Privacy Policy

Effective Date: March 25th, 2025

1. Introduction

OnSPARK (Ontario Supporting Partnerships to Advance Care and Knowledge) is committed to protecting the privacy, confidentiality, and security of personal health information (PHI) and all data collected, processed, and used within our platform.

This Privacy Policy outlines how we collect, use, store, and safeguard information in compliance with the Personal Health Information Protection Act (PHIPA, 2004, S.O. 2004, c.3, Sched. A) and other applicable Canadian privacy laws.

By accessing or using OnSPARK’s services, you agree to the terms of this Privacy Policy.

2. What Information We Collect

OnSPARK collects and processes de-identified health and administrative data from participating long-term care (LTC) homes to support quality improvement, research, and policy development. Types of data collected include:

  • Resident health data (de-identified), including clinical assessments, diagnoses, treatment history, medication prescriptions, administration records, immunization status, hospitalizations, emergency transfers, and care outcomes.
  • Facility-level data, such as staffing patterns, disease surveillance, infection control measures, quality indicators, and operational performance metrics.
  • Research and analytical data, including aggregated and anonymized datasets for research and policy analysis, as well as de-identified longitudinal data to monitor LTC trends over time.

OnSPARK does not collect direct identifiers such as names, addresses, or personal contact details, social insurance numbers (SINs), financial information, or unauthorized surveillance or tracking data.

3. How We Use the Data

OnSPARK does not sell or share personal health information (PHI) for commercial purposes unless by consent and oversight by Health Information Custodians (HICs).

Permitted uses include:

  • Improving resident care and quality outcomes by providing LTC homes with data-driven insights.
  • Supporting approved comparative effectiveness studies and clinical trials research in LTC.
  • Providing evidence-based insights for policymakers to improve LTC regulations.
  • Assisting LTC operators in staffing optimization and resource allocation.

Prohibited uses include:

  • Marketing or commercial exploitation of resident data.
  • Data linkage without explicit ethics board approval.
  • Re-identification of de-identified data.

4. Data Security and Protection Measures

OnSPARK employs industry-leading security protocols to protect data from unauthorized access, breaches, and misuse.

Security measures include:

  • End-to-end encryption for all data in transit and at rest.
  • Secure data hosting at McMaster University, ensuring compliance with institutional and provincial security policies.
  • Role-based access control (RBAC) to ensure that only approved users with necessary permissions can access specific datasets.
  • Regular Privacy Impact Assessments (PIAs) conducted by the McMaster University Privacy Office.
  • Threat and Risk Assessments (TRA) performed by McMaster’s Information Security Office.

5. Data Access and Sharing

OnSPARK operates under a strict data governance framework to ensure responsible data sharing for research and quality improvement.

Eligible to access OnSPARK data include:

  • LTC home operators for facility-level performance reports and resident care insights.
  • Approved researchers who meet eligibility requirements and obtain Research Ethics Board (REB) approval.
  • Policymakers and public health authorities to support evidence-based decision-making.

Unauthorized parties, including third-party companies, insurance providers, and private-sector organizations, are not permitted to access OnSPARK data.

6. Compliance with PHIPA and Privacy Regulations

OnSPARK fully complies with the Personal Health Information Protection Act (PHIPA, 2004) and all applicable privacy laws.

Measures taken to ensure PHIPA compliance include:

  • Strict limitations on data use, ensuring it is only available for approved research and quality improvement projects.
  • Anonymization and de-identification of all resident-level data before analysis.
  • Governance approvals required before any data is shared or linked.

7. Rights and Data Removal

OnSPARK upholds residents’ rights to data protection and transparency.

Rights include:

  • Transparency in understanding how de-identified data is used.
  • The ability of LTC homes to review and manage their data contributions.
  • The ability to request audits or removal of data (see Data Removal Policy).

8. Changes to This Privacy Policy

OnSPARK regularly updates its privacy practices to reflect new security measures, regulatory changes, and best practices in health data management.

Policy updates will be announced on our website, and LTC home partners and researchers will be notified in advance of any modifications.

9. Contact Us

For questions regarding OnSPARK’s privacy policies, data security, or governance framework, contact: privacy@onspark.ca