Data Removal Policy
1. Purpose
The purpose of this policy is to define the principles, procedures, and responsibilities related to the removal, deletion, or destruction of data from the OnSPARK LTC Data Platform. It supports compliance with applicable legislation, maintains data stewardship, and ensures that Health Information Custodians (HICs) retain appropriate control over the use of their data.
2. Scope
This policy applies to:
- All data stored within the OnSPARK LTC Data Platform, including clinical, operational, and workforce records.
- All Authorized Users of the Platform.
- All data provided by participating Health Information Custodians (LTC and retirement home operators).
3. Governing Framework
All data removal procedures shall comply with:
- PHIPA (2004, S.O. 2004, c.3), specifically Section 44 on data for research.
- The terms of executed Data Sharing Agreements (DSAs) between McMaster University and HICs.
- Decisions made by the Data Governance Advisory Committee (DGAC).
- Institutional policies of McMaster University related to data security and privacy.
4. Grounds for Data Removal
Data may be removed from the OnSPARK Platform under the following conditions:
4.1 At the Request of a Health Information Custodian (HIC)
- A HIC may formally request removal of its data in writing.
- The Platform will acknowledge and respond within 15 business days.
- Removal is subject to verification of legal rights and obligations under the DSA.
4.2 Project Completion or Termination
- Upon the conclusion or early termination of an approved project, access to project-specific datasets will be revoked.
- Residual copies (e.g., exports) held by Authorized Users must be securely deleted in accordance with McMaster’s data disposal protocols.
4.3 Breach of Terms
- In cases of data misuse, breach of confidentiality, or non-compliance with ethics approvals, the DGAC may suspend access and mandate full data removal.
4.4 Consent-Based or Ethical Revisions
- If an ethics board, HIC, or affected persons determine that data must be removed due to privacy concerns or withdrawal of participation (e.g., in cases of prospective data collection), the Platform will securely delete the relevant records.
5. Procedure for Data Removal
5.1 Request Submission
Requests must be made in writing to the OnSPARK Operations Team. The request should include:
- Data type(s) and time period to be removed
- Rationale for removal
- Legal or ethical documentation (if applicable)
5.2 Review and Verification
The Platform Co-Directors, together with the Privacy Officer, will:
- Confirm the identity and authority of the requestor
- Assess the impact of removal on ongoing projects
- Review obligations under the relevant DSA and ethics protocols
5.3 Decision and Execution
If removal is authorized, the Platform will:
- Log the removal request and decision
- Isolate and delete the specified data from all active and backup systems
- Revoke access permissions for related project users
- Notify the requestor upon completion
5.4 Timelines
- Initial acknowledgment: within 7 business days
- Completion of removal: within 30 business days (unless otherwise required)
6. Data Retention Considerations
Data that is required for regulatory, legal, or institutional purposes may not be subject to removal as part of this policy. Such data will be retained in compliance with McMaster’s data retention protocols and the Data Sharing Agreements.
7. Monitoring and Enforcement
All data removal activities will be logged and audited by the Platform Operations Team. Any misuse or failure to comply with this policy will be addressed by the DGAC; the response may include suspension of platform access and potential legal action.
8. Policy Review
This policy will be reviewed annually by the Data Governance Advisory Committee (DGAC) to ensure that it remains aligned with changing regulations and best practices in data privacy and governance.
9. Contact Information
If you have any questions regarding this Data Removal Policy, please contact: onspark@mcmaster.ca