Privacy and Security

Maintaining privacy and confidentiality is essential to the success of the Canadian Paediatric Surveillance Program (CPSP). We are dedicated to improving the health of children and youth in Canada by collecting valuable epidemiological public health surveillance data on rare paediatric medical conditions, while prioritizing the protection of the privacy of patients and participating paediatricians.

The CPSP maintains privacy and security by treating all data in accordance with applicable federal and provincial/territorial legislation, enforcing strict organizational policies and procedures for data protection, and using multiple physical and technical safeguards.

A 2024 privacy impact assessment, led by an independent privacy expert, gave the CPSP top marks for compliance with privacy laws and for properly managing and protecting all data shared with the Program.

Frequently asked questions

Why does the CPSP collect data?

The CPSP, on behalf of the Public Health Agency of Canada, collects data fromparticipating paediatricians and paediatric subspecialists across Canada so that improvements can be made to medical care and health policies for children and youth with rare diseases and conditions. The CPSP also collects data about emerging paediatric health issues so that action can be taken quickly, if needed.

What information does the CPSP collect?

The CPSP collects only non-identifiable information that is necessary for achieving its public health surveillance goals. The data elements are things that are documented as part of routine patient care.

How can the information be used?

The information collected by the CPSP can be used only for the purposes outlined in the study protocol. Every study protocol includes objectives that aim to influence medical practice or public health actions or policy.

How are ethical standards assured?

All CPSP studies and surveys are reviewed by the Program’s Scientific Steering Committee. All studies must receive approval from at least one certified research ethics board, including the Health Canada and Public Health Agency of Canada Research Ethics Board. These reviews help to ensure that the CPSP meets the highest ethical standards and privacy protections.

How is privacy assured?

Information collected through the CPSP is governed in accordance with Canada’s Privacy Act. The CPSP maintains the privacy and the confidentiality of all information collected in the following ways:

  • All data collected through the Program is handled according to applicable federal and provincial/territorial legislation that protects the privacy of personal health information. For more information on federal/provincial/territorial privacy legislation, click here.
  • Strict policies and procedures are followed to keep the data that is collected safe and secure.
  • No direct identifiers, such as the patient’s name, address, or medical record number, are collected for CPSP studies. The Public Health Agency of Canada and study investigators receive only non-identifiable data and the Program does not contact families or children/youth.
  • Only CPSP staff are aware of the names and contact information of participating paediatricians. This information is not shared with the Public Health Agency of Canada or the investigators.
  • Participating physicians may introduce the CPSP and the importance of rare disease surveillance to interested patients and families with the help of this information poster.
  • When CPSP study or survey results are published, they are presented so that patient privacy is protected. Only aggregate data are reported and case counts of fewer than five are suppressed.

Under what authority can the CPSP collect health information?

The Canadian Paediatric Society is contracted by the Public Health Agency of Canada to manage the CPSP to conduct surveillance of rare paediatric diseases/conditions through monthly reporting by Canadian paediatricians, paediatric subspecialists, and other medical specialists, as required. The legal authority for the Program’s surveillance activities is derived from theDepartment of Health Act(Sections 4(1) and 4(2))and thePublic Health Agency of Canada Act (Section 3(15)).

Under what authority can health care providers disclose health information?

The CPSP works with data-sharing stakeholders in each jurisdiction/institution, as needed, so that requirements are met for paediatricians to disclose data to the CPSP.

Paediatricians and other health care providers are authorized by their provincial/territorial health legislation (except Quebec) to disclose personal health information to public health agencies at the local, provincial, and federal levels for surveillance purposes, provided that provincial/territorial privacy legislation requirements are met.

In Quebec, the Ministère de la Santé et des Services sociaux authorizes the CPSP to collect case notifications (including month/year of birth and sex). More detailed case-level information for CPSP studies may also be collected in Quebec from institutions with project-specific research ethics board approval and data transfer agreements.

How is the information kept safe?

Strict policies and procedures ensure that the information collected by the CPSP is kept safe and used only for the surveillance study. The following safeguards are in place:

  • Physical safeguards

    • CPSP monthly notification reports are hosted in Canada by the Canadian Network for Public Health Intelligence (CNPHI) infrastructure. This infrastructure is managed by security-cleared CNPHI team members and all data is stored on secured Canadian servers.

    • Hard-copy monthly reporting forms and clinical questionnaires are stored in Canada in locked, access-controlled cabinets. Strict controls are in place for both access and handling which can be exercised by a small number of authorized, security-cleared personnel.

  • Technical safeguards

    • Data is transmitted using Secure Sockets Layer (SSL) technology.

    • Host servers are protected by firewalls.

    • Role-based user-level security is in place to limit access to electronic data.

    • Regular auditing of user actions is performed.

  • Organizational policies and procedures

    • Access, use, storage, and disposal of all data are controlled by protocol and signed user agreements.

    • CPSP staff members are security cleared.

    • Mandatory staff training on privacy and security protocols is conducted upon hire and as changes occur.

    • Strict procedures govern secure destruction and disposal of data.