SUMMARY OF A PRIVACY IMPACT ASSESSMENT FOR THE ONTARIO BRAIN INSTITUTE'S BRAIN-CODE
Ontario Brain Institute
July 10, 2014

1.0 Introduction and Executive Summary

1.1 Introduction

The Ontario Brain Institute (OBI) was established in November 2010 with an initial $15 million investment by Ontario's Ministry of Economic Development and Innovation to focus the province's investments in research and innovation, to promote the commercialization of neuroscience research and to leverage private sector funding. OBI was created to become an internationally recognized centre of excellence in brain and neuroscience research, with an emphasis on clinical application, commercialization and education/training related to the prevention, early detection, diagnosis and, ultimately, control of brain diseases and disorders. On March 5, 2013, the government of Ontario announced additional funding in the amount of $100 million over 5 years.

What is unique about this endeavour is that OBI initiates, funds, promotes, stimulates and translates related research across a variety of disciplines. It supports integrated discovery programs (IDPs) that focus on a specific brain disease or disorder across the health spectrum, conceptually from cradle to grave. OBI's vision is: Converge. Discover. Deliver.

To support its work, OBI asked the Integrated Data Organizing Centre Consortium (InDOC, described further in s. 2.1 below) to establish and maintain a comprehensive data management solution. As such, OBI has built a platform to house research data, called Brain-CODE, where CODE stands for Centre for Ontario Data Exploration. Brain-CODE is an extensible informatics platform that manages the acquisition and storage of multidimensional data collected from patients with a variety of brain disorders. This solution enables centralized collection and analysis of data from diverse diseases, data sources and geographic locations.

InDOC's initial deliverables were to:
- Collect research program data transfer and functional requirements
- Deploy database systems
- Deploy Brain-CODE, the hardware platform which is the engine for the OBI initiative

This privacy impact assessment (PIA) analyzes Brain-CODE from the perspective of Ontario privacy legislation, regulations and industry best practices applicable to OBI and its handling of personal health information (PHI). It raises relevant orders and/or guidelines issued by the Information and Privacy Commissioner/Ontario as applicable. It provides an overview of the key users of Brain-CODE and of how information is proposed to flow, to whom, and under what authority. Data flows are grouped into discrete categories, namely collections, uses and disclosures, with discussion of OBI's contemplated zone-based infrastructure within which these activities occur.

1.2 Dykeman Dewhirst O'Brien LLP

Dykeman Dewhirst O'Brien LLP (DDO) is a boutique health law firm in Toronto. The work for this project was completed under the leadership of Mary Jane Dykeman and, up to March 31, 2013, with the assistance of her colleague, Abigail Carter-Langford. DDO and Abigail Carter-Langford bring significant legal and privacy experience to this initiative, with particular strengths in health privacy law, including the nuances of applicable legislation and data use in health research settings. They have a collective understanding of the health system and the framework within which health care and research organizations operate.

1.3 Structure and Objectives of Brain-CODE

Brain-CODE is a data management platform created to enable researchers to make a vast array of comparisons across a range of brain-related diseases. It is anticipated that consolidating all of the data in a single platform will help researchers find patterns and trends they might otherwise not see when reviewing data housed in different databases and in the custody and control of various organizations. The intent is to minimize duplication in both research efforts and data storage systems, create much larger patient populations for clinical trials, and offer new perspectives that may ultimately lead to new discoveries. Through its selected vendor, Ontario Cancer Biomarker Network (OCBN), OBI proposes to use specific clinical data management systems to facilitate researcher access to data held securely within Brain-CODE.

Access to data will be subject to robust processes including:
- Research ethics review
- Legal agreements with applicable hospitals, universities and associated research institutes (including research activity agreements with those institutions initially contributing data, as well as participation agreements with all those who become part of the OBI community)
- Creation of and adherence to a sound governance framework

In effect, Brain-CODE provides a platform to facilitate a single point of storage of and access to study data, and for researchers to access a number of applications. The core functionalities of Brain-CODE will provide researchers with the following:
- Single sign-on to multiple applications
- Facility to store and access various data types, including clinical assessments, registries, MRI, EEG, PET, genomics and proteomics assays, as appropriate to the research plan
- Capacity to encrypt health card numbers at the point of collection in Brain-CODE, while certain limited PHI will remain unencrypted for access by researchers
- Capacity to store direct identifiers in Brain-CODE in limited circumstances and subject to stringent rules

Some of the initial outcomes to be measured by OBI in respect of Brain-CODE will include:
- Safeguards for health and research data while facilitating access to it for legitimate research purposes
- Improved research insight in a single view through the creation of a standardized, comprehensive, rich and accessible database of clinical and biological assessments and imaging
- Help scaffolding the creation of cross-institutional teams of basic, clinical and applied scientists engaged in multi-disciplinary research
- Help developing and supporting partnerships of researchers and clinicians with industry, charitable organizations and government to translate results into improved patient care

In addition to the identified research programs above, it is intended that controlled access to limited sets of data in Brain-CODE will be provided to additional approved researchers and organizations joining the OBI community. This is discussed from a governance perspective in further detail below.
2.0 Description of Brain-CODE

2.1 Data Flows and Source Applications

OBI has contracted with OCBN for OCBN to assemble and manage a consortium called InDOC, to facilitate the development, maintenance and operations of Brain-CODE. Each of the InDOC members brings complementary capabilities to the Brain-CODE platform:
- High Performance Computing Virtual Lab (HPCVL) at Queen's University, with high performance computing hardware and storage
- Rotman Research Institute (RRI) and Heart and Stroke Foundation Centre for Stroke Recovery (CSR) at Baycrest Centre for Geriatric Care, with neuroimaging informatics infrastructure
- OCBN, with management of molecular data and the overall Brain-CODE platform
- Electronic Health Information Laboratory (EHIL) at the Children's Hospital of Eastern Ontario, which has developed a set of de-identification and risk analysis tools that will be applied to data prior to disclosure

The integrated discovery programs scheduled to initially populate and leverage the Brain-CODE platform include:
- Childhood Hemiplegic Cerebral Palsy Integrated Neuroscience Discovery Network (CP-NET)
- The Epilepsy Discovery Project (Ep-Link)
- Province of Ontario Neurodevelopmental Disorders Network (POND)
- Non-Invasive Brain Stimulation plus Pharmacotherapy to restore Self-Regulation in Addicted or At-Risk Populations
- Ontario Neurodegenerative Disease Research Initiative (ONDRI)
- Degeneration and developing an informal Database for patients with Concussion in Ontario
- The Canadian Biomarker Integration Network for Depression (CAN-BIND)

Key functional requirements of these initially identified research programs include:
- the use of clinical data management systems such as Medidata RAVE, OpenClinica Enterprise and REDCap to support electronic data capture (EDC) of clinical assessment and registry data from all research programs, i.e., each program is using one or more of these data management systems for the capture and storage of study clinical data;
- the use of the Stroke Patient Recovery Research Database (SPReD), a neuroimaging data archiving system based on the open source XNAT framework, to support the collection of MRI, PET and EEG data sets from all research programs; and
- the use of the BioArray Software Environment (BASE) system to support the collection of genomics and proteomics data sets from all research programs.

These software applications are a mix of commercial tools, tools developed by the InDOC participants and open-source applications. Database systems including Medidata RAVE, OpenClinica Enterprise, REDCap, SPReD and BASE were installed in the Brain-CODE data centre environment. In some cases, an instance of one of the software applications listed above may be installed at the data collection site. Web-based user interfaces for Medidata RAVE, OpenClinica Enterprise, REDCap, SPReD and BASE are available for direct access by research teams for the electronic capture of clinical data and the uploading of neuroimaging (SPReD) and molecular (BASE) data sets. Access to these applications is protected by encrypted and authenticated connections.

A critical safeguard is the application of privacy enhancing technologies from EHIL. EHIL is tasked with providing software development services to support the encryption of health card numbers (HCNs) (issued pursuant to the Ontario Health Insurance Plan under the Health Insurance Act [1]) and the secure comparison and matching of subject records, based on encrypted HCNs, between Brain-CODE and external data sources. To ensure the Brain-CODE data set is protected against re-identification to the extent possible, it is anticipated that the encryption functionality will be applied as necessary should other elements of PHI (name, address, demographics, etc.) be required for collection in Brain-CODE. The data entry forms for the software applications mentioned above have been specifically designed to omit fields that correspond to directly identifying elements. EHIL's Privacy Analytics Risk Assessment Tool (PARAT) will be applied to data from Brain-CODE prior to disclosure to researchers to remove identifying information to the extent possible. PARAT will also be used to ensure the risk of re-identification meets a predetermined threshold while maximizing data granularity. [2] HCNs, which are inherently identifiable, will be encrypted prior to their upload into Brain-CODE, using an algorithm developed by EHIL.

Brain-CODE, and all of the data it contains, will be hosted at HPCVL in Kingston, Ontario, with backup provided by a separate secure location at Queen's University, also in Kingston. OCBN currently has a subcontract agreement with Queen's University, which provides hosting and related services for Brain-CODE infrastructure and data.

Original Purpose of Collection

In each instance, PHI is collected for clinical purposes and becomes part of a given research study; the currently identified sources of this information are the studies listed above. These studies have been reviewed and approved by the research ethics boards of the respective health information custodians where the PHI originated (i.e., hospitals collecting PHI from patients for clinical purposes). Data collected for the purposes of these studies have direct identifiers removed, unless approved by an REB, and HCNs are encrypted as described above. The collection and upload of identifying information described in the approved research proposals requires the consent of the participants (unless, in rare instances, the applicable research ethics board provides a waiver of consent as permitted under PHIPA [3]). Consent is also sought to permit the secondary use of de-identified study information for placement in Brain-CODE to enable additional approved research. In some instances, PHI will be held in Brain-CODE for which direct and indirect identifiers cannot be removed. This is discussed in further detail below.

[1] R.S.O. 1990, c. H.6.

2.2 Privacy by Design

OBI has committed to using a Privacy by Design approach to the development and implementation of the Brain-CODE platform.
This is an approach pioneered by the Information and Privacy Commissioner/Ontario that encourages the use of privacy-enhancing technologies and processes to minimize or address the threats to privacy that technological innovations can pose. The seven principles of Privacy by Design are set out below, [4] each group paired with OBI's approach.

Privacy by Design Principle 1. Proactive not Reactive; Preventative not Remedial. The Privacy by Design (PbD) approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy-invasive events before they happen.

Privacy by Design Principle 2. Privacy as the Default Setting. Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice.

OBI approach (Principles 1 and 2): OBI continues to prioritize privacy and security leadership and to seek out global best practices to implement. In August 2012, OBI brought together world and local leaders at a symposium intended to generate ideas and best practices in the management and integration of large data sets. This symposium included sessions dedicated to understanding the challenges to privacy and security and generating ideas to address these challenges. These discussions were guided by the Information and Privacy Commissioner/Ontario's instruction on Privacy by Design. OBI continues to meet regularly with the Information and Privacy Commissioner/Ontario to discuss Brain-CODE. To the extent possible, direct identifiers are removed prior to transfer of data into Brain-CODE. This process has been implemented both to ensure regulatory compliance and to maximize the protection of the information by not collecting identifiable information as the default. In a few instances, such as with imaging data, collecting identifiable information may be necessary, and appropriate consents and protections are in place. Software is available that can remove file headers, which may contain direct identifiers, and facial features.

Privacy by Design Principle 3. Privacy Embedded into Design. Privacy by Design is embedded into the design and architecture of IT systems and business practices. Privacy is integral to the system, without diminishing functionality.

Privacy by Design Principle 4. Full Functionality: Positive-Sum, not Zero-Sum. Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum, win-win manner, not through a dated, zero-sum approach where unnecessary trade-offs are made.

Privacy by Design Principle 5. End-to-End Security: Full Lifecycle Protection. Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved; strong security measures are essential to privacy, from start to finish.

Privacy by Design Principle 6. Visibility and Transparency: Keep it Open. Privacy by Design seeks to assure all stakeholders that, whatever the business practice or technology involved, it is in fact operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to users and providers alike.

Privacy by Design Principle 7. Respect for User Privacy: Keep it User-Centric. Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering, user-friendly options.

OBI approach (Principles 3 to 7): From the initiation of the procurement process to develop Brain-CODE, privacy and security have been a core value and design requirement. Data entry forms have been configured such that the fields corresponding to identifiable information are limited or omitted altogether. Brain-CODE leverages the advanced technology and techniques of EHIL to encrypt health card numbers and to assess the potential risk of re-identification prior to release. This approach maximizes the amount of uniquely identified information available to researchers while mitigating the risk of re-identification of research participants. In addition to being developed and retained in an environment that emphasizes the industry-leading security protections described in greater detail in the section labelled Safeguards, the Brain-CODE platform leverages industry-leading certificate management processes and technology for authentication. OBI has implemented robust governance and tracking processes to oversee the development and operations of Brain-CODE. An independently conducted PIA has been undertaken; the results of this activity will be shared with the Information and Privacy Commissioner/Ontario, and a commitment has been made to make the document available publicly to both researchers and participants. Brain-CODE is a consent-based platform where research participants are informed and voluntary contributors and know that, by consenting to the research in question, they are agreeing to have their PHI placed in the OBI platform, Brain-CODE.

[2] See http://www.ipc.on.ca/images/resources/anonymization.pdf for a discussion of the use of de-identification tools to protect personal health information; see also this description: http://www.privacyanalytics.ca/products.asp.
[3] PHIPA, s. 44(3)(d) states that, among other considerations, an REB must determine whether obtaining the consent of the individuals whose personal health information is being disclosed would be impractical.
[4] http://privacybydesign.ca/about/principles/ (last accessed on September 3, 2013).
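The PARAT step described in section 2.1 (remove identifying information, then confirm that the re-identification risk meets a predetermined threshold while keeping as much granularity as possible) and the risk assessment prior to release mentioned above can be modelled as a k-anonymity style check. The Python below is an added illustration written for this summary, not PARAT and not Brain-CODE code: it groups records by their quasi-identifiers, takes the largest per-record risk to be 1 divided by the size of the smallest group, and generalises the quasi-identifiers step by step until that risk is at or below the threshold, stopping at the least generalised combination that passes. The records, the generalisation ladders (age bands, sex, the forward sortation area of the postal code), the prosecutor-style risk measure and the threshold are all constructed assumptions; the page does not describe PARAT's actual method or the thresholds Brain-CODE uses.

```python
"""Re-identification risk check before release, in the style of the
k-anonymity based tools the summary refers to: group records by their
quasi-identifiers, take the largest per-record risk as 1 / (smallest group),
and generalise the quasi-identifiers step by step until that risk meets a
predetermined threshold, stopping at the least generalised level that passes.

Added illustration only; PARAT's method and Brain-CODE's thresholds are not
described on the page. Records, generalisation ladders and threshold are
constructed assumptions.
"""
import itertools
from collections import Counter

# Constructed records: three quasi-identifiers (age, sex, postal forward
# sortation area) plus one clinical attribute that is never generalised.
RECORDS = [
    {"age": 34, "sex": "F", "fsa": "K7L", "dx": "epilepsy"},
    {"age": 36, "sex": "F", "fsa": "K7M", "dx": "epilepsy"},
    {"age": 41, "sex": "M", "fsa": "M5S", "dx": "stroke"},
    {"age": 45, "sex": "M", "fsa": "M5T", "dx": "stroke"},
    {"age": 31, "sex": "F", "fsa": "K7L", "dx": "concussion"},
    {"age": 47, "sex": "M", "fsa": "M5S", "dx": "stroke"},
]


def gen_age(age, level):
    """Level 0 exact, 1 five-year band, 2 ten-year band, 3 suppressed."""
    if level == 0:
        return str(age)
    if level <= 2:
        width = 5 if level == 1 else 10
        lo = age // width * width
        return f"{lo}-{lo + width - 1}"
    return "*"


def gen_sex(sex, level):
    return sex if level == 0 else "*"


def gen_fsa(fsa, level):
    """Level 0 full FSA, 1 first letter only (broad region), 2 suppressed."""
    return fsa if level == 0 else (fsa[0] if level == 1 else "*")


# Quasi-identifier -> (ladder function, maximum level)
LADDERS = {"age": (gen_age, 3), "sex": (gen_sex, 1), "fsa": (gen_fsa, 2)}


def generalise(records, levels):
    """Apply one generalisation level per quasi-identifier to every record."""
    return [{**r, **{q: LADDERS[q][0](r[q], levels[q]) for q in LADDERS}}
            for r in records]


def max_risk(records):
    """Largest per-record re-identification risk under a prosecutor model:
    1 / size of the record's equivalence class on the quasi-identifiers."""
    classes = Counter(tuple(r[q] for q in LADDERS) for r in records)
    return 1 / min(classes.values())


def release(records, threshold):
    """Return (levels, generalised records) for the first level combination,
    in ascending order of total generalisation steps, whose max risk is at or
    below the threshold; raise if even full suppression cannot reach it."""
    quasi = list(LADDERS)
    combos = itertools.product(*(range(LADDERS[q][1] + 1) for q in quasi))
    for combo in sorted(combos, key=sum):      # stable sort: fewest steps first
        levels = dict(zip(quasi, combo))
        out = generalise(records, levels)
        if max_risk(out) <= threshold:
            return levels, out
    raise ValueError("threshold unreachable even with full suppression")


def reachable(records, threshold):
    """True if some generalisation level set meets the threshold."""
    try:
        release(records, threshold)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    levels, out = release(RECORDS, threshold=0.5)   # 0.5 is the k = 2 equivalent
    print(levels, max_risk(out))
    for row in out:
        print(row)
```

A threshold of 0.5 corresponds to requiring at least two indistinguishable records per group; real releases use a far lower threshold, consider record-level suppression and the attacker model, and weigh the indirect identifiers the page says may remain in some data sets, none of which this toy does. Full generalisation cannot drive the risk below 1/n for n records, so a threshold tighter than that is reported as unreachable rather than silently released.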
2.3 Goals & Objectives of the PIA

This PIA analyzes privacy risks associated with the implementation of Brain-CODE and potential mitigation strategies as required. It will generally:
1. Describe the information flows associated with Brain-CODE (i.e., the anticipated collections, uses, disclosures, retention, destruction and storage of information in Brain-CODE), and comment on whether basic privacy standards are met.
2. Assist OBI in understanding and mitigating any potential privacy challenges associated with the operation of Brain-CODE.
3. Demonstrate OBI's due diligence in using best practice tools to identify and mitigate privacy risks in advance of proceeding with implementation of these new systems.
4. Provide a source of information for key stakeholders, including the Information and Privacy Commissioner/Ontario and future partners, including the Institute for Clinical and Evaluative Sciences (ICES).

2.4 Scope of the PIA

This PIA is limited to assessing the privacy risks associated with the implementation of Brain-CODE at OBI. As noted above, this PIA does not constitute a PIA of the information systems which interface with Brain-CODE. In addition, this PIA does not constitute a Threat Risk Assessment (TRA) or Vulnerability Assessment (VA) of these new systems; a Vulnerability Assessment has been conducted and is discussed below (see Safeguards), and a two-step TRA is currently underway (with results of step 1 available by May 2014). [5] The PIA also contemplates the ways in which the risks of re-identification of PHI may be managed.

Information for this PIA was obtained from a number of sources, including directly from the Project Team (both in written documentation and verbal discussions), [6] a security audit report relating to the HPCVL facilities prepared in March 2009, and ongoing project design and governance analysis. System architecture and certain factual information were derived from documents prepared by InDOC and subsequently confirmed with Moyez Dharsee, InDOC's Director, Informatics.

2.5 Description of Brain-CODE Infrastructure (Data Centre)

2.5.1 Hardware Architecture

Computational infrastructure for Brain-CODE is provided and maintained by the HPCVL data centre in Kingston, which is part of the Compute Canada HPC consortium. HPCVL currently supports research teams across Canada, including academic and industry organizations. The Brain-CODE data centre provides a robust, scalable, high performance computing platform that can satisfy the long term processing and storage requirements of multiple large scale research programs, while enabling secure and seamless open access data sharing. Computing and storage resources are available to the Brain-CODE platform to meet known short term requirements, and are scalable to provide additional capacity as demand increases. Currently available resources include:
- 300 processing cores spanning 30 high end servers capable of running multiple operating systems
- 300 terabytes of highly available online disk storage, protected by onsite and off site backup to ensure data availability and disaster recovery
- On demand access to mission critical big iron servers, including access to 9 M9000 systems, each equipped with 64 quad core SPARC VII processors and 2 TB of RAM
- On demand access to computing servers, including a cluster of 78 Sun Enterprise T5140 servers, each equipped with dual 8 core N2+ processors with 8 threads/core and 32 to 64 GB of RAM

[5] This is in addition to a March 2009 security audit of the HPCVL environment; OBI is cognizant of the industry best practice of having a TRA every 5 years. This issue is discussed in greater detail in Safeguards.
[6] The Project Team consists of OBI staff and the InDOC members.
2.5.2 Description of User Access to Systems

Brain-CODE will have three major user groups:
- Researchers inputting data sets
- Researchers accessing data sets
- OCBN staff and agents developing and maintaining Brain-CODE

Researchers inputting data sets

Researchers access the platform by signing into web-based database applications deployed at Brain-CODE, including Medidata RAVE, OpenClinica Enterprise, SPReD and BASE. Researchers can also access user interfaces for these applications by signing into the Brain-CODE Portal. Clinical assessment data are entered into electronic case report forms, while neuroimaging and molecular data sets are uploaded in the form of raw data files, as well as processed data files, in pre-defined formats (e.g., DICOM format for MRI data, CEL format for RNA microarray data). Data can also be transferred into Brain-CODE in non-standard or arbitrary file formats (e.g., comma-separated value format), by uploading such files into individual databases using their respective web interfaces, or by uploading them into the Brain-CODE file repository using the Portal web interface. Data dictionaries for all data entered into Brain-CODE systems will be developed.

To each subject record or data set entered into Brain-CODE, researchers are required to attach a Subject Identifier (ID), which must be unique at the study level. These Subject IDs enable integration of data sets between data domains stored across multiple database systems. Researchers enter HCNs from consenting research participants into Brain-CODE using the Subject Registry web application. The Subject Registry implements the encryption algorithm developed at EHIL, providing client-side encryption of HCNs within the researcher's web browser. A Subject ID is also provided and linked with each encrypted HCN, allowing encrypted HCNs to be associated with clinical, neuroimaging and molecular data sets, and allowing these data to be linked, using EHIL's secure linkage and comparison tools, with health databases external to OBI. Encrypted HCNs and Subject IDs are stored in the Subject Registry database within the context of the integrated discovery research project (e.g., CP-NET) and the research study from which these identifiers were collected.

The Subject Registry, in coordination with other components of the Brain-CODE Data Integration System (DIS), implements mechanisms for synchronizing Subject IDs across the individual database systems. For example, when a Subject ID is entered by a researcher into the SPReD system (together with the subject's neuroimaging data set), this identifier is transmitted to and recorded within the Subject Registry database. The Subject Registry is therefore a central repository of all Subject IDs provided by researchers to Brain-CODE. This synchronization allows some quality control and reconciliation of subject identifiers; for example, if a Subject ID is entered incorrectly into SPReD when uploading a neuroimaging data set for a subject, but is entered correctly into OpenClinica when entering clinical assessment information for the same subject, the Subject Registry will detect and flag the disconnected data sets and notify the Brain-CODE database administrators of the mismatch, who can then follow up with the researcher(s) to correct the error.

OCBN staff and agents

OCBN staff and agents will have access to Brain-CODE based on role. In order to minimize the risks associated with this role-based access, OCBN is contractually bound to OBI (and further binds its subcontractors) to safeguard privacy and security. Confidentiality agreements are also required to be signed. Access to production software systems containing research program information, including demographic and study-level information, is restricted to designated staff and agents who are required to use such systems to conduct data management duties and/or to provide application-level administration for such systems. Authorization and assignment of role-based access to computer servers and virtual machines is obtained by written request to the Brain-CODE Security Officer.
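As an added illustration of the Subject Registry mechanics described above (this is not Brain-CODE's code, and not EHIL's algorithm, which the page does not describe), the Python below keeps a keyed pseudonym of each HCN against a study-level Subject ID, records which data systems have reported each Subject ID, flags the mismatch case from the paragraph above (an ID uploaded to SPReD that was never registered), flags two Subject IDs that resolve to the same HCN, and performs deterministic linkage against an external source holding pseudonyms made with the same key, which is the primary linkage mode named in the recommendations table later in this summary. The HMAC construction, the key, the system names and all HCNs, Subject IDs and external records are assumptions for the example; the real encryption runs in the researcher's browser, and this model reproduces only the property linkage needs, that the same HCN always yields the same token.

```python
"""Subject Registry model: keyed pseudonyms of health card numbers (HCNs)
linked to study-level Subject IDs, Subject ID synchronisation across data
systems, reconciliation of mismatched IDs, and deterministic linkage against
an external source holding pseudonyms made with the same key.

Added illustration, not Brain-CODE or EHIL code. EHIL's HCN encryption is
not described on the page; the HMAC pseudonym below is an assumed stand-in
that shares only the property linkage needs (same HCN, same token). All
system names, HCNs, Subject IDs and external records are constructed.
"""
import hashlib
import hmac
import re
from collections import defaultdict

# Assumed linkage key; a real deployment would hold it outside the data store.
LINKAGE_KEY = b"demo-linkage-key-not-for-production"


def normalise_hcn(hcn: str) -> str:
    """Reduce an Ontario HCN to its 10 digits, dropping spaces, dashes and the
    optional two-letter version code, so entry format cannot break linkage."""
    core = re.sub(r"[^0-9A-Za-z]", "", hcn)[:10]
    if len(core) != 10 or not core.isdigit():
        raise ValueError("HCN must contain 10 digits")
    return core


def pseudonymise_hcn(hcn: str, key: bytes = LINKAGE_KEY) -> str:
    """Deterministic keyed token. Equal HCNs give equal tokens, so tokens can
    be compared for linkage; without the key an observer cannot enumerate the
    10-digit HCN space to reverse a token, which a plain hash would permit."""
    return hmac.new(key, normalise_hcn(hcn).encode(), hashlib.sha256).hexdigest()


class SubjectRegistry:
    def __init__(self, systems):
        self.systems = frozenset(systems)   # data systems, e.g. OpenClinica, SPReD
        self.tokens = {}                    # (project, study, subject_id) -> token
        self.seen = defaultdict(set)        # (project, study, subject_id) -> systems

    def register(self, project, study, subject_id, hcn):
        """Client-side step: only the token reaches the registry, not the HCN."""
        key = (project, study, subject_id)
        token = pseudonymise_hcn(hcn)
        if self.tokens.get(key, token) != token:
            raise ValueError(f"{subject_id} already registered with another HCN")
        self.tokens[key] = token

    def record_upload(self, project, study, subject_id, system):
        """Synchronisation: a data system reports the Subject ID it received."""
        if system not in self.systems:
            raise ValueError(f"unknown system {system}")
        self.seen[(project, study, subject_id)].add(system)

    def reconcile(self, project, study):
        """Flag Subject IDs reported by a data system but never registered (the
        mistyped-ID case) and distinct Subject IDs sharing one HCN token
        (duplicate enrolment). Returns sorted (subject_id, issue, detail)."""
        flags = []
        for (p, s, sid), systems in self.seen.items():
            if (p, s) == (project, study) and (p, s, sid) not in self.tokens:
                flags.append((sid, "unregistered", sorted(systems)))
        by_token = defaultdict(list)
        for (p, s, sid), token in self.tokens.items():
            if (p, s) == (project, study):
                by_token[token].append(sid)
        for sids in by_token.values():
            if len(sids) > 1:
                for sid in sids:
                    flags.append((sid, "duplicate_hcn", sorted(set(sids) - {sid})))
        return sorted(flags)

    def link_external(self, project, study, external_tokens):
        """Deterministic linkage: exact match of registry tokens against tokens an
        external source computed with the same key. Returns (subject_id, ext_id)."""
        return sorted(
            (sid, external_tokens[token])
            for (p, s, sid), token in self.tokens.items()
            if (p, s) == (project, study) and token in external_tokens
        )


def demo():
    """Constructed scenario: one mistyped ID in SPReD, one duplicate enrolment,
    and an external source (also constructed) that knows two of the HCNs."""
    reg = SubjectRegistry(["OpenClinica", "SPReD"])
    reg.register("CP-NET", "study-A", "CP-0024", "1234 567 890 AB")
    reg.register("CP-NET", "study-A", "CP-0031", "9876-543-210")
    reg.register("CP-NET", "study-A", "CP-0099", "1234567890")   # same card as CP-0024
    reg.record_upload("CP-NET", "study-A", "CP-0024", "OpenClinica")
    reg.record_upload("CP-NET", "study-A", "CP-0042", "SPReD")   # should have been CP-0024
    external = {pseudonymise_hcn("9876543210"): "EXT-7",
                pseudonymise_hcn("5555555555"): "EXT-9"}
    return {"flags": reg.reconcile("CP-NET", "study-A"),
            "matches": reg.link_external("CP-NET", "study-A", external)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because the token is deterministic, anyone who obtains the key can test candidate HCNs against stored tokens, so in a real deployment the key must be kept away from the data store and its use confined to the linkage step; a random per-subject identifier would avoid that exposure but would not support matching against external sources, which is the trade-off a deterministic design accepts.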
In the interim, it is recommended that OCBN continue its work to develop Information Security Policies, including an access control policy that documents the existing process for limiting access to Brain-CODE to an appropriately minimal number of staff, granted through appropriately managed processes, and, where access is provided to subcontractors by OCBN, that a vendor/supplier access policy and related procedure be implemented.

Recommendations and Responses

Attached is a table that outlines 27 recommendations for Brain-CODE and the accompanying responses or any actions that have been or will be taken. Where action is required, this PIA will be updated as necessary.
Columns of the table: # / Description / Rating / OBI Response / Date of Resolution (Actual or Expected)

1 General Statutory Analysis (Rating: Low)

1. OBI should formally implement a policy that:
   (a) requires the inclusion of directly identifiable data elements in Brain-CODE only as necessary (e.g., imaging data where direct and indirect identifiers may not be stripped out);
   (b) requires that consent from participants is obtained prior to collection of participant information in Brain-CODE unless an REB waiver is obtained.
   OBI response: (a) OBI has established an Informatics Governance Policy outlining that directly identifiable elements will be held in Brain-CODE only as necessary, and the architecture to allow for the secure transfer, storage and handling of this data has also been developed in accordance with the Informatics Governance Policy. (b) It is a requirement that any participants from whom data are to be collected and input into Brain-CODE provide express consent (unless, in a rare situation, an REB has provided for a consent waiver).
   Date of resolution: February 2014

2. OBI should implement an agreement with participating health information custodians clarifying OBI's role in the provision of Brain-CODE and requiring health information custodians to agree to the proposed zone-based structures and various roles undertaken by OBI.
   OBI response: OBI has created, as a schedule to the Research Activity Agreement (RAA) with participating Health Information Custodians (HICs), a Participation Agreement (PA) that clarifies OBI's role in the provision of Brain-CODE and OBI's activity as a Health Information Network Provider or Electronic Service Provider, as appropriate. As outlined in Section 3.3, upon signing the RAA and PA, HICs agree to these roles undertaken by OBI and to the zone-based infrastructure. It is anticipated that both Agreements will be signed by March 31st.
   Date of resolution: March 2014

3. OBI should consider application for prescribed registry status in the event that:
   (a) the express consent model in current use results in a sufficient rate of consent being declined that the objectives of the research are potentially compromised, or
   (b) future research objectives require more routine use of PHI under circumstances where it is impractical to obtain consent (the standard review by a research ethics board would apply).
   OBI response: At the present time, application for prescribed registry status is out of OBI's scope. A process to monitor rates of consent is under development and will be incorporated into future development cycles for the Subject Registry and Portal system. Although prescribed registry status may not be appropriate for OBI at this point, it can be revisited in the future should there be (a) a sufficient rate of declined consent or (b) more routine use of PHI under circumstances where obtaining consent is impractical.
   Date of resolution: Process to monitor consents: July 2014

4. To facilitate decision-making regarding application for registry status, OBI should monitor from the outset rates of consent in the research studies associated with Brain-CODE and require the disclosure of rates of consent, in de-identified form, by researchers to OBI.
   Rating: Medium
   OBI response: The ability to monitor consents is in process, as described above. At the present time, OBI has concluded that application for prescribed registry status is unnecessary.
   Date of resolution: Process to monitor consents: July 2014

5. Mechanisms must be adopted to ensure that no researchers use external data sources to re-identify or seek to decrypt the health card numbers, including provisions specifically prohibiting researchers or health information custodians from re-identifying Brain-CODE data sets or linking Brain-CODE data sets with external data sources for this purpose. These mechanisms might include terms in Research Activity Agreements and other OBI policies and agreements.
   OBI response: Mechanisms are put in place for researchers who wish to access data on Brain-CODE for studies that they are not a part of. As per Section 1.2.7 in the Informatics Governance Policy, it is prohibited for data users to attempt, by any means, to re-identify participants. This is made explicit in Participation Agreements signed by such external parties, and in a Data Use Agreement that precedes access to any data in Brain-CODE. De-identification tools and the zone-based infrastructure that permits the functional separation of sensitive data have been put in place to minimize the risk of re-identification.
   Date of resolution: March 2014; Data Use Agreement: under review, to be complete before end of July 2014

2 Accountability

6. OBI should ensure that OCBN and its subcontractors are also contractually restricted from using or disclosing confidential Brain-CODE information, and ensure that the contractual requirements for OCBN are at the standard that would be expected and required in the event that the data resident in Brain-CODE are identifiable.
   OBI response: The master service level agreement between OBI and OCBN provides for such restrictions under section 15.1. Article 13 of subcontracts between OCBN and subcontractors mirrors the master service level agreement sections related to Confidentiality. Subcontractor agreements have been executed.
   Date of resolution: May 2014

7. In order to ensure that a comprehensive accountability structure is in place, OBI should continue with its policy work and ensure this work is complete and implemented prior to the population of data.
   OBI response: In addition to OBI's general Governance Policy, an Informatics Governance Policy has been developed that comprises five sections: Definitions and Framework, Terms of Reference, Data Sharing Policy, Privacy Policy and Privacy Breach Policy. A Data Use Agreement is in development. The Informatics Governance Policy will continue to be monitored to ensure the required accountability structure is in place.
   Date of resolution: Informatics Governance Policy: February 2014; Data Use Agreement: under review, to be complete before end of July 2014

8. OBI should continue to work closely with OCBN to ensure that security and privacy policies, particularly in respect of incident management, are aligned and provide for clear accountability between OBI, OCBN and other members of the InDOC consortium as required.
   OBI response: OBI has weekly meetings with OCBN and monthly meetings with the InDOC consortium to ensure alignment and progress. An Information Security Policy has been completed, and is aligned with the Privacy Breach Protocol, which outlines in Sections 1.4.1 and 1.4.2 the steps that are to be taken by HPCVL in the event of a Privacy Breach.
   Date of resolution: Meetings with OCBN/InDOC: ongoing; Information Security Policy: completed January 2013

9. OBI should ensure the implementation of a policy that addresses the requirements of limiting collection, and make amendments to research agreements as required.
   OBI response: This recommendation has been incorporated into the Participation Agreement and is also reflected in the Privacy Policy as part of the Informatics Governance Policy posted online.
   Date of resolution: March 2014 (signed Participation Agreements)

3 Limiting Use, Disclosure & Retention

10. OBI should conclude and implement the governance framework described above at its earliest opportunity and prior to facilitating access to extracted data sets.
   OBI response: An Informatics Governance Policy has been completed and posted on OBI's website. A Data Use Agreement will be developed by Spring 2014, before any data can be extracted by third parties.
   Date of resolution: Informatics Governance Policy: complete; Data Use Agreement: under review, to be complete before end of July 2014

4 Accuracy

11. Use of the probabilistic matching algorithm should be limited to specific purposes, with appropriate oversight by the Data Access Committee or the President and Scientific Director.
   OBI response: Currently the probabilistic matching algorithm is in development and not in use. Once ready, there will be robust testing and validation carried out, and it will be limited to specific purposes only when ready for use. The President and Scientific Director will oversee the implementation of the probabilistic matching algorithm as recommended.
   Date of resolution: The use of the probabilistic algorithm has been delayed until after the deterministic pilot.

12. InDOC should conduct extensive data quality testing to ensure that the algorithm is performing as expected to produce accurate matches.
   Rating: Medium (shown once in the table against recommendations 8 to 12)
   OBI response: Deterministic linkage, which will be the primary mode of matching, has been in use for many years and is an industry standard approach. When used appropriately, there is a 100% match rate. Upon the development of a probabilistic linking algorithm, rigorous testing will be conducted to ensure the accuracy of the returned matches.
   Date of resolution: Pilot underway, to be completed by September 2014

5 Safeguards

13. OBI should ensure that the Information Security Policy
   OBI response: An Information Security Policy has been completed,
work is completed prior to population of the platform and further that the security policies align to the ISO security domains. 14. A procedure to ensure timely management of security incidents detected after-hours should be implemented. 15. A policy for sub-contractor access to Brain-CODE either physically or by remote electronic connection should be established. Greater supervision or a policy for determining trusted status should be clarified within the scope of the policy. 16. Appropriate training materials, supported by an appropriate use agreement and related policy should be implemented for researchers prior to access to the Brain-CODE application. 17. A policy for granting access to OCBN personnel should be developed and implemented. 18. A policy for registering and validating users to the platform should be developed and implemented 19. A Threat Risk Assessment should be conducted prior to the population of the Brain-CODE platform. Medium Medium and HPCVL considers the Information Security Policies for Brain-CODE and associated procedures to be adequately aligned with and have sufficient coverage against the security management standards specified in ISO security domains. There will be prompt notification to personnel once detection mechanisms at HPCVL are engaged. Afterhours support is in place, where security breach containment processes will be initiated within 3 hours. This process is outlined in the Privacy Breach Policy, the Information Security Policy and in OBI s contract with OCBN. A policy that outlines sub-contractor access to Brain- CODE is part of the Information Security Policy. A policy for determining trusted status for users of Brain-CODE is also outlined in the Information Security Policy. Users will either be members of the ID Programs, or external users, each of whom will undergo a verification to gain trusted status. All access will be granted and revoked by the Security Officer. 
Training materials for specific applications used for data entry and data management in Brain-CODE have been developed by InDOC. A separate User s Manual for Brain-CODE and a Data Use Agreement are in development. This has been addressed in the Information Security Policy. All access will be granted and revoked by the Security Officer. A workflow describing the types of users has been developed, and the process by which accounts are validated is outlined in the Information Security Policy. A Threat Risk Assessment (TRA) was carried out at HPCVL in March of 2011, no additions or changes January 2013 January 2013 January 2013 March 2014; training materials developed and provided to users upon training. January 2013 January 2013 Stage 1 completed May 18
20. OCBN should establish a password policy and ensure that it is consistently applied across the applications on the Brain-CODE platform. 21. OCBN should consider implementing a Test Environment Policy to ensure that test systems will only contain test data, never actual participant data. 6 Openness 22. OBI should post specific information on its website regarding privacy and security of Brain-CODE and its governance structure. 23. OBI should consider posting a finalized copy of this PIA or a summary of it to the website. 24. OBI should proceed as planned to make available this PIA to the IPC and other stakeholders. 7 Individual Access 25. OBI should ensure that procedures for redirecting access and correction requests are addressed in its policies and agreements with health information Low Medium were requested to how HPCVL conducts business following the completion of this assessment. A second two-stage TRA is currently underway by an independent organization that was recommended for their experience with organizations that handle data of similar sensitivity. The first stage will assess the current state of the system, the second will be carried out at a later date. Thereafter, a TRA will be routinely carried out every few years, and particularly upon a significant change in the security, architecture and/or purposes to which Brain-CODE is put. A general policy on passwords is outlined within the Brain-CODE Access Control Policy in the Information Security Policy. A Development and Test Environment Policy is outlined in the Information Security Policy, which states To the extent possible, only simulated or publicly accessible data will be used for testing of application software. Recommendation accepted. Summaries of the Information Security Policy and TRA will be posted, in addition to the Informatics Governance Policy which currently available online. 
2014 January 2013 January 2013 Information Security Policy Summary and Posted June 2014; we have been advised to not post TRA. Low Recommendation accepted. March 2014 Recommendation accepted. March 2014 This has been included in Section 1.3.9 of the Informatics Governance Policy, the informed consent language, and Research Activity Agreements. It is February 2014 19
custodians. 26. OBI should update its website to clarify OBI s role in assisting individuals to address requests for access to their information via the source health information custodian. 8 Challenging Compliance 27. OBI should continue to monitor its policy for managing incidents and complaints and update it as necessary. Low also available on the Brain-CODE web portal. This has also been specifically addressed in the informed consent forms and is outlined in Section 1.3.10 of the Informatics Governance Policy. Directions on whom to contact in the event of an incident are listed in Section 1.4.1 of the Informatics Governance Policy (Privacy Breach Protocol) and the Information Security Policy. The Informatics Governance Policy as a whole will be amended, as needed. February 2014 Competed February 2014 20