Data Governance Policy

Effective Date: March 25th, 2025

1. Purpose

The purpose of this policy is to establish a comprehensive governance framework to ensure that data held within the OnSPARK Long-Term Care (LTC) Data Platform is managed ethically, securely, and in compliance with applicable laws. This policy aims to protect the privacy and rights of LTC residents, support quality improvement, and enable research and innovation in long-term care.

2. Scope

This policy applies to:

  • All structured and unstructured data collected, integrated, or stored within the OnSPARK LTC Data Platform.
  • All individuals or entities who seek access to the Platform, including OnSPARK staff, researchers, LTC home staff, and authorized collaborators.

3. Governance Structure

The Platform is governed and operated through the following structure:

3.1 Data Governance Advisory Committee (DGAC)

Provides strategic oversight, reviews project proposals, and ensures alignment with ethical and legal standards. Composed of representatives from each Health Information Custodian (HIC), St. Joseph’s Health System Centre for Integrated Care, McMaster University, and invited experts.

3.2 Strategic Advisory Committee (SAC) and Technical Advisory Committee (TAG)

Provides advice on platform priorities and policy alignment.

3.3 Platform Operations Team

Led by Platform Co-Directors and supported by administrative staff. Manages day-to-day operations, supports DGAC, and liaises with stakeholders.

4. Legal and Ethical Framework

  • Personal Health Information Protection Act (PHIPA, 2004).
  • Relevant federal and provincial privacy statutes.
  • Approved Data Sharing Agreements with each HIC.
  • Research Ethics Board (REB) review and approval for any project.

5. Data Sharing Agreements (DSAs)

  • Define the ownership, custodianship, and permitted uses of data.
  • Specify terms for data sharing, governance, and revocation.
  • Ensure compliance with PHIPA Section 44 on disclosure for research.

6. Data Access and Use

6.1 Permitted Uses

  • Quality improvement initiatives.
  • REB-approved research projects.
  • Public health and policy evaluation, where explicitly permitted.
  • Product Development, where explicitly permitted.

6.2 Prohibited Uses

  • Commercial use without explicit authorization.
  • Attempted re-identification of individuals.
  • Sharing data with unauthorized parties.

6.3 Access Process

  • Applicants are generally invited and must submit a written proposal and plan.
  • Ethics approval from a recognized REB is mandatory for research.
  • Final access requires Operations Team recommendation and HIC approval.
  • Authorized Users sign confidentiality agreements.

7. Data Privacy and Security

  • De-identification and anonymization prior to use.
  • End-to-end encryption during transfer and storage.
  • Role-Based Access Controls (RBAC) for user permissions.
  • Physical and digital safeguards as per McMaster University’s IT security protocols.
  • Regular Privacy Impact Assessments (PIAs) and Threat Risk Assessments (TRAs).

8. Data Quality and Integrity

  • A standardized data model for EMR and staffing records.
  • Continuous processes for validation, curation, and audit logging.
  • Documentation standards for metadata and variable definitions.

9. Transparency and Accountability

  • Publishes its governance model and approved project summaries (where possible).
  • Tracks data use and generates activity reports.
  • Conducts formal biannual DGAC meetings to review policy adherence and propose improvements.

10. Data Retention and Disposition

  • Data are retained for the duration of an approved project and securely destroyed upon expiration unless renewed.
  • Data disposition procedures follow McMaster’s Information Security policy and PHIPA compliance standards.

11. Monitoring and Enforcement

  • All activity is logged and auditable.
  • Breaches are reported to the DGAC, HICs, and McMaster’s Privacy Office.
  • Misuse may result in loss of access, institutional reporting, and legal action.

12. Policy Review

This policy will be reviewed and updated annually by the DGAC to ensure continued alignment with legal requirements, ethical standards, and stakeholder needs.

13. Contact Information

For questions or concerns regarding this policy, contact: onspark@mcmaster.ca