requirements of PHIPA and CIHI’s internal requirements are met; or
- The recipient is a prescribed person under Subsection 13(1) O.Reg.329/04 of Ontario’s PHIPA for the purposes of facilitating or improving the provision of health care, provided the requirements of PHIPA and CIHI’s internal requirements are met; or
- The disclosure is otherwise authorized by law; or
- The disclosure is required by law.
Find out more about CIHI, our data holdings and the reports we publish.
Privacy questions, concerns or complaints
Chief Privacy Officer
Canadian Institute for ºìÁì½í¹Ï±¨ Information
495 Richmond Road, Suite 600
Ottawa, Ontario K2A 4H6
613-694-6526
privacy@cihi.ca
Fax: 613-241-8120
An individual may also direct complaints to the in which they reside.
Individuals may also direct complaints regarding CIHI’s compliance with Ontario’s PHIPA and its regulation to the Information and Privacy Commissioner of Ontario:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
416-326-3333
Toll-free (in Ontario): 1-800-387-0073
Fax: 416-325-9195
info@ipc.on.ca
CIHI’s Privacy Program
Our comprehensive Privacy Program ensures the confidentiality and security of our Canadian health care data holdings. Part of this program is a set of governing privacy and security policies. These policies set out how we collect, store, analyze and disseminate data on Canada’s health care systems. Our program also includes
- A Privacy and Legal Services department committed to developing a culture of privacy at CIHI
- An active Privacy, Confidentiality and Security Committee that includes representation from across the organization
- A chief privacy advisor, who provides advice and counsel on privacy matters
- A Governance and Privacy Committee of the Board of Directors
- Mandatory privacy and security training to keep Canadian health care information protection matters front and centre
ºìÁì½í¹Ï±¨adheres to all applicable privacy legislation, including Ontario’s PHIPA. We are a prescribed entity for the purposes of Section 45(1) of the act, which also applies to health information custodians in Ontario, such as the Ministry of ºìÁì½í¹Ï±¨, hospitals and physicians. These entities can disclose personal health information to us without patient consent for the purposes of analysis and compiling statistical information for the management of the health system. This designation and the strict responsibilities that come with it also assure our data partners across the country that
- Our privacy policies, based on the 10 privacy principles of the Canadian Standards Association’s Model Code for the Protection of Personal Information, and security policies comply with the highest standards
- Our overall information management practices safeguard the important and sensitive information with which we are trusted
The Information and Privacy Commissioner of Ontario (IPC/ON) reviews our practices and procedures every 3 years. Our privacy policies, practices and procedures were approved by the commissioner first in 2005 and every 3 years thereafter. Documentation related to the 2023 review and approval of ºìÁì½í¹Ï±¨is publicly available on the .
CIHI’s Information Security Program
Our comprehensive Information Security Program is dedicated to protecting the privacy of Canadians by ensuring the confidentiality, integrity and availability of our health care information. The physical, technical and administrative safeguards implemented by ºìÁì½í¹Ï±¨follow or exceed industry standards and are designed to protect personal health information against theft, loss and unauthorized use or disclosure and to protect records of personal health information against unauthorized copying, modification or disposal.
