Confidential information in research should be protected from loss, destruction or unauthorized access. Confidentiality arises from law, policy or practice, and covers personal or third-party data, or information which is provided in confidence, for example by government.
The following confidentiality principles are consistent with Toronto Academic Health Science Network (TAHSN) policy principles for personal health information security in research. These principles should be followed along with applicable requirements of all involved institutions, conditions in research agreements and other legal, policy and practice requirements.
- Work with de-identified data at all times unless this is not possible for your work and you have explicit Research Ethics Board (REB) or other official University approval to work with identifiable data. Code data as early as possible and keep the key separate (in a physically separate space or in a separate electronic file) from the data.
Working with Identifiable or Other Confidential Data
- Avoid using hard copy media for storing identifiable or confidential data if possible.
- If you must use hard copy media for identifiable or confidential data, keep the data in a secure institutional environment with restricted access and lockup capability.
- Only take hard copy media with identifiable or confidential data offsite if absolutely necessary and permitted by REB approvals and research agreements.
- If you must take hard copy media outside a secure institutional environment, take all reasonable security precautions consistent with protection of a high-value asset.
- If collecting identifiable data in the field, maintain the minimum amount possible securely on your person until you return to a secure location. De-identify the data as soon as possible. As consent forms include personal information, verbal consent in some research situations may be preferable to protect research subjects. Please consult your REB.
Working with Electronic Data
- Keep data in a secure server environment. Only access it securely (virtual private network or encrypted remote desktop). Ensure that data are not cached or otherwise stored outside a secure server environment, for example on a desktop or laptop computer.
- Keep any identifiable data which are outside a secure server environment encrypted at all times except to the extent that you need to decrypt them during use.
General Requirements
- Do not store or disclose personally identifiable or confidential data other than as necessary for your research and consistent with explicit REB or other official University approval.
- Keep an accurate and up-to-date log detailing your use of personally identifiable and/or confidential data and specific security and privacy protection measures that you apply.
- Immediately report privacy concerns (like possible data loss) to the University FIPP Office.
- Ensure that records are retained only as long as is required to accomplish research purposes and satisfy legal and policy retention requirements.
- Ensure the secure destruction of all personally identifiable or confidential information at the end of applicable retention periods.
For details about security principles, see App. 1; “TAHSN Principles for Development of Policy and Guidelines on Security of Personal Health Information Used for Research Purposes” (TAHSN Principles) and the University’s General and Administration Access and Privacy Practices. Certain specific details of the TAHSN Principles address the Personal Health Information Protection Act and may not apply to all confidential data. The Information and Privacy Commissioner/Ontario (IPC) produces detailed materials on personal health information, security and privacy, including Safeguarding Personal Health Information and Encrypting Personal Health Information on Mobile Devices.