10 Tips for Privacy, Security, and Records Management in Research
- Plan in advance
Just as you spend a lot of time before a project working out the protocol, grant opportunities and data available, you should also consider information management issues (privacy, security and records management) in advance. Privacy and security controls work best when they are preventative rather than a remedy for a weakness you’ve discovered. Make sure you will have the funds and resources to adequately protect and manage the data you will be using. Consider having a member of your team with privacy experience. Where necessary, identify appropriate funds in your grant proposals to resource privacy and security controls and scans, such as a Privacy Impact Assessment. Public bodies providing personal information may require a Privacy Impact Assessment. Don’t wait to think about privacy and security: if it’s “too late”, it means you’ve experienced a data privacy or security incident.
- Encrypt
Privacy Commissioners and experts are increasingly recommending that encryption be mandatory for any devices storing, accessing, using, or transferring personal information. Encryption technology is widely available and personal information should be encrypted. That includes back-ups and working copies, as well as during transfer. Encryption ensures that the data is unreadable if accessed or intercepted by unauthorized individuals.
- Limit the amount of personal information you collect
This is one of the most important principles of privacy. Don’t collect personal information you don’t need “just in case”. Only request the data that is necessary to answer your research questions. To reduce the potential risks involved in collecting sensitive information, use personal information that has been de-identified wherever possible. The more you limit the information you have, the less data is potentially exposed in a breach. It will also ensure that you use the information only for the purposes for which you collected it.
- Limit the number of people accessing the data
Only give data access to project team members who will be analyzing it. Keep the data segregated and provide access based on people’s roles. Don’t give access to data because it’s in the same folder as outputs or papers. The fewer people who have access, the fewer opportunities there are for error.
- Don’t proliferate the data, keep it central
The more copies that exist of the data, the higher the likelihood that it will be inadvertently disclosed or accessed through loss or theft. Multiple copies also make it more difficult to track authorized access and usage. The best-case scenario for data storage is a central server (such as the servers provided by University Systems) with remote VPN access for authorized users. An example of such a system can be found at Population Data BC (PopData), which offers Secure Research Environment rental opportunities. Guidelines, instructions and suggestions for creating your own secure central server can also be found online. Think carefully before putting data on a mobile device and, if you do, make sure it’s encrypted.
- Organize your records for retention
Consult your research, data or funding agreement to ensure that data that must be retained is easily distinguished, and organize and name your data accordingly. Do periodic maintenance to remove duplicate or draft information (transitory records). Establish agreed-upon naming conventions that address file and folder identification and version control, and permit sorting in a logical sequence. Be aware of your obligations to retain, transfer or dispose of the data (contained in your agreements). Consult with the Office of Research Services (Research Partnerships and Knowledge Mobilization Contracts Staff – contract@uvic.ca) for help in determining which agreements apply to your project and for assessing what obligations are contained in such agreements.
- Know the rules, read the agreements
Ignorance is not bliss! Look at the legislation governing the use of your data; if you are working with or receiving data from a B.C. public body, consult the Freedom of Information and Protection of Privacy Act (FIPPA). If you are unsure what legislation applies, contact XXX. However, legislation is only one piece of the puzzle. Make sure that you have read and understood your: research or data agreement; funding, service or other agreement; confidentiality pledge; terms of use; or other documents governing your research. Research contracts and other agreements in the name of UVic may only be signed by designated signing officers and should be reviewed for compliance with UVic policy, so contact the Office of Research Services (Research Partnerships and Knowledge Mobilization Contracts Staff – contract@uvic.ca) if you are asked to sign a research agreement on behalf of UVic. Know what you are responsible for, and if you have questions, ask them early on.
- Train your team, pass on the knowledge
Quite often a principal investigator will sign an agreement that no one else on the team will see, but this agreement may have requirements for everyone. Make sure these obligations are communicated, and make sure that all the members of the team who are accessing the research data learn about privacy and the rules surrounding their access to the data. It is the principal investigator’s responsibility to train their project team members.
- Build on existing privacy and security resources
The Office of the Information and Privacy Commissioner for British Columbia (link) and the BC Government’s Office of the Chief Information Officer (link) are resources for those interested in privacy and security. Ask their offices for templates, guidelines and other documents that will help you develop a privacy program for your project. Talk to other researchers about what tools they used and if they can share them. Perhaps you can pool resources as well! Contact the university’s Chief Privacy Officer or Information Security Officer if you have questions. Or, if you don’t have the resources to manage your own security and privacy, use PopData’s Secure Research Environment. If you’re using secondary, administrative data, PopData can also manage your data access request for you.
- Pay attention to how you transfer personal information
Use secure transmission methods to transfer personal information, e.g. post information on a secure website or use secure file transfer protocol (SFTP). Be aware that for data governed by FIPPA, most personal information must not be accessed from or stored outside of Canada (unless the disclosure is in accordance with a research agreement).
Researchers need to consider privacy and security because research often involves collecting and using personally identifiable information. Well-managed privacy and security helps protect intellectual property and the investment made in research.
Don’t cut corners; invest in privacy, security and records management.