PHIPA DECISION 243

The Information and Privacy Commissioner of Ontario (the IPC) received an anonymous complaint from a group of doctors relating to two research databases created from personal health information, UTOPIAN and POPLAR. The complaint alleged that the personal health information used to populate these databases was obtained from health information custodians without patient consent, and without providing sufficient information to the custodians. The complaint raised concerns about the de-identification of personal health information, and the possibility that such information was being sold or otherwise provided to third parties. The complainants contended that the underlying activity of operating a database of the nature of UTOPIAN and POPLAR was not “research” as contemplated by section 44 of the Personal Health Information Protection Act (the Act or PHIPA), and further alleged that even if this was research, the databases did not otherwise meet the requirements of section 44.
The IPC contacted the University of Toronto (the University), the operator of UTOPIAN. The University stated that POPLAR had been taken over by Queen’s University and was not yet operational, which Queen’s independently confirmed to the IPC. Accordingly, this investigation in respect of the University focuses on UTOPIAN only.
The University provided the IPC with extensive documentation regarding the operation of UTOPIAN. During the course of the investigation, the University stated that it continued to operate its database pursuant to a Protocol Completion Report approved by the University of Toronto Research Ethics Board (REB) after the REB approval for its research plan had expired. Later in this investigation, the University reported that it had paused all UTOPIAN activities and was in the process of applying for REB approval for use of the archived UTOPIAN database for research purposes.
In this decision, I find that the University collected personal health information without authorization under the Act during two periods when its REB approval had lapsed. I also find that the University failed to comply with requirements in s. 44 of the Act in that it failed to provide health information custodians copies of the research plan and its approval decision, failed to make regular site visits as required under the applicable research plan, and failed to provide custodians with notice of the 2018 collections of personal health information that occurred without an REB approval in place. Finally, I find that the University did not amend its research agreements by merely sending custodians notice of its proposed changes, and to the extent that the University collected, used, and retained personal health information beyond what was permitted by the applicable research agreement, this collection, use, and retention contravened section 44 of the Act.
The IPC did not find any evidence to substantiate the complainants’ allegations regarding the sale of personal health information, or their de-identification concerns. However, I recommend that in its new application to the REB relating to UTOPIAN data, the University should update its means of notifying patients regarding the UTOPIAN project, conduct a re-identification study to assess the robustness of its de-identification procedures, and exercise greater transparency with contributing custodians. I also recommend that the University ensure that it has research agreements in place with contributing custodians, including any significant amendments hereto, and that it complies with the applicable research agreements.