Security Requirements for Data
The following table of minimum security requirements for electronic data/information is reproduced directly from the Office of Research Ethics at the University of Waterloo (Human Research Guidelines and Policies, 2013).
Type of Information/Data | Security Procedures Needed |
Information/data with direct identifiers Identity-only dataset | Encryption and secure location. If highly identifiable and sensitive data, also store at high level of security (e.g. on stand-alone servers, special protection for remote electronic access). |
Identified information, with permission for identification | Password-protected access |
Coded or anonymized personal health information/data (PHI), as defined under PHIPA | Encryption and secure location (or as required by providing health information custodian). |
Coded information/data (not personal health information (PHI) as defined under PHIPA) | Password-protected access and secure location. Encryption and secure location if high risk of re-identification through indirect identifiers and is sensitive information. |
Information with only indirect identifying information, yet risk of re-identification is greater than low (not PHI as defined under PHIPA) | Password-protected access and secure location. Encryption and secure location if high risk of re-identification and sensitive information. |
Anonymized information (not PHI as defined under PHIPA) | Password-protected access |
Anonymous information (low or very low risk of re-identification of individuals through indirect identifiers) | Password-protected access |
Anonymized or anonymous information with no risk of re-identification through indirect identifiers or the risk has been removed | Password-protected access |