THE RESEARCHER’S GUIDE TO DATA PRIVACY PAUL HANCOCK, ACCESS AND PRIVACY MANAGER, OFFICE OF THE UNIVERSITY COUNSEL KAITLYN GUTTERIDGE, LEAD PRIVACY, POLICY AND AGREEMENTS, POPULATION DATA BC


Post on 18-Aug-2020


Page 1: THE RESEARCHER’S GUIDE TO DATA PRIVACY · the researcher’s guide to data privacy . paul hancock, access and privacy manager, office of the university counsel . kaitlyn gutteridge,

THE RESEARCHER’S GUIDE TO DATA PRIVACY PAUL HANCOCK, ACCESS AND PRIVACY MANAGER, OFFICE OF THE UNIVERSITY COUNSEL

KAITLYN GUTTERIDGE, LEAD PRIVACY, POLICY AND AGREEMENTS, POPULATION DATA BC

Page 2

Overview

• Introduction to data privacy and security

• Researcher checklist (data lifecycle)
  – Planning and project preparation
  – Data collection and analysis
  – Data storage
  – Data destruction and retention

• Question period

Page 3

Scope

• Legislation:
  – Freedom of Information and Protection of Privacy Act (FIPPA)
  – Personal Information Protection Act, E-Health Act

• Policies and Procedures:
  – UBC (Privacy Fact Sheets, Information Security Standards)
  – Affiliated institutions
  – Population Data BC’s education and training

Page 4

Personal Information: Pizza Delivery

Is Big Brother Watching You?

Page 5

What is Privacy?

Our Focus is on Data Privacy:
• Concerned with establishing rules that govern the collection, handling and disclosure of personal information.
• Relates to primary, secondary and linked data

Personal Information:
• “recorded information about an identifiable individual, not including contact information”

Page 6

Examples of Personal Information

• Name, identifying number, symbol or other particular assigned to an individual (e.g. Social Insurance Numbers, bank account numbers, Student IDs)
• Race, national/ethnic origin, religion, age, marital status
• Education, medical, employment or criminal history
• Personal mailing or e-mail address, fingerprints, blood type
• Personal opinions or views (political, preferences etc.)
• Private or confidential correspondence

Page 7

Research in the Public Eye: Notable privacy headlines

Page 8

Research in the Public Eye: Notable privacy headlines

Page 9

Data Lifecycle: The Four Phases

• Planning and Grant Writing
• Data Collection
• Data Storage and Analysis
• Data Retention and Destruction

Page 10

Planning and Grant Writing Phase

(Lifecycle diagram: Planning and Grant Writing → Data Collection → Data Storage and Analysis → Data Retention and Destruction)

Page 11

Planning and Grant Writing Phase

• Plan in advance
  – Write privacy into your budget
  – Hire project team members with privacy experience
  – Provide privacy and information security details in your grant proposal and REB application

• Review, refresh, understand
  – Legislative requirements
  – UBC’s Access and Privacy and Information Security Requirements
  – UBC’s Information Security Reporting and Handling Privacy Breaches procedures

Page 12

Planning and Grant Writing Phase

• Consider your potential privacy landscape
  – Internal Privacy Impact Assessment
  – Risk versus Control Inventory
  – Canadian Standards Association Model Code for the Protection of Privacy

• Make it a team vision
  – TCPS2 Course on Research Ethics
  – Confidentiality pledge / project agreement
  – Regular team meetings to discuss privacy and security

Page 13

Data Collection Phase

(Lifecycle diagram: Planning and Grant Writing → Data Collection → Data Storage and Analysis → Data Retention and Destruction)

Page 14

Data Collection Phase

• Consent forms
  – Clearly identify all methods of: Collection, Use, Disclosure, Storage, Linkage
  – Opt-in/out clauses

• Measurement tools
  – ‘Need to know’ vs ‘nice to know’
  – Electronic measurement tools (e.g. GPS, accelerometer, biometric data)

Page 15

Data Storage and Analysis Phase

(Lifecycle diagram: Planning and Grant Writing → Data Collection → Data Storage and Analysis → Data Retention and Destruction)

Page 16

Data Storage and Analysis Phase

• De-identify immediately
  – Segregate personal information from other data
  – Encrypt the crosswalk file that correlates study ID to personal information
  – Secure any paper copies with personal information

• Electronic data access
  – Provide access based on roles
  – Restrict user accounts and folder permissions
  – Implement a logging function to audit access to data
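The de-identification step on this slide, worked through as an added example (not code from the slides or from UBC/PopData): a constructed participant table is split into a study dataset keyed only by a random study ID and a separate crosswalk that maps study ID back to the direct identifiers, followed by a release check that no crosswalk value survived in the study file. Encrypting the crosswalk before storage is left to the team's approved tool (the deck names password-protected Office/Zip files and full-disk encryption); the field names and sample rows are assumptions.

```python
"""Segregate direct identifiers from research data (added example, stdlib only)."""
import csv
import io
import secrets

# Constructed sample input; not real participants.
RAW_CSV = """name,email,age,blood_type,score
Alice Example,alice@example.org,34,O+,71
Bob Sample,bob@example.org,29,A-,64
"""

# Assumed direct identifiers: these go only into the crosswalk, never the study file.
DIRECT_IDENTIFIERS = ("name", "email")


def new_study_id() -> str:
    # Random 64-bit token: not derived from any identifier, so it cannot be reversed
    # without the crosswalk (a hash of the name or email would be guessable).
    return "S-" + secrets.token_hex(8)


def deidentify(raw_csv: str):
    """Return (study_rows, crosswalk_rows); each row is a dict sharing one study_id."""
    study, crosswalk = [], []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        sid = new_study_id()
        crosswalk.append({"study_id": sid, **{k: row[k] for k in DIRECT_IDENTIFIERS}})
        study.append({"study_id": sid,
                      **{k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}})
    return study, crosswalk


def leaks_identifiers(study_rows, crosswalk_rows) -> bool:
    """Release check: True if any crosswalk identifier value appears verbatim in the
    study rows (exact, case-insensitive match; a starting point, not a full PII scan)."""
    ids = {v.casefold() for r in crosswalk_rows for k, v in r.items() if k != "study_id"}
    return any(str(v).casefold() in ids
               for r in study_rows for k, v in r.items() if k != "study_id")


def to_csv(rows) -> str:
    """Serialize rows for writing; encrypt the crosswalk output before storing it."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    study_rows, crosswalk_rows = deidentify(RAW_CSV)
    assert not leaks_identifiers(study_rows, crosswalk_rows)
    print(to_csv(study_rows))      # safe to share within the project team's role
    print(to_csv(crosswalk_rows))  # restricted: encrypt and store separately
```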

Page 17

Data Storage and Analysis Phase

• Say NO to the Cloud!
  – No consent = no storage outside Canada
  – Use tools such as: centralized servers, UBC’s Workspace, PopData’s Secure Research Environment

• Implement requirements for physical and information security controls

Page 18

Data Storage and Analysis Stage

DATA SECURITY CONTROLS

ENCRYPTION
• Reduce data to the minimum amount necessary
• Word, Excel & Zip files may be encrypted
• Devices may also be encrypted (Full Disk Encryption) using strong passwords/passphrases and key escrow

STORAGE ON SERVERS
• Keep data in Canada
• Try to keep data on campus servers and access it remotely (using VPN, VDI or Workspace)
• Service providers that store data must have adequate security

STORAGE ON MOBILE MEDIA & DEVICES
• Storing on mobile media (e.g. USB keys, external hard drives) or mobile devices (laptops) is strongly discouraged.
• If such storage is necessary, you must encrypt the media/device.

TRANSMISSION
• Explore alternatives to transmission (i.e. remote access)
• If you must transmit files by email, encrypt them

TELECOMMUTING & REMOTE ACCESS
• Remote access via VPN, VDI or Workspace is acceptable
• Beware of certificate errors

Page 19

Data Retention and Destruction Phase

(Lifecycle diagram: Planning and Grant Writing → Data Collection → Data Storage and Analysis → Data Retention and Destruction)

Page 20

Data Retention and Destruction Stage

• Monitor your timelines
• Consider requirements for archiving your data
• Make appropriate plans for final destruction
  – Electronic information
  – Paper copies
• Track and log disposal

Page 21

Stay Tuned…

• Integrating research data privacy and security into the research process
• Issuing comprehensive Information Security Standards

Page 22

QUESTIONS…

Find the complete checklist: universitycounsel.ubc.ca/data-privacy-day