Consent & data sharing

Informed consent and sharing data, in plain terms

Two working checklists for evaluation teams: one for the consent process you offer clients, and one for the agreement you write when a host and its partners share participant information. Each comes with a few short example clauses you can adapt. They are grounded in Canada's Tri-Council Policy Statement (TCPS 2), the national standard for the ethical conduct of research involving humans.

Read this first. The checklists and example clauses below are starting points, not legal advice. Before you use anything here, have your activity reviewed by the people whose job it is to review it. Where the work is research, that means your Research Ethics Board (REB). For privacy and contractual questions, that means your privacy office or legal counsel. The line between quality improvement or program evaluation and research can be genuinely blurry, and you are not the one who decides which side of it your project sits on. An REB or another institutional authority makes that call. TCPS 2 Article 2.5 sets out that some quality assurance and program evaluation activities fall outside REB review, but you should confirm rather than assume that yours does.

TCPS 2 rests on three core principles: Respect for Persons, Concern for Welfare, and Justice. In practice they mean treating people as capable of deciding for themselves, protecting their wellbeing and privacy, and being fair about who is asked to take part and who carries the burden. Consent under TCPS 2 (set out in Chapter 3) has to be voluntary, informed, and ongoing. Voluntary means free of pressure. Informed means the person understands what they are agreeing to. Ongoing means consent can be revisited and withdrawn at any time.

A consent process is more than a signature on a form. It is a conversation, offered in language the person understands, that gives them a real chance to ask questions and to say no. Use the form to record that conversation, not to replace it.

What the consent process and form should cover

  • Voluntariness. Taking part is the person's choice, and declining carries no penalty. Their care, services, or relationship with the program does not change if they say no.
  • The right to withdraw. They can stop at any time without giving a reason, and the form says plainly what happens to information already collected if they withdraw, including whether it can still be used in summary form.
  • Plain-language purpose. Why the evaluation is being done and what you hope to learn, in everyday words.
  • What is collected and why. The specific information you will gather and the reason for each part of it, so people are not asked to agree to a vague catch-all.
  • Who sees the data and how it is held. Who has access, where it is stored, and how it is secured.
  • Privacy and confidentiality. How you protect identity, including removing or coding identifying details and storing data securely.
  • Limits to confidentiality. The situations where you may have to share information, for example a risk of serious harm or a legal duty to report. People should know these limits before they speak, not after.
  • Foreseeable risks and benefits. An honest account of any discomfort or risk, including that some questions may be sensitive, and of the benefits, which may be to others rather than to the person directly.
  • Retention and destruction. How long the information is kept and how it is securely destroyed afterward.
  • Secondary use and re-contact. Whether the data might be used for a later, related purpose, and whether the person may be contacted again.
  • Accessibility. Plain language, interpretation where it is needed, attention to a person's capacity to consent, and a route for a substitute decision-maker where someone cannot consent for themselves.
  • Who to contact. A named person or role to reach with questions or concerns, including, where the work is research, how to reach the REB.

Example clauses

Short wording to adapt to your program, your population, and your governing privacy law. These are illustrations, not approved text. Keep them brief and have them checked before use.

Example clause (adapt to your program)

“Taking part in this evaluation is your choice. If you decide not to, it will not affect the services you receive or your relationship with our program in any way.”

Example clause (adapt to your program)

“You can stop taking part at any time, without giving a reason. If you withdraw, you can ask us to remove the information we have collected from you, though information already combined into anonymous summaries cannot always be taken back out.”

Example clause (adapt to your program)

“We keep what you tell us confidential and store it securely. There are a few situations where the law or our duty of care may require us to share information, such as when someone is at risk of serious harm. Wherever we can, we will tell you if such a situation comes up.”

Example clause (adapt to your program)

“We will use your information to understand how our program is working and to report on it. When we report, we use grouped figures and do not identify you. We keep your information for [time period] and then destroy it securely.”

Data-sharing agreement between organizations

When a host program and its partners share information about participants, a written agreement records what is being shared, why, and under whose authority. It protects participants, and it protects the organizations by making each side's responsibilities clear before any data moves. Privacy law in Canada is not uniform, so the agreement has to match the law that applies to your data. Health information is governed provincially, for example PHIPA in Ontario and the Health Information Act in Alberta, while British Columbia's public bodies fall under FIPPA and its private organizations under PIPA. Confirm which statute governs your situation before you draft.

What a data-sharing agreement should cover

  • Parties and roles. Who the agreement is between and what each organization is responsible for.
  • Purpose and lawful authority. The specific purpose of the sharing and the legal basis for it.
  • Exactly what is shared. The precise data fields, limited to the minimum necessary for the purpose, with nothing included out of convenience.
  • Direction and method. Which way the data flows, how it is transferred, and how it is secured while in transit.
  • Identifiability. Whether the data is identifiable, coded, or de-identified, and, if coded, who holds the key that links it back to people.
  • Storage location and jurisdiction. Where the data is stored, kept consistent with Canadian privacy law and any data-residency requirements that apply to you.
  • Access controls. Who may access the shared data, and how that access is limited and recorded.
  • Retention and secure destruction. How long each party keeps the data and how it is securely destroyed or returned when the purpose ends.
  • Breach notification. What counts as a breach, who must be told, how quickly, and who does what in response.
  • Consent basis. The participant consent the sharing relies on, so the agreement does not exceed what people actually agreed to.
  • Term, review, and termination. How long the agreement lasts, when it is reviewed, and how it ends.
  • Compliance with privacy law. A clear statement of the applicable statute, recognizing that it differs by province (for example PHIPA in Ontario, the Health Information Act in Alberta, FIPPA and PIPA in British Columbia).

Example clauses

Short wording to adapt with your privacy office or legal counsel. These are illustrations, not approved text.

Example clause (adapt to your program)

“The shared information will be used only for the purpose described in this agreement and for no other purpose without the written consent of both parties.”

Example clause (adapt to your program)

“The parties will share only the data fields listed in Schedule A, which are the minimum necessary to achieve the stated purpose. No additional personal information will be shared under this agreement.”

Example clause (adapt to your program)

“Each party will protect the shared information with safeguards appropriate to its sensitivity. When the purpose of this agreement ends, each party will securely destroy the shared information or return it, as the parties agree in writing.”

Where to go next

Treat these checklists as a way to prepare for the conversations you need to have, not as a substitute for them. Take your draft consent process and any data-sharing plan to your Research Ethics Board where the work is research, and to your privacy or legal office in any case. For the source itself, the Panel on Research Ethics publishes the full text of TCPS 2 (Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans) and supporting guidance, which is the place to read the principles and the consent requirements in full.