Section 35 - Disclosure for Research or Statistical Purposes
Section 35 of the Freedom of Information and Protection of Privacy Act
- (a) the research purpose cannot reasonably be accomplished unless that information is provided in individually identifiable form or the research purpose has been approved by the commissioner,
- (a.1) the information is disclosed on condition that it not be used for the purpose of contacting a person to participate in the research,
- (b) any record linkage is not harmful to the individuals that information is about and the benefits to be derived from the records linkage are clearly in the public interest,
- (c) the head of the public body concerned has approved conditions relating to the following:
- (d) the person to whom that information is disclosed has signed an agreement to comply with the approved conditions, this Act and any of the public body’s policies and procedures relating to the confidentiality of personal information.
This section recognizes that, in limited circumstances, a public body may need to consider releasing personal information to assist an applicant in conducting research activities. This need arises when either the nature of the research itself, or the condition, volume and/or make-up of the records containing the requested personal information, make severing unfeasible. All five conditions imposed under section 35 must be met before any disclosure of personal information may take place.
- A public body is permitted to disclose personal information for a research purpose under section 35; however, it is not obliged to do so. The public body has the final responsibility in administering research agreements under this section and is the final authority on approvals. If the public body is not completely satisfied a researcher will comply with the provisions of a research agreement, it will refuse to provide approval.
- The public body must be satisfied that all five requirements of section 35 are met before approving a research agreement.
- A public body shall only authorize a research agreement for a bona fide research project. Access privileges are granted only to the person(s) who enters into the research agreement and only for the purpose stated in the agreement. The research agreement is not to be used as a means to ‘browse’ records.
- Record linkages for administrative purposes are not permissible under paragraph 35(b). Personal information sets cannot be matched or compared with one another to make a decision about a particular person’s entitlement to, or eligibility for, a job, benefit or service. See Interpretation Note 3 below for further details.
- The head of the public body must be satisfied that, without prior approval of the head, the recipient will not disclose or share the personal information with any other party, except as specified in the research agreement, and will destroy any personal identifiers in the information as soon as possible. For example, without prior approval of the head, the researcher may not use the information for another study, use the information to sell products or services to the subjects of the study or sell or give the information to a charity or solicit donations. See Interpretation Note 4 below for further details.
- The head of the public body must be satisfied that adequate security measures are in place to ensure the physical security of the personal information from unauthorized access, disclosure, theft or other danger. Adequate security may require such measures as locked filing cabinets, computer access codes, restricted access to work areas and encryption (the encoding of data). See section 30 (Protection of personal information).
- Research agreements shall be time limited and drafted for the minimum amount of time required to conduct the research or study. Research agreements shall not be ongoing or "open-ended" but may be renewed as required.
- The public body should confirm and document that the applicant requires access to records containing personal information in individually identifiable form in order to achieve his or her research purpose. The personal information must be directly related to the research being undertaken. This may occur where the applicant needs to see the information in personally identifiable form for their research but does not need to provide the results of their research or analysis in a personally identifiable form.
- In cases where the researcher does not need access to the personal information in the records, but it would be impracticable to sever it, the research purpose must be approved by the Information and Privacy Commissioner prior to release of the personal information.
- The researcher must sign a detailed research agreement which describes the nature of the research, the type of personal information which will be disclosed, how it will be used, any terms and conditions for the disclosure, and the procedural safeguards that the researcher will use for its protection. Only the researcher, or an authorized agent of the researcher, may sign a research agreement.
- The public body should inspect the premises/facilities and/or electronic storage medium (if indicated) of the researcher to ensure that security provisions are adequate.
- The public body should conduct periodic audits of researchers with whom it has signed agreements to satisfy itself that the terms and conditions of the agreement are being met and that the agreement is current. Contravention of the terms and conditions of the research agreement may lead to the withdrawal of research privileges. The public body may take legal action to prevent any further disclosure of the personal information concerned.
"Research" is a systematic investigation into and study of materials or sources in order to establish facts and reach new conclusions [OED]. In order for a disclosure of personal information for a "research purpose" to be permissible, the researcher must intend to use the personal information to investigate and ascertain facts or verify theories.
"Statistics" is the science of collecting and analysing numerical data, especially large quantities of data and usually inferring proportions in a whole from proportions in an representative sample; any systematic collection or presentation of such facts [OED].
"Statistical research" is any research based on these methods using quantifiable personal information, for example, to study trends, extrapolate from the data and/or draw conclusions. Statistical research is often done in demographics (e.g., to study the incidence of disease), to evaluate the success of training or health programs or to study other social issues and trends.
