Electronic Information Security

Electronic Information Security (also known as data security) is one of the most important aspects of Research Data Management. 

Regardless of your research information classification (sensitivity level), security safeguards should be in place to ensure it is not lost, stolen, or otherwise compromised. At UBC, your research group must ensure the electronic information you collect, process, store, and share meets University security and privacy requirements, as well as applicable provincial, national, and international regulations. 

Before reading this page 

Regardless of the sensitivity of your data, it is strongly recommended that you consult with an Information Security professional when planning a research project that will collect, process, store, and/or share electronic information. This page covers high-level concepts about Information Security, and may not include all information specifically applicable to your research project. 

For assistance, please contact arc.support@ubc.ca 

Classification 

Electronic Information Classification (also known as Data Classification) is a crucial step in building your research project's security posture, as it defines the safeguarding requirements that should be in place for your project to be compliant with university policies.

To assign a classification to your data, you should: 

  1. Consult UBC Information Security Standard U1 (ISS-U1);
  2. Define the nature of your data;
  3. Identify the elements you collect, process, or store that meet the highest risk in ISS-U1;
  4. Assign an electronic information classification to your research data based on the result of step 3. 

Note 
Regardless of the amount of information you collect, process, store, or share, the most sensitive element you identified should be the one defining your electronic information classification. 

Processing 

Part of your research project planning is usually to identify how your data will be processed, and which tools you may use. 

Before you start the procurement process, you should make sure the solution you'd like to use meets the UBC Information Security requirements of Policy SC14 and associated Standards. To facilitate this process, UBC Advanced Research Computing (ARC) offers free security services, including self-service tools, consultations, and various types of security assessments.

Take a deeper dive 
To find out more about ARC Security Services, visit https://arc.ubc.ca/securityandprivacy 

If you wish to explore the UBC Information Security Policy and Standards, visit https://cio.ubc.ca

Storage 

Electronic Information storage plays a central role in your Research Data Management lifecycle, as it must be considered from the beginning to the end of a project, and beyond if your research data is stored for the long term.

Properly safeguarding your data when stored is one of the most important aspects of a robust information security plan. When planning for electronic information storage, consider the following: 

Is your data subject to specific regulations? 
Privacy regulations such as FoIPPA may restrict the storage location of certain types of electronic information, like personally identifiable data. Before establishing a data repository, you should ensure the regulatory requirements that apply to it are met.

Did you know UBC has security requirements for electronic information storage? 
UBC’s Information Security Standard U7 applies to research data, regardless of where it will be stored, and includes location details such as local devices, external hard drives, cloud, and lab servers. Consult UBC Information Security Standard U7 for more information about these requirements, or book a consultation with one of our subject matter experts.

Is your data subject to a specific ownership, sharing, or copyright agreement?
When research data are owned by more than one institution, or are subject to specific agreements, responsibility for safeguarding them, as well as any specific security requirements, may be defined within the agreement. If your data is subject to such an agreement, read it carefully before completing your RDM plan to ensure all security requirements are covered.

Will your data be in the custody of an external party? 
If your research data will be in the custody of an external party (e.g. solution provider or other institution), the agreement between UBC and this external party should define responsibility for safeguarding the data, as well as any specific security requirements. Visit the University-Industry Liaison Office page for more information. 

Will you be storing your data outside the UBC infrastructure? 
Where possible, it is recommended that your research data be stored within the UBC infrastructure for the duration of your project and for at least five years after the work is published or otherwise presented, regardless of its classification (per the requirements of the Scholarly Integrity Policy SC6, section 2.1.4).

For more information about data retention, visit our Research Data Management page.

Note: UBC Electronic Information stored outside the UBC infrastructure is subject to UBC Information Security requirements. 

Sharing 

When sharing data with external collaborators, you will need to consider information management, custody/ownership, and safeguarding requirements. 

For more information about sharing data, visit our Sharing Data page. 


 

Additional Resources 

For more information about Information Security for research, you may also consult:

Office of the CIO: https://cio.ubc.ca
Office of the University Counsel: https://universitycounsel.ubc.ca/
PrivacyMatters: https://privacymatters.ubc.ca/