THE RESEARCHER’S GUIDE TO DATA PRIVACY

Paul Hancock, Access and Privacy Manager, Office of the University Counsel
Kaitlyn Gutteridge, Lead Privacy, Policy and Agreements, Population Data BC

Overview

• Introduction to data privacy and security

• Researcher checklist (data lifecycle)
  – Planning and project preparation
  – Data collection and analysis
  – Data storage
  – Data destruction and retention

• Question period

Scope

• Legislation:
  – Freedom of Information and Protection of Privacy Act (FIPPA)
  – Personal Information Protection Act, E-Health Act

• Policies and Procedures:
  – UBC (Privacy Fact Sheets, Information Security Standards)
  – Affiliated institutions
  – Population Data BC’s education and training

Personal Information: Pizza Delivery

Is Big Brother Watching You?

What is Privacy?

Our Focus is on Data Privacy:
• Concerned with establishing rules that govern the collection, handling and disclosure of personal information.
• Relates to primary, secondary and linked data

Personal Information:
• “recorded information about an identifiable individual, not including contact information”

Examples of Personal Information

• Name, identifying number, symbol or other particular assigned to an individual (e.g. Social Insurance Numbers, bank account numbers, Student IDs)
• Race, national/ethnic origin, religion, age, marital status
• Education, medical, employment or criminal history
• Personal mailing or e-mail address, fingerprints, blood type
• Personal opinions or views (political, preferences etc.)
• Private or confidential correspondence

Notable privacy headlines Research in the Public Eye

Data Lifecycle: The Four Phases

• Planning and Grant Writing
• Data Collection
• Data Storage and Analysis
• Data Retention and Destruction

Planning and Grant Writing Phase

• Plan in advance
  – Write privacy into your budget
  – Hire project team members with privacy experience
  – Provide privacy and information security details in your grant proposal and REB application

• Review, refresh, understand
  – Legislative requirements
  – UBC’s Access and Privacy and Information Security Requirements
  – UBC’s Information Security Reporting and Handling Privacy Breaches procedures

• Consider your potential privacy landscape
  – Internal Privacy Impact Assessment
  – Risk versus Control Inventory
  – Canadian Standards Association Model Code for the Protection of Privacy

• Make it a team vision
  – TCPS2 Course on Research Ethics
  – Confidentiality pledge / project agreement
  – Regular team meetings to discuss privacy and security

Data Collection Phase

• Consent forms
  – Clearly identify all methods of:
    • Collection, Use, Disclosure, Storage, Linkage
  – Opt-in/out clauses

• Measurement tools
  – ‘Need to know’ vs ‘nice to know’
  – Electronic measurement tools
    • e.g. GPS, Accelerometer, biometric data

Data Storage and Analysis Phase

• De-identify immediately
  – Segregate personal information from other data
  – Encrypt crosswalk file that correlates study ID to personal information
  – Secure any paper copies with personal information

• Electronic data access
  – Provide access based on roles
  – Restrict user accounts and folder permissions
  – Implement logging function to audit access to data
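
The "de-identify immediately" step above, as an added example that is not part of the original presentation: it splits collected records into an analysis set keyed by a random study ID and a separate crosswalk, then checks the analysis set for personal values that slipped through. The field names, study ID format and sample records are assumptions; encrypting the crosswalk file itself is left to the file or disk encryption the project already uses.

```python
import secrets

# Assumption: the project decides which columns are direct identifiers.
DIRECT_IDENTIFIERS = {"name", "student_id", "email"}

def deidentify(records, identifiers=DIRECT_IDENTIFIERS):
    """Split records into (analysis_rows, crosswalk_rows).

    analysis_rows keep a random study ID plus the non-identifying fields.
    crosswalk_rows map that study ID to the personal information; this is
    the file to encrypt and store apart from the analysis data.
    """
    used, analysis, crosswalk = set(), [], []
    for rec in records:
        sid = "S-" + secrets.token_hex(4)   # random, not derived from the person
        while sid in used:                  # re-draw on the rare collision
            sid = "S-" + secrets.token_hex(4)
        used.add(sid)
        analysis.append({"study_id": sid,
                         **{k: v for k, v in rec.items() if k not in identifiers}})
        crosswalk.append({"study_id": sid,
                          **{k: v for k, v in rec.items() if k in identifiers}})
    return analysis, crosswalk

def leaked_identifiers(analysis, crosswalk):
    """Find personal values that survived in the analysis data, e.g. a name
    typed into a free-text field. Returns sorted (study_id, field) pairs."""
    personal = {str(v).lower() for row in crosswalk
                for k, v in row.items() if k != "study_id" and v}
    leaks = set()
    for row in analysis:
        for field, value in row.items():
            if field == "study_id":
                continue
            text = str(value).lower()
            if any(p in text for p in personal):
                leaks.add((row["study_id"], field))
    return sorted(leaks)

# Constructed sample records, not real data.
SAMPLE = [
    {"name": "Ana Example", "student_id": "10000001", "email": "ana@example.org",
     "age_band": "20-29", "score": 71, "notes": "completed all sessions"},
    {"name": "Bo Sample", "student_id": "10000002", "email": "bo@example.org",
     "age_band": "30-39", "score": 64, "notes": "Bo Sample asked to reschedule"},
]

if __name__ == "__main__":
    analysis_rows, crosswalk_rows = deidentify(SAMPLE)
    print(analysis_rows)
    print("leaks:", leaked_identifiers(analysis_rows, crosswalk_rows))
```

The second sample record shows why dropping identifier columns is not enough on its own: the participant's name remains in the free-text notes field and is reported as a leak.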

• Say NO to the Cloud!
  – No consent = no storage outside Canada
  – Use tools such as:
    • Centralized Servers, UBC’s Workspace, PopData’s Secure Research Environment

• Implement requirements for physical and information security controls

Data Storage and Analysis Stage

DATA SECURITY CONTROLS

ENCRYPTION
• Reduce data to minimum amount necessary
• Word, Excel & Zip files may be encrypted
• Devices may also be encrypted (Full Disk Encryption) using strong passwords/passphrases and key escrow

STORAGE ON SERVERS
• Keep data in Canada
• Try to keep data on campus servers and access it remotely (using VPN, VDI or Workspace)
• Service providers that store data must have adequate security

STORAGE ON MOBILE MEDIA & DEVICES
• Storing on mobile media (e.g. USB keys, external hard drives) or mobile devices (laptops) is strongly discouraged.
• If such storage is necessary, you must encrypt the media/device.

TRANSMISSION
• Explore alternatives to transmission (i.e. remote access)
• If you must transmit files by email, encrypt them

TELECOMMUTING & REMOTE ACCESS
• Remote access via VPN, VDI or Workspace is acceptable
• Beware of Certificate Errors

Data Retention and Destruction Stage

• Monitor your timelines
• Consider requirements for archiving your data
• Make appropriate plans for final destruction
  – Electronic information
  – Paper copies
• Track and log disposal

Stay Tuned…

• Integrating research data privacy and security into research process

• Issuing comprehensive Information Security Standards

QUESTIONS…

Find the complete checklist: universitycounsel.ubc.ca/data-privacy-day