THE RESEARCHER'S GUIDE TO DATA PRIVACY
PAUL HANCOCK, ACCESS AND PRIVACY MANAGER, OFFICE OF THE UNIVERSITY COUNSEL
KAITLYN GUTTERIDGE, LEAD PRIVACY, POLICY AND AGREEMENTS, POPULATION DATA BC
Overview
Introduction to data privacy and security. Researcher checklist (data lifecycle): planning and project preparation; data collection and analysis; data storage; data destruction and retention. Question period.
Scope
Legislation: Freedom of Information and Protection of Privacy Act (FIPPA); Personal Information Protection Act; E-Health Act.
Policies and Procedures: UBC (Privacy Fact Sheets, Information Security Standards); affiliated institutions; Population Data BC's education and training.
Is Big Brother Watching You? Personal Information: Pizza Delivery
What is Privacy?
Our focus is on data privacy: concerned with establishing rules that govern the collection, handling and disclosure of personal information. Relates to primary, secondary and linked data.
Personal Information: recorded information about an identifiable individual, not including contact information.
Examples of Personal Information
Name, identifying number, symbol or other particular assigned to an individual (e.g. Social Insurance Numbers, bank account numbers, Student IDs); race, national/ethnic origin, religion, age, marital status; education, medical, employment or criminal history; personal mailing or e-mail address, fingerprints, blood type; personal opinions or views (political, preferences etc.); private or confidential correspondence.
Notable privacy headlines Research in the Public Eye
Data Lifecycle: The Four Phases
Planning and Grant Writing; Data Collection; Data Storage and Analysis; Data Retention and Destruction.
Planning and Grant Writing Phase (data lifecycle diagram)
Planning and Grant Writing Phase
Plan in advance: write privacy into your budget; hire project team members with privacy experience; provide privacy and information security details in your grant proposal and REB application.
Review, refresh, understand: legislative requirements; UBC's Access and Privacy and Information Security Requirements; UBC's Information Security Reporting and Handling Privacy Breaches procedures.
Planning and Grant Writing Phase
Consider your potential privacy landscape: internal Privacy Impact Assessment; risk versus control inventory; Canadian Standards Association Model Code for the Protection of Privacy.
Make it a team vision: TCPS2 Course on Research Ethics; confidentiality pledge / project agreement; regular team meetings to discuss privacy and security.
Data Collection Phase (data lifecycle diagram)
Data Collection Phase
Consent forms: clearly identify all methods of collection, use, disclosure, storage and linkage; opt-in/out clauses.
Measurement tools: need to know vs. nice to know; electronic measurement tools, e.g. GPS, accelerometer, biometric data.
Data Storage and Analysis Phase (data lifecycle diagram)
Data Storage and Analysis Phase
De-identify immediately: segregate personal information from other data; encrypt the crosswalk file that correlates study ID to personal information; secure any paper copies with personal information.
Electronic data access: provide access based on roles; restrict user accounts and folder permissions; implement a logging function to audit access to data.
Data Storage and Analysis Phase
Say NO to the Cloud! No consent = no storage outside Canada. Use tools such as centralized servers, UBC's Workspace and PopData's Secure Research Environment. Implement requirements for physical and information security controls.
Data Storage and Analysis Stage: DATA SECURITY CONTROLS
Reduce data to the minimum amount necessary.
ENCRYPTION: Word, Excel and Zip files may be encrypted. Devices may also be encrypted (Full Disk Encryption) using strong passwords/passphrases and key escrow.
STORAGE ON SERVERS: Keep data in Canada. Try to keep data on campus servers and access it remotely (using VPN, VDI or Workspace). Service providers that store data must have adequate security.
STORAGE ON MOBILE MEDIA & DEVICES: Storing on mobile media (e.g. USB keys, external hard drives) or mobile devices (laptops) is strongly discouraged. If such storage is necessary, you must encrypt the media/device.
TRANSMISSION: Explore alternatives to transmission (i.e. remote access). If you must transmit files by email, encrypt them.
TELECOMMUTING & REMOTE ACCESS: Remote access via VPN, VDI or Workspace is acceptable. Beware of certificate errors.
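The two storage-and-analysis slides above ask for four things at once: de-identify immediately, keep the study-ID-to-identity crosswalk separate and encrypted, grant access by role, and log every access. The script below is an added illustration of how those fit together in one small pipeline; it is not UBC, PopData or Workspace code, the participant records are constructed, and the role name data_steward is an assumption. It uses only the Python standard library, so the crosswalk encryption is assembled from PBKDF2 key derivation, an HMAC-SHA256 counter-mode keystream and an encrypt-then-MAC tag; a real deployment would use AES-GCM from a vetted library rather than this hand-built construction, but the structure (random study IDs, segregated and authenticated crosswalk, role check before decryption, audit entry for every attempt) is the point.

```python
"""De-identify a study dataset, segregate the PII into a separately encrypted
crosswalk, and audit every attempt to re-identify a participant.
Added illustration only: not UBC/PopData code; records are constructed.
Encryption is stdlib-only (PBKDF2, HMAC-SHA256 counter-mode keystream,
encrypt-then-MAC); production code should use AES-GCM from a vetted library."""
import hashlib
import hmac
import json
import secrets
import struct
import time
from typing import Dict, List, Tuple

# Constructed sample export: identifying fields mixed with study measurements.
RAW_RECORDS = [
    {"name": "Alice Example", "sin": "123-456-789", "email": "alice@example.org",
     "age": 34, "blood_type": "O+", "score": 71},
    {"name": "Bob Sample", "sin": "987-654-321", "email": "bob@example.org",
     "age": 52, "blood_type": "A-", "score": 64},
]
PII_FIELDS = ("name", "sin", "email")      # fields that must leave the analysis file
REIDENTIFY_ROLES = {"data_steward"}        # assumed role allowed to open the crosswalk


def deidentify(records: List[dict], pii_fields=PII_FIELDS) -> Tuple[List[dict], Dict[str, dict]]:
    """Split records into analysis rows keyed by a random study ID and a crosswalk
    mapping study ID -> PII. IDs are random, not derived from PII, so the analysis
    file alone cannot be reversed."""
    study_rows, crosswalk = [], {}
    for rec in records:
        study_id = "S" + secrets.token_hex(4)
        while study_id in crosswalk:       # guard against the rare collision
            study_id = "S" + secrets.token_hex(4)
        crosswalk[study_id] = {k: rec[k] for k in pii_fields}
        study_rows.append({"study_id": study_id,
                           **{k: v for k, v in rec.items() if k not in pii_fields}})
    return study_rows, crosswalk


def _derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """PBKDF2-SHA256 stretches the passphrase into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_crosswalk(crosswalk: Dict[str, dict], passphrase: str) -> bytes:
    """Serialize and encrypt the crosswalk. Layout: salt | nonce | ciphertext | tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    plaintext = json.dumps(crosswalk, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_crosswalk(blob: bytes, passphrase: str) -> Dict[str, dict]:
    """Verify the tag before decrypting, so a wrong passphrase or an altered file is rejected."""
    if len(blob) < 64:
        raise ValueError("crosswalk blob too short")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("crosswalk tag mismatch: wrong passphrase or file altered")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


def lookup_identity(blob: bytes, passphrase: str, study_id: str,
                    user: str, role: str, audit_log: List[dict]):
    """Re-identify one study ID. Every attempt, allowed or denied, is appended to
    audit_log so crosswalk use can be reviewed later."""
    entry = {"ts": time.time(), "user": user, "role": role, "study_id": study_id}
    if role not in REIDENTIFY_ROLES:
        audit_log.append({**entry, "outcome": "denied"})
        raise PermissionError(f"role {role!r} may not open the crosswalk")
    crosswalk = decrypt_crosswalk(blob, passphrase)
    audit_log.append({**entry, "outcome": "ok" if study_id in crosswalk else "unknown_id"})
    return crosswalk.get(study_id)


if __name__ == "__main__":
    rows, cw = deidentify(RAW_RECORDS)
    blob = encrypt_crosswalk(cw, "constructed passphrase - use a strong one")
    log: List[dict] = []
    print(rows)   # analysis rows contain only study_id plus non-identifying fields
    print(lookup_identity(blob, "constructed passphrase - use a strong one",
                          rows[0]["study_id"], "steward1", "data_steward", log))
    print(log)
```

The analysis team works only from the rows returned by deidentify; the encrypted crosswalk blob lives in a separate, access-restricted location and is opened only through lookup_identity, which writes an audit entry before it either refuses or decrypts. Because the tag covers the salt, nonce and ciphertext, a wrong passphrase and a modified file fail the same way, before any plaintext is produced.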
Data Retention and Destruction Phase (data lifecycle diagram)
Data Retention and Destruction Stage
Monitor your timelines. Consider requirements for archiving your data. Make appropriate plans for final destruction of electronic information and paper copies. Track and log disposal.
Stay Tuned
Integrating research data privacy and security into the research process. Issuing comprehensive Information Security Standards.
QUESTIONS
Find the complete checklist: universitycounsel.ubc.ca/data-privacyday