Planning Research with Security and Privacy in mind

Introduction 

It is very complicated to place cybersecurity at any specific point in the lifecycle of a research project, as will often impact at every step, from planning to delivery and operations, and even beyond if the project involves long term electronic information storage. UBC, as well as industry good practices recommend that cybersecurity considerations be evaluated from the earliest stage (planning), to ensure the project timeline is not compromised, or altered by a missing requirement, or incident. 

This page will provide key cybersecurity considerations for researcher to keep in mind during the planning phase of their research projects.  

Before you read this page 

Regardless of the sensitivity of your data, it is strongly recommended that you consult with an Information Security professional when planning a research project that will collect, process, store, and/or share electronic information. This page covers high-level concepts about Information Security, and may not include all information specifically applicable to your research project. 

For assistance, please contact arc.support@ubc.ca  

Identify your research data  
  • The following questions may help identifying your data
  • What is (will be) the nature of your data (e.g.: clinical imaging data)? 
  • Who is the owner of the data? 
  • Is the data subject to a specific regulation, or bound by a data sharing agreement?  
  • Does it includes any information that would allow an individual (or group of) to be identified? 
  • Does it includes Intellectual Property? 
Classify your research data 

When considering the security of your electronic research information, one of the first actions you should take is identify its classification. Electronic Information Classification (also known as Data Classification) is a crucial step in building your research projects security posture, as it defines the safeguarding requirements that should be in place, to ensure your research data remains safe, and compliant. Electronic Information Classification is also a requirement of UBC Information Security Policy SC14, and is defined in Standard U1 (ISS-U1). 

To assign a classification to your data: 

  1. Consult UBC Information Security Standard U1(ISS-U1)
  2. Define the nature of your data;  
  3. Identify the elements you collect, process or store that meets the highest risk in ISS-U1; 
  4. Assign an electronic information classification to your research data based on the result of step 3. 

Note: Regardless of the amount of information you collect, process, or store, the most sensitive element you identified should be the one defining your electronic information classification.    

Identify your project requirements 

Now that you’ve identified your data classification, it is important that you evaluate what your project requirements are, to facilitate planning on how, when and where it will be handled. Here are a few key considerations: 

  • What is the expected dataset size? 
  • Who will need access to the dataset? 
  • How will the data be collected?  
  • How will the data be analyzed/processed? 
  • Will a third party be involved in the collection, processing, or storage? 
  • What will happen to the data after the research is completed? 
  • How long will the data be retained? 

  For more information, visit our Research Data Management page 

Identify Security and Privacy Requirements 

Security and Privacy requirements can be divided into three segments: 

UBC Security Requirements: 

UBC Electronic Information must be protected following the requirements of UBC Information Security Policy SC14 and associated Standards. To facilitate the compliance verification process, you may complete our Security Compliance Checklist, or visit our Information Security page.  

UBC Privacy Requirements:    

Based on the nature of the data your project will be working with, and the risk involved, you may be required to complete a Privacy Impact Assessment. Visit our Information Privacy page for more information. 

Other Security and Privacy Requirements: 

If you will be working with regulated data, or data that is bound by a data-sharing agreement, you will likely be required to meet specific security and privacy requirements that will be defined by the regulation, or agreement. It is recommended that your review any regulation, and/or agreement to identify any security and privacy requirements. Need help? Contact us at arc.support@ubc.ca. 

Find the right storage  

You’ve identified your data, what you plan to do with it, and what are the safeguarding requirements. The next step is to find where it should live during and after the completion of the research project. UBC offers a number of storage solutions, and the best-suited solution will vary depending on the requirements identified in the previous steps. For assistance with information storage, contact us at arc.support@ubc.ca.  

Find the right collection and analysis tools 

How to find the right solution for data collection, and/or processing/analysis? What should you be looking for, or avoid? How can you ensure it meet the security and privacy requirements associated with your project? Visit our The do’s and don’t of research tool [coming soon] finding page for more information. 

Create a Data Management Plan 

Your Data Management Plan (DMP) will cover the entire lifecycle of the data, from planning to long term preservation of data deliverables after the research investigation has concluded. From a cybersecurity perspective, the DMP will allow you to identify where in the lifecycle of your project, security will be required.  

For more information, visit our Research Data Management section.   

Create your procedures  

Regardless of how your data is collected, processed, and stored, you should have procedures in place to ensure it is properly safeguarded during its entire lifecycle. Here are a few recommended procedures: 

  • On-Boarding and Off-Boarding procedures 
  • Responsible, Accountable, Consulted, Informed (RACI) chart 
  • User Access review and audit procedure 
  • Participant Consent Withdrawal procedure 
  • Data transfer and sharing procedures 
  • Data backup and restore procedures 
  • Incident Response Plan 

Additional Resources 

For more information about Information Privacy for research, you may also consult:  

Office of the CIO 
https://cio.ubc.ca  

Office of the University Counsel 
https://universitycounsel.ubc.ca/  

PrivacyMatters 
https://privacymatters.ubc.ca/