Data Matching and the Creation of Non-Personal Data

UCalgary is required under the Protection of Privacy Act (POPA) to follow certain requirements when engaging in data matching activities to create data derived from personal information and implement a data quality assurance process regarding the creation, use and disclosure of non-personal data.

UCalgary will only be required to comply with these new requirements for institutional initiatives which support an operating program or activity of UCalgary carried out for the purposes of institutional research, planning or program quality assurance, evaluation or improvement. These requirements do not apply to research projects caried out by academic staff members intended to develop or contribute to generalizable knowledge.

For more information regarding these requirements, please review the information below or contact the Access and Privacy Office for guidance.

What is data matching and data derived from personal information?

Data matching means linking personal information between two or more databases or other electronic sources of information. Data derived from personal information means identifiable data created through data matching using personal information already in the custody or under the control of UCalgary.

The UCalgary Data Matching, De-Identification and Data Quality Assurance Standard establishes requirements for data-matching using personal information. It also outlines the restrictions on the use and disclosure of data derived from personal information. UCalgary may only engage in data matching for the purposes of research or analysis, or where it is directly relating to the planning or delivery of an operating program or service and is prohibited from disclosing data derived from personal information except in extremely limited circumstances.

What is non-personal data?

Non-personal data means data created from personal information that has been generated, modified, de-identified or anonymized so that it does not identify any specific individual. This may include institutional data regarding staff or students that has been aggregated for internal use of reporting purposes.

The UCalgary Data Matching, De-Identification and Data Quality Assurance Standard outlines a data quality assurance process consistent with generally accepted best practices for the creation, use and disclosure of de-identified or anonymized non-personal data.

UCalgary may only create data derived from personal information or non-personal data for the purposes of research or analysis, or where it is directly relating to the planning or delivery of an operating program or service. Non-personal data may only be disclosed subject to an information sharing agreement, unless it is being disclosed strictly in aggregate or statistical form as part of a report, summary or other publication. For more information, please see the Guidelines for the Collection of Personal Information.

How can I create non-personal data in compliance with POPA?

POPA requires that each time non-personal data is created, a record must also be created containing:

A description of the personal information used;
The purpose of creating the non-personal data;
The methods of de-identification used; and
A risk assessment that ensures that the identity of any individual who is the subject of the non-personal data cannot be re-identified, the level of risk of re-identification and any security measures taken to reduce such risk.

The Access and Privacy Office has developed a Creation of Non-Personal Data Form in accordance with the UCalgary Data Matching, De-Identification and Data Quality Assurance Standard to assist faculties, departments and administrative units in ensuring that personal information has been de-identified or anonymized in accordance with generally accepted best practices and satisfy the requirements above.

�����Ƶ