THE RESEARCHER S GUIDE TO DATA PRIVACY

Transcription

1 THE RESEARCHER S GUIDE TO DATA PRIVACY PAUL HANCOCK, ACCESS AND PRIVACY MANAGER, OFFICE OF THE UNIVERSITY COUNSEL KAITLYN GUTTERIDGE, LEAD PRIVACY, POLICY AND AGREEMENTS, POPULATION DATA BC

2 Overview Introduction to data privacy and security Researcher checklist (data lifecycle) Planning and project preparation Data collection and analysis Data storage Data destruction and retention Question period

3 Scope Legislation: Freedom of Information and Protection of Privacy Act (FIPPA) Personal Information Protection Act, E-Health Act Policies and Procedures: UBC (Privacy Fact Sheets, Information Security Standards) Affiliated institutions Population Data BC s education and training

4 Is Big Brother Watching You? Personal Information: Pizza Delivery

5 What is Privacy? Our Focus is on Data Privacy: Concerned with establishing rules that govern the collection, handling and disclosure of personal information. Relates to primary, secondary and linked data Personal Information: recorded information about an identifiable individual, not including contact information

6 Examples of Personal Information Name, identifying number, symbol or other particular assigned to an individual (e.g. Social Insurance Numbers, bank account numbers, Student IDs) Race, national/ethnic origin, religion, age, marital status Education, medical, employment or criminal history Personal mailing or address, fingerprints, blood type Personal opinions or views (political, preferences etc.) Private or confidential correspondence

7 Notable privacy headlines Research in the Public Eye

8 Notable privacy headlines Research in the Public Eye

9 Data Lifecycle: The Four Phases Planning and Grant Writing Data Retention and Destruction Data Collection Data Storage and Analysis

10 Planning and Grant Writing Phase Planning and Grant Writing Data Retention and Destruction Data Collection Data Storage and Analysis

11 Planning and Grant Writing Phase Plan in advance Write privacy into your budget Hire project team members with privacy experience Provide privacy and information security details in your grant proposal and REB application Review, refresh, understand Legislative requirements UBC s Access and Privacy and Information Security Requirements UBC s Information Security Reporting and Handling Privacy Breaches procedures

12 Planning and Grant Writing Phase Consider your potential privacy landscape Internal Privacy Impact Assessment Risk versus Control Inventory Canadian Standards Association Model Code for the Protection of Privacy Make it a team vision TCPS2 Course on Research Ethics Confidentiality pledge / project agreement Regular team meetings to discuss privacy and security

13 Data Collection Phase Planning and Grant Writing Data Retention and Destruction Data Collection Data Storage and Analysis

14 Data Collection Phase Consent forms Clearly identify all methods of: Collection, Use, Disclosure, Storage, Linkage Opt-in/out clauses Measurement tools Need to know vs nice to know Electronic measurement tools e.g. GPS, Accelerometer, biometric data

15 Data Storage and Analysis Phase Planning and Grant Writing Data Retention and Destruction Data Collection Data Storage and Analysis

16 Data Storage and Analysis Phase De-identify immediately Segregate personal information from other data Encrypt crosswalk file that correlates study ID to personal information Secure any paper copies with personal information Electronic data access Provide access based on roles Restrict user accounts and folder permissions Implement logging function to audit access to data

17 Data Storage and Analysis Phase Say NO to the Cloud! No consent = no storage outside Canada Use tools such as: Centralized Servers, UBC s Workspace, PopData s Secure Research Environment Implement requirements for physical and information security controls

18 Data Storage and Analysis Stage DATA SECURITY CONTROLS ENCRYPTION STORAGE ON SERVERS STORAGE ON MOBILE MEDIA & DEVICES TRANSMISSION TELECOMMUTING & REMOTE ACCESS Reduce data to minimum amount necessary Word, Excel & Zip files may be encrypted Devices may also be encrypted (Full Disk Encryption) using strong passwords/passphrases and key escrow Keep data in Canada Try to keep data on campus servers and access it remotely (using VPN, VPI or Workspace) Service providers that store data must have adequate security Storing on mobile media (e.g. USB keys, external hard drives) or mobile devices (laptops) is strongly discouraged. If such storage is necessary, you must encrypt the media/device. Explore alternatives to transmission (i.e. remote access) If you must transmit files by , encrypt them Remote access via VPN, VDI or Workspace is acceptable Beware of Certificate Errors

19 Data Retention and Destruction Phase Planning and Grant Writing Data Retention and Destruction Data Collection Data Storage and Analysis

20 Data Retention and Destruction Stage Monitor your timelines Consider requirements for archiving your data Make appropriate plans for final destruction Electronic information Paper copies Track and log disposal

21 Stay Tuned Integrating research data privacy and security into research process Issuing comprehensive Information Security Standards

22 QUESTIONS Find the complete checklist: universitycounsel.ubc.ca/data-privacyday