All participating networks that makeup the Canadian Primary Care Sentinel Surveillance Network (CPCSSN) meet Privacy by Design Principles, developed by the Information and Privacy Commissioner of Ontario. These principles have been adopted by government ministries and privacy commissioner offices throughout the world as the standard for privacy and security of personal and health information. CPCSSN complies with the privacy legislation in each province and territory by meeting the Information Standards Organization (ISO) 27001/2 [WS1] that governs information system security and the Tri-Council Policy Statement of the Ethical Conduct of Research Involving Humans (TCPS3) [WS2] that governs the use of health information for research purposes.

CPCSSN has completed Privacy Impact Assessments and Threat Risk Assessments across its participating networks. Each network receives a comprehensive report of findings after an information handling audit and there is a privacy compliance checklist that enables each network to take steps to mitigate any identified privacy risks and conduct their own compliance monitoring. Each participating network is required to complete an annual ethics renewal through their host institution and the pan-Canadian CPCSSN also completes an annual renewal for a Health Canada research ethics board certificate of ethics approval. CPCSSN was awarded the 2013 International Association of Privacy Professionals Privacy Innovation Award.

CPCSSN data are anonymized. The data are then further encrypted and after this process the risk of this data being re-identified is very low. The data are then stored in a secure repository which meets all requirements under the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Information Protection Act (PIPA).

CPCSSN does NOT extract all patient data. CPCSSN extracts mainly structured data (e.g. lab values, blood pressure) and not notes or PDFs contained within electronic medical records. Only data managers who have undergone confidentiality training are able to view the de-identified data from your clinic.

Before releasing anonymous and encrypted CPCSSN data to authorized researchers, a regional data manager and central information and technology manager will apply further de-identification software. CPCSSN was awarded the 2013 International Association of Privacy Professionals Privacy Innovation Award.