Security Requirements for Data

The following table of minimum security requirements for electronic data/information is reproduced directly from the Office of Research Ethics at the University of Waterloo (Human Research Guidelines and Policies, 2013).

| Type of Information/Data | Security Procedures Needed |
| --- | --- |
| Information/data with direct identifiers; identity-only dataset | Encryption and secure location. If highly identifiable and sensitive data, also store at high level of security (e.g. on stand-alone servers, special protection for remote electronic access). |
| Identified information, with permission for identification | Password-protected access |
| Coded or anonymized personal health information/data (PHI), as defined under PHIPA | Encryption and secure location (or as required by providing health information custodian). |
| Coded information/data (not personal health information (PHI) as defined under PHIPA) | Password-protected access and secure location. Encryption and secure location if high risk of re-identification through indirect identifiers and is sensitive information. |
| Information with only indirect identifying information, yet risk of re-identification is greater than low (not PHI as defined under PHIPA) | Password-protected access and secure location. Encryption and secure location if high risk of re-identification and sensitive information. |
| Anonymized information (not PHI as defined under PHIPA) | Password-protected access |
| Anonymous information (low or very low risk of re-identification of individuals through indirect identifiers) | Password-protected access |
| Anonymized or anonymous information with no risk of re-identification through indirect identifiers or the risk has been removed | Password-protected access |