Tips on Good Data Security Practices
Here are some tips pertaining to good data security practices that we compiled from the Government of Canada’s Panel on Research Ethics (Government of Canada, 2016), the University of Waterloo (Human Research Guidelines and Policies, 2013) and the University of Toronto (Data Security Standards for Confidential Data in Research, 2019):
Personally Identifiable Data May Require Additional Security
Obtaining personally identifiable information/data, particularly health information, from organizations/custodians (e.g., the Canadian Institute for Health Information, a hospital, Local Health Integration Network (LHIN) homecare services, a long-term care facility, or a US federal agency) may necessitate specific or additional security measures (e.g., location of the computer server, access) as outlined in the terms and conditions of an agreement. Researchers need to read agreements carefully to ensure they are compliant with data privacy mandates.
Use Secure Communication
Secure communication techniques recognised by your academic institution must be used when sending identifiable data over the internet. Depending on your institution, email may not always be a safe way to share confidential information.
Devices Must Be Secured
Laptops and portable devices, regardless of operating system, must be safeguarded; the greater potential for theft makes them a substantial concern for identifiable data. Identifiable data gathered on a laptop or other portable device must be encrypted and de-identified as quickly as practicable, or transferred to safe, non-portable storage.
Identity-Only Data Must Be Managed According to the Academic Institution’s Security Standards
Investigators are strongly encouraged to ensure that an identified or identity-only data set is stored on a personal, university-owned or university-maintained, or other-source computer that is professionally administered and managed according to their academic institution’s security standards; for example, by the faculty computer facility. Poor passwords offer little protection for personally sensitive information.
Use Decryption Key Access
In the application, the investigators must identify and reveal the individuals who will have valid access to an identified or identity-only data collection, either through a secure location key or through decryption key access. To ensure that a data set is not permanently lost, this strategy must include provisions for recovering a lost decryption key.
Secure Areas Where Data Are Stored
Locked filing cabinets and other storage containers should be housed within a locked room; either physical or electronic keys are acceptable.
Follow Proper Data Management Procedures
Investigators acquiring or collecting and storing identifiable data/information should follow proper data management procedures, such as discarding paper copies of information in a confidential manner and restricting access to data/information while working with identifiable data/information.
Understand Your Role in the Research Project
For sponsored research projects, the Principal Investigator or Faculty Supervisor is the Information Steward for the research data/information, while other research team members are Information Custodians. Everyone is expected to be aware of and understand their role’s obligations as specified in your academic institution’s policies. Members of the research team may include: