THE RESEARCHER’S GUIDE TO DATA PRIVACY
PAUL HANCOCK, ACCESS AND PRIVACY MANAGER, OFFICE OF THE UNIVERSITY COUNSEL
KAITLYN GUTTERIDGE, LEAD PRIVACY, POLICY AND AGREEMENTS, POPULATION DATA BC
Overview
• Introduction to data privacy and security
• Researcher checklist (data lifecycle)
  – Planning and project preparation
  – Data collection and analysis
  – Data storage
  – Data destruction and retention
• Question period
Scope
• Legislation:
  – Freedom of Information and Protection of Privacy Act (FIPPA)
  – Personal Information Protection Act, E-Health Act
• Policies and Procedures:
  – UBC (Privacy Fact Sheets, Information Security Standards)
  – Affiliated institutions
  – Population Data BC’s education and training
Personal Information: Pizza Delivery
Is Big Brother Watching You?
What is Privacy?
Our Focus is on Data Privacy:
• Concerned with establishing rules that govern the collection, handling and disclosure of personal information.
• Relates to primary, secondary and linked data
Personal Information:
• “recorded information about an identifiable individual, not including contact information”
Examples of Personal Information
• Name, identifying number, symbol or other particular assigned to an individual (e.g. Social Insurance Numbers, bank account numbers, Student IDs)
• Race, national/ethnic origin, religion, age, marital status
• Education, medical, employment or criminal history
• Personal mailing or e-mail address, fingerprints, blood type
• Personal opinions or views (political, preferences etc.)
• Private or confidential correspondence
Notable privacy headlines Research in the Public Eye
Data Lifecycle: The Four Phases
• Planning and Grant Writing
• Data Collection
• Data Storage and Analysis
• Data Retention and Destruction
Planning and Grant Writing Phase
• Plan in advance
  – Write privacy into your budget
  – Hire project team members with privacy experience
  – Provide privacy and information security details in your grant proposal and REB application
• Review, refresh, understand
  – Legislative requirements
  – UBC’s Access and Privacy and Information Security Requirements
  – UBC’s Information Security Reporting and Handling Privacy Breaches procedures
• Consider your potential privacy landscape
  – Internal Privacy Impact Assessment
  – Risk versus Control Inventory
  – Canadian Standards Association Model Code for the Protection of Privacy
• Make it a team vision
  – TCPS2 Course on Research Ethics
  – Confidentiality pledge / project agreement
  – Regular team meetings to discuss privacy and security
Data Collection Phase
• Consent forms
  – Clearly identify all methods of:
    • Collection, Use, Disclosure, Storage, Linkage
  – Opt-in/out clauses
• Measurement tools
  – ‘Need to know’ vs ‘nice to know’
  – Electronic measurement tools
    • e.g. GPS, Accelerometer, biometric data
Data Storage and Analysis Phase
• De-identify immediately
  – Segregate personal information from other data
  – Encrypt crosswalk file that correlates study ID to personal information
  – Secure any paper copies with personal information
• Electronic data access
  – Provide access based on roles
  – Restrict user accounts and folder permissions
  – Implement logging function to audit access to data
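One way to carry out the "de-identify immediately" step, as an added example that is not from the original slides: it splits collected records into a study file keyed by a random study ID and a separate crosswalk that maps each study ID back to the personal information. The column names, the sample rows and the study ID format are assumptions; encrypting the resulting crosswalk is left to whichever encryption tool the project uses.

```python
import csv
import io
import secrets

# Constructed sample input: identifiers mixed with study measurements.
RAW_CSV = """name,student_id,email,visit,step_count
Ada Example,10000001,ada@example.org,1,8120
Ben Sample,10000002,ben@example.org,1,4310
Ada Example,10000001,ada@example.org,2,9050
"""
# Columns treated as personal information (an assumption for this sample).
IDENTIFIER_COLUMNS = ("name", "student_id", "email")


def new_study_id(used):
    """Random study ID, never derived from the identifiers, so it cannot be reversed."""
    while True:
        sid = "S" + secrets.token_hex(4)
        if sid not in used:
            used.add(sid)
            return sid


def deidentify(raw_csv, identifier_columns=IDENTIFIER_COLUMNS):
    """Return (study_rows, crosswalk_rows); only the crosswalk holds identifiers."""
    reader = csv.DictReader(io.StringIO(raw_csv))
    missing = set(identifier_columns) - set(reader.fieldnames or [])
    if missing:
        # Fail closed: never emit a "de-identified" file if a column was misnamed.
        raise ValueError(f"identifier columns not found: {sorted(missing)}")
    ids_by_person, used = {}, set()
    study_rows, crosswalk_rows = [], []
    for row in reader:
        person = tuple(row[c].strip().lower() for c in identifier_columns)
        if person not in ids_by_person:  # repeat visits reuse the same study ID
            ids_by_person[person] = new_study_id(used)
            crosswalk_rows.append(
                {"study_id": ids_by_person[person],
                 **{c: row[c] for c in identifier_columns}})
        study_rows.append(
            {"study_id": ids_by_person[person],
             **{k: v for k, v in row.items() if k not in identifier_columns}})
    return study_rows, crosswalk_rows


if __name__ == "__main__":
    study, crosswalk = deidentify(RAW_CSV)
    print(study)  # analysis copy; the crosswalk is encrypted and stored separately
```

The study rows can go to the role-restricted analysis folder, while the crosswalk is encrypted and kept apart from them with its own, narrower access list.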
• Say NO to the Cloud!
  – No consent = no storage outside Canada
  – Use tools such as:
    • Centralized Servers, UBC’s Workspace, PopData’s Secure Research Environment
• Implement requirements for physical and information security controls
Data Storage and Analysis Stage
DATA SECURITY CONTROLS
ENCRYPTION
• Reduce data to minimum amount necessary
• Word, Excel & Zip files may be encrypted
• Devices may also be encrypted (Full Disk Encryption) using strong passwords/passphrases and key escrow
STORAGE ON SERVERS
• Keep data in Canada
• Try to keep data on campus servers and access it remotely (using VPN, VDI or Workspace)
• Service providers that store data must have adequate security
STORAGE ON MOBILE MEDIA & DEVICES
• Storing on mobile media (e.g. USB keys, external hard drives) or mobile devices (laptops) is strongly discouraged.
• If such storage is necessary, you must encrypt the media/device.
TRANSMISSION
• Explore alternatives to transmission (i.e. remote access)
• If you must transmit files by email, encrypt them
TELECOMMUTING & REMOTE ACCESS
• Remote access via VPN, VDI or Workspace is acceptable
• Beware of Certificate Errors
Data Retention and Destruction Stage
• Monitor your timelines
• Consider requirements for archiving your data
• Make appropriate plans for final destruction
  – Electronic information
  – Paper copies
• Track and log disposal
Stay Tuned…
• Integrating research data privacy and security into research process
• Issuing comprehensive Information Security Standards
QUESTIONS…
Find the complete checklist: universitycounsel.ubc.ca/data-privacy-day