ºìÁì½í¹Ï±¨maintains the International Organization for Standardization (ISO) 27001 certification of its Information Security Management System. This certification clearly demonstrates our commitment to protect the personal health information that we maintain, and to continuously improve our information security position. It is an important part of our overall privacy and security programs and provides both our stakeholders and the public with the assurance that we treat data protection seriously. Our program also includes the following components:
- Information security risk management
- Information Security Audit Program
- A comprehensive suite of policies, procedures and standards designed to protect the confidentiality, integrity and availability of our information
- Privacy and Security Incident Management Program
- Staff training and awareness
Security questions or concerns
Chief Information Security Officer
Canadian Institute for ºìÁì½í¹Ï±¨ Information
4110 Yonge Street, Suite 300
Toronto, Ontario M2P 2B7
416-481-2002
security@cihi.ca
Fax: 416-481-8120
Privacy and Information Security policies and protocols
- ºìÁì½í¹Ï±¨ Data Collection Standard (February 2020) (PDF)
- Information Security Policy (June 2024) (PDF)
- Personal Information Privacy Policy (August 2023) (PDF)
- Policy on ºìÁì½í¹Ï±¨ Facility Identifiable Information (September 2022) (PDF)
- Policy on Privacy and Security Risk Management (August 2022) (PDF)
- Policy on the Security of Confidential Information and Use of Mobile Devices/Removable Media (September 2023) (PDF)
- Privacy and Security Framework, 2010 (October 2022) (PDF)
- Privacy and Security Incident Management Protocol (October 2022) (PDF)
- Privacy and Security Risk Management Framework (August 2020) (PDF)
- Privacy and Security Training Policy (September 2022) (PDF)
- Privacy Audit Policy (November. 2022) (PDF)
- Privacy Impact Assessment Policy (August 2022) (PDF)
- Privacy Policy on the Collection, Use, Disclosure and Retention of ºìÁì½í¹Ï±¨ Workforce Personal Information and De-Identified Data, 2011 (June 2011) (PDF)
- Privacy Policy on the Collection, Use, Disclosure and Retention of Personal ºìÁì½í¹Ï±¨ Information and De-Identified Data, 2010 (Updated November 2022) (PDF)
Privacy impact assessments
Privacy impact assessments (PIAs) evaluate and address the privacy impacts of programs and systems. ºìÁì½í¹Ï±¨is committed to completing PIAs on all its data holdings:
- Canadian Joint Replacement Registry: Privacy Impact Assessment, (March 2021) (PDF)
- Canadian Multiple Sclerosis Monitoring System (CMSMS) (September 2013) (PDF)
- Canadian Organ Replacement Register (CORR) (September 2023) (PDF)
- Canadian Patient Cost Database (CPCD) (January 2019) (PDF)
- Canadian Patient Experiences Reporting System (CPERS) (August 2020) (PDF)
- ºìÁì½í¹Ï±¨Portal (Oct. 2020) (PDF)
- Clinical Administrative Databases (August 2019) (PDF)
- Continuing Care Reporting System (CCRS) (June 2022) (PDF)
- Home Care Reporting System (HCRS) (June 2022) (PDF)
- Insured Persons Registry Privacy Impact Assessment (June, 2022) (PDF)
- Integrated interRAI Reporting System (IRRS) Privacy Impact Assessment (August 2021) (PDF)
- National Prescription Drug Utilization Information System (NPDUIS) Database (April 2024) (PDF)
- National Rehabilitation Reporting System (NRS) Privacy Impact Assessment (2022) (PDF)
- National System for Incident Reporting (NSIR) (March 2022) (PDF)
- Nursing Database, ºìÁì½í¹Ï±¨ Human Resources Database and ºìÁì½í¹Ï±¨ Workforce Database (August 2019) (PDF)
- Patient-Reported Outcome Measures (PROMs) Program for Hip and Knee Arthroplasty: Privacy Impact Assessment, September 2019 (Updated February 2020) (PDF)
- Ontario Mental ºìÁì½í¹Ï±¨ Reporting System (OMHRS) (June 2022) (PDF)
- Patient-Level Physician Billing Repository (PLPB) (June 2022) (PDF)
- Population Grouping Methodology Privacy Impact Assessment (June 2023) (PDF)
- Primary ºìÁì½í¹Ï±¨ Care Database Privacy Impact Assessment (March 2023) (PDF)
- Primary ºìÁì½í¹Ï±¨ Care Voluntary Reporting System (PHC VRS) (January 2013) (PDF)
- Reabstraction Studies (November 2020) (PDF)
- Secure Access Environment Privacy Impact Assessment (June 2021) (PDF)
- Trauma Registries Privacy Impact Assessment (May 2019) (PDF)
- Your ºìÁì½í¹Ï±¨ System: Insight (December 2021) (PDF)