THE RESEARCHER S GUIDE TO DATA PRIVACY

Similar documents

Privacy Policy on the Responsibilities of Third Party Service Providers

Privacy and Security Protecting Personal Information Kim Hart and Bill Trott

Privacy Incident and Breach Management Policy

Student Visa - confidentiality and Reporting Requirements

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Security Threat Risk Assessment: the final key piece of the PIA puzzle

RELATIONSHIP TO PREVIOUS AGREEMENT(S) / PREVIOUS REQUESTS

How To Ensure Health Information Is Protected

Cloud Service Contracts: An Issue of Trust

ECSA EuroCloud Star Audit Data Privacy Audit Guide

HIPAA ephi Security Guidance for Researchers

Politique de sécurité de l information Information Security Policy

1. Each employee is responsible for managing college records in a responsible and professional manner.

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

ONLINE PRIVACY POLICY

MINUTE TAKING TIPS. How to keep your minutes FIPPA friendly

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

APPROPRIATE USE OF INFORMATION TECHNOLOGY SYSTEMS INFRASTRUCTURE RESOURCES

MICROSOFT OFFICE 365 PRIVACY IMPACT ASSESSMENT. Western Student E-Communications Outsourcing

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Applicability: All Employees Effective Date: December 6, 2005; revised January 27, 2009 Source(s):

HIPAA Compliance Evaluation Report

IT Privacy Certification Outline of the Body of Knowledge (BOK) for the Certified Information Privacy Technologist (CIPT)

16 Electronic health information management systems

Cloud Computing Contracts. October 11, 2012

DATA PROTECTION AND DATA STORAGE POLICY

HIPAA Audit Risk Assessment - Risk Factors

Critical Data Guide. A guide to handling critical information at Indiana University

Strategy for Management in Canadian Jurisdictions

Ministry of Children and Family Development (MCFD) Contractor s Information Management Guidelines

Practice Resource. Cloud computing checklist. Introduction

What is Covered by HIPAA at VCU?

Office 365 Data Processing Agreement with Model Clauses

Policy & Procedure. This policy applies to all records in the custody and control of SMGH.

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Data Security and Extranet

PRIVACY POLICY. Effective: January 1, 2014 Revised: March 19, Privacy Policy Page 1 of 7

Legal Ethics in the Information Age: Unique Data Privacy Issues Faced by Law Firms. v , rev

How To Protect Your Privacy On A Safari

Page 1. Copyright MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved.

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

COLLEGE POLICY MANUAL

INFORMATION UPDATE: Removable media - Storage and Retention of Data - Research Studies

Privacy Impact Assessment for the. Standardized Tracking and Accounting Reporting System- Financial Management System (STARS-FMS)

ADMINISTRATIVE MANUAL Policy and Procedure

Big Data, Big Risk? Data Management and Privacy. Presented by: Timothy Banks, Heather Innes, and Colonel Vihar Joshi

FHFA. Privacy Impact Assessment Template FM: SYSTEMS (SYSTEM NAME)

BOARD POLICY POLICY TITLE. Records and Information Management 1.0 PURPOSE

PRIVACY BREACH! WHAT NEXT?

Using AWS in the context of Australian Privacy Considerations October 2015

Brian Beamish. Commissioner (Acting) Ontario Information and Privacy Commission. Cyber Risk National Conference February 9, 2015

Payment Card Industry Compliance

Copyright 2014 Nymity Inc. All Rights Reserved.

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

Introduction to HIPAA Compliance Checklist:

Personal Health Information Privacy Policy

UNIVERSITY OF MANITOBA POLICY CLOSED CIRCUIT TV (CCTV) MONITORING. Part I Reason for Policy

VIDEO SURVEILLANCE GUIDELINES

HIPAA and Clinical Research

Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates. Reference Manual

PRIVACY POLICY. The effective date of this Privacy Policy is December 15, Last Updated September 29, Overview

Information Security Education and Awareness Training

Data Security Plan Development Guide for Researchers

Data Compliance. And. Your Obligations

Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO / HIPAA / SOX / CobiT / FIPS 199 Compliant

OIT OPERATIONAL PROCEDURE

I. Introduction to Privacy: Common Principles and Approaches

PRIVACY MANAGEMENT ACTIVITIES

Senior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES

Data Security Considerations for Research

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Moving Information: Privacy & Security Guidelines

Privacy Impact Assessment Of the. Office of Inspector General Information Technology Infrastructure Systems

ARCHIVING YOUR DATA: PLANNING AND MANAGING THE PROCESS

Data Managers Interest Group. Research. April 17, 2012

Dene Community School of Technology Staff Acceptable Use Policy

POLICY TEMPLATE. Date initially approved: November 5, 2013 Date of last revision: same

ISO Controls and Objectives

Information Governance Framework. June 2015

Selected Annotated Bibliography Personal Health Information, Privacy and Access

Storing and securing your data

Sponsored Programs Guidance Cradle to Grave

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

IT Roles in Loss Prevention. Presented by: Ann Ostrander, Director of Loss Prevention Kirkland & Ellis LLP

When HHS Calls, Will Your Plan Be HIPAA Compliant?