The information is in "individually identifiable form" if it is released in such a form that unique identifiers (name, address, Social Insurance Number or another identifier associated with only one person) are attached to the information; that is, the information clearly pertains to a particular person (see also Individual Identifier).
This provision allows public bodies to disclose personal information for research purposes in circumstances other than those in which the researcher needs access to the information in individually identifiable form. This might occur in cases where the researcher is not interested in the personal information found in a set of records needed for the research but it would be impracticable to sever the personal information. This might occur for example, because of the volume of records or the time constraints on the research project. The fact that the Commissioner must approve the research purpose ensures that it is subject to impartial scrutiny.
"Record linkage", also called "data matching", is the systematic comparison of sets of information (usually information banks or data banks) for any of a variety of reasons, including research or administrative purposes.
A "record linkage for research purposes" is the matching of sets of personal information with no intention of making decisions about the subjects’ rights or privileges. The matching is the means of linking the right information to the right people in the representative group under study.
- A sociologist exploring the link between mental illness and poverty wishes to find out what percentage of persons who have received treatment at a hospital have received benefits under an act. To do this, the researcher must compare a list of persons admitted to the hospital in the last year against a list of people who have received benefits under the act in the last five years.
This is in contrast to a "record linkage for administrative purposes", where the sets of personal information are matched or compared with one another to make decisions about a particular person’s entitlement to or eligibility for a job, benefit or service. As with any record linkage, identifiers are needed to ensure that the right information is linked to the right people.
This kind of record linkage (administrative purpose) can have profound consequences, favourable or adverse, on a person’s privacy, rights and livelihood. The proliferation of ever smaller and more powerful computers has dramatically increased the scale on which data matching can be done and with it, the potential for invading personal privacy.
Record linkages for administrative purposes are not permissible under paragraph 35(b).
For the linkage not to be harmful it must not result in:
- adverse decisions about the persons whose information is disclosed;
- damage to their reputations;
- the invasion of their privacy; nor,
- any other injury.
Some significant good must come from the research. The benefits of the research must override the invasion of privacy that occurs with the disclosure of the personal information to the researcher and the public interest must be served generally, not just the interests of one or two individuals.
The disclosure may take place only if the head is aware of and has approved the researcher's proposed practices for handling the personal information.
"Security" measures define the physical protection or guarding from unauthorized access or disclosure, theft or other danger. Good security may require such measures as locked filing cabinets, computer access codes, restricted access to work areas and encryption (the encoding of data).
The researcher must make the information anonymous by deleting the name, address or other identifiers or by destroying the identifiers in whatever way is appropriate to the medium on which the information is stored.
An "individual identifier" is information such as a person’s name, Social Insurance Number (or other number unique to the person such as driver’s license number, employee number or health card number), address, date of birth (usually used in combination with other identifiers such as name to distinguish between people with the same name but different birth dates) or any other discrete element of personal information that would enable a third party to deduce the identity of the person concerned.
- A researcher studying the incidence of lung cancer in miners needs to be certain that the John Smith whose medical information is found in hospital records is the same John Smith who worked as a miner for ABC coal mine for 20 years and not the John Smith who worked in the office of ABC coal mine for 5 years. To distinguish between the two John Smiths, the researcher needs not only the two men's names but also their dates of birth or other unique identifiers.
- A researcher studying the treatment of elderly persons in mental hospitals wishes to gather statistics which will show the background of those receiving treatment, including age, sex, place of birth, family status and former occupation. To collect this data, which the researcher will use only in aggregate form, the researcher must have access to hospital registers which list patients by name to determine which patients fit into the study group. The researcher also needs access to individual case files in order to gather the data on place of birth, family status and former occupation.
The "earliest reasonable time" will vary with the circumstances of the case and the comparisons the researcher must make between sets of data. The researcher must strip the identifiers once all the different sets of information have been combined for analysis.
Any subsequent use or disclosure of that information ... without the express authorization of the head of that public body
The researcher may not further use or disclose the personal information for any other research or statistical purpose other than that for which the information was originally disclosed, unless the head of the public body explicitly authorizes it.
Without prior approval, the researcher may not, for example:
- use the information for another study;
- use the information to sell products or services to the subjects of the study; or,
- sell or give the information to a charity to solicit donations.
The researcher must sign a detailed research agreement which describes the nature of the research, the type of personal information which will be disclosed, how it will be used, any terms and conditions for the disclosure and the procedural safeguards that the researcher will use for its protection.
The research agreement is a detailed document which outlines the terms and conditions of the legal agreement between the researcher and the public body. It is treated as a legal agreement by both parties.
For orders organized by the Act's section numbers, Click here.
For a summary of Commissioner's orders and policy interpretation of key points, Click here.
Last updated: July 24, 2007