LONDON PUBLIC LIBRARY POLICY

Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing?

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

Cloud computing and the legal framework

UCS Level 2 Report Issued to

TRUE TITLE BEST PRACTICES

RECORDS AND INFORMATION MANAGEMENT AND RETENTION

Maximum Global Business Online Privacy Statement

UW Platteville Credit Card Handling Policy

Overview. What are operational policies? Development, adoption, implementation

Accountable Privacy Management in BC s Public Sector

Transcription:

THE RESEARCHER S GUIDE TO DATA PRIVACY PAUL HANCOCK, ACCESS AND PRIVACY MANAGER, OFFICE OF THE UNIVERSITY COUNSEL KAITLYN GUTTERIDGE, LEAD PRIVACY, POLICY AND AGREEMENTS, POPULATION DATA BC

Overview Introduction to data privacy and security Researcher checklist (data lifecycle) Planning and project preparation Data collection and analysis Data storage Data destruction and retention Question period

Scope Legislation: Freedom of Information and Protection of Privacy Act (FIPPA) Personal Information Protection Act, E-Health Act Policies and Procedures: UBC (Privacy Fact Sheets, Information Security Standards) Affiliated institutions Population Data BC s education and training

Is Big Brother Watching You? Personal Information: Pizza Delivery

What is Privacy? Our Focus is on Data Privacy: Concerned with establishing rules that govern the collection, handling and disclosure of personal information. Relates to primary, secondary and linked data Personal Information: recorded information about an identifiable individual, not including contact information

Examples of Personal Information Name, identifying number, symbol or other particular assigned to an individual (e.g. Social Insurance Numbers, bank account numbers, Student IDs) Race, national/ethnic origin, religion, age, marital status Education, medical, employment or criminal history Personal mailing or e-mail address, fingerprints, blood type Personal opinions or views (political, preferences etc.) Private or confidential correspondence

Notable privacy headlines Research in the Public Eye

Notable privacy headlines Research in the Public Eye

Data Lifecycle: The Four Phases Planning and Grant Writing Data Retention and Destruction Data Collection Data Storage and Analysis

Planning and Grant Writing Phase Planning and Grant Writing Data Retention and Destruction Data Collection Data Storage and Analysis

Planning and Grant Writing Phase Plan in advance Write privacy into your budget Hire project team members with privacy experience Provide privacy and information security details in your grant proposal and REB application Review, refresh, understand Legislative requirements UBC s Access and Privacy and Information Security Requirements UBC s Information Security Reporting and Handling Privacy Breaches procedures

Planning and Grant Writing Phase Consider your potential privacy landscape Internal Privacy Impact Assessment Risk versus Control Inventory Canadian Standards Association Model Code for the Protection of Privacy Make it a team vision TCPS2 Course on Research Ethics Confidentiality pledge / project agreement Regular team meetings to discuss privacy and security

Data Collection Phase Planning and Grant Writing Data Retention and Destruction Data Collection Data Storage and Analysis

Data Collection Phase Consent forms Clearly identify all methods of: Collection, Use, Disclosure, Storage, Linkage Opt-in/out clauses Measurement tools Need to know vs nice to know Electronic measurement tools e.g. GPS, Accelerometer, biometric data

Data Storage and Analysis Phase Planning and Grant Writing Data Retention and Destruction Data Collection Data Storage and Analysis

Data Storage and Analysis Phase De-identify immediately Segregate personal information from other data Encrypt crosswalk file that correlates study ID to personal information Secure any paper copies with personal information Electronic data access Provide access based on roles Restrict user accounts and folder permissions Implement logging function to audit access to data

Data Storage and Analysis Phase Say NO to the Cloud! No consent = no storage outside Canada Use tools such as: Centralized Servers, UBC s Workspace, PopData s Secure Research Environment Implement requirements for physical and information security controls

Data Storage and Analysis Stage DATA SECURITY CONTROLS ENCRYPTION STORAGE ON SERVERS STORAGE ON MOBILE MEDIA & DEVICES TRANSMISSION TELECOMMUTING & REMOTE ACCESS Reduce data to minimum amount necessary Word, Excel & Zip files may be encrypted Devices may also be encrypted (Full Disk Encryption) using strong passwords/passphrases and key escrow Keep data in Canada Try to keep data on campus servers and access it remotely (using VPN, VPI or Workspace) Service providers that store data must have adequate security Storing on mobile media (e.g. USB keys, external hard drives) or mobile devices (laptops) is strongly discouraged. If such storage is necessary, you must encrypt the media/device. Explore alternatives to transmission (i.e. remote access) If you must transmit files by email, encrypt them Remote access via VPN, VDI or Workspace is acceptable Beware of Certificate Errors

Data Retention and Destruction Phase Planning and Grant Writing Data Retention and Destruction Data Collection Data Storage and Analysis

Data Retention and Destruction Stage Monitor your timelines Consider requirements for archiving your data Make appropriate plans for final destruction Electronic information Paper copies Track and log disposal

Stay Tuned Integrating research data privacy and security into research process Issuing comprehensive Information Security Standards

QUESTIONS Find the complete checklist: universitycounsel.ubc.ca/data-privacyday