Secure

Data Security

All research data is important, and keeping it secure is essential to preventing loss and unauthorized access or modification. Protecting research data requires a holistic approach, including protection of research and personal computers as well as online user accounts. But some data is especially risky, and could cause harm if released to the public. That is Sensitive Data. A quick rule of thumb is, how embarrased would you be if your data was published on the front page of a major newspaper? If you'd be proud to see your data there, and not concerned about its disclosure, your data is likely not sensitive. On the other hand, if you think you might lose your job over the release of that data, your data is likely high risk. If you have sensitive data, you will face additional requirements for storing and sharing your data. In particular sensitive information should be password protected and encrypted whenever on a device with internet access or stored online. Furthermore, there are additional guidelines when dealing with Indigenous data. Data Security and Privacy for Indigenous data is described in the Indigenous Data Governance and Management Toolkit.

Cyber Security

Secure your Accounts

Your online accounts hold a lot of personal and confidential data and information. If research data is stored in a cloud storage platform, access is mediated through that account. Make sure your online accounts are secure by following these tips.

Use a strong password. A good password is
- Long: MacID passwords must be a minimum of eight characters, but we recommend at least 12 characters for increased security.
- Complex: Your password should not contain common dictionary words or names, and must contain characters from three different character sets, such as upper case, lower case, numbers and symbols.
- Unique: Your MacID password should be used only with your MacID to access McMaster resources. If you have signed up for other services using your McMaster email account, you should use a password there that is different.
- Secret: Don’t share your password with anyone!
If you have too many passwords, try using a Password Manager. You can some tips for using a password manager here.
Enable MFA on your important accounts, especially your email and financial accounts. You can enable MFA on your McMaster Microsoft 365 account here.
Follow McMaster's Cyber Security Checklist.
Beware of Phishing attacks: follow the Identify-Report-Delete steps laid out by McMaster IT Security here.
Check out more McMaster Cyber Security Resources here.

Secure your Systems

Computers and mobile devices keep all the research data and documents, as well as private information about you and potentially others. It's more important than ever to make sure these devices are secure and to use them safely. Some key steps include:

Install security software including antivirus or end-point protection software. McMaster provides free access to TrendMicro Apex One and Cortex XDR.
Make sure operating system security features like Windows Defender and Firewalls are enabled.
Install privacy browser extensions like Privacy Badger to automatically block invisible trackers on the web.
Don't skip software updates! Always accept updates when your computer prompts you and turn automatic updates on wherever they’re available.
- Be careful when you download files - make sure you trust the source and use caution when opening files.
More information about securing your systems can be found at the Government of Canada Get Cyber Safe website
Make sure your wireless home network is secured with a password
When you're on a public wireless network, use the VPN at all times and make sure the websites you connect to are secure by looking for the lock icon in the browser address bar.

For additional information:

Check out the Government of Canada's Safeguarding Your Research and Get Cyber Safe websites.
Take a look at McMaster's IT Security and Cyber Security Resources: Working from Home websites.

Data Risk Assessment

Sensitive data is any data that, if released to the public, would cause potential harm. Some examples of sensitive data include research participants’ personal information like ethnicity or address, ecological data including endangered species nesting sites, sacred indigenous cultural practices, or confidential commercial information. Any research conducted using human participants must go through ethics review by either the McMaster Research Ethics Board (MREB) or the Hamilton Integrated Research Ethics Board (HiREB).

McMaster classifies research data into three levels of risk, Low, Medium, or High, based on the potential for harm if data is leaked or obtained by unauthorized individuals. These risk levels were designed around research involving human participants, although they may apply to other research designs as well.

Low Risk data is Research data that does not contain any sensitive or identifiable information about individuals, organizations, or communities. There is no significant risk from disclosure, loss, or unauthorized release of low risk data. Low risk data does not contain any sensitive information or identifiable information about individual, communities, or organizations.

Examples of low risk data include non-sensitive research documentation, publicly facing information, completely anonymized or de-identified data with no risk of re-identification, or published data intended for public access.

Medium Risk data is research data that may or does contain confidential, sensitive, or identifiable information about individuals, organizations, or communities. Disclosure, loss, or unauthorized release of medium risk data may result in putting participants at risk.

Examples of medium risk data include some sensitive research-related documentation, personally identifiable information, de-identified records of compensation, data and research protocols related to private or sensitive intellectual property, de-identified financial information associated with research payments, identifiable demographic data and/or information about participants’ beliefs, opinions, health, etc., that in the context of the study would be considered medium risk.

High Risk data is research data that contains highly sensitive information about individuals, organizations, or communities. Disclosure, loss, or unauthorized release of high risk data may result in significant risk for the participant, the researcher, and potentially the institution including reputational damage, significant professional or personal disruption, financial consequences and legal liability.

Depending on the study context, examples of high-risk data could include information with regard to racial or ethnic origin; political opinions; religious beliefs or other beliefs of a similar nature; trade union membership; physical or mental health or condition; sexual life; the commission or alleged commission by the data subject of any offence or criminal activity. Other examples of high-risk data may include Personally Identifiable Information (PII) (where a breach of confidentiality would carry a high risk for research participants), Personal Health Information (PHI) and credit card information (PCI).

High-risk data requires very strong controls against unauthorized disclosure, loss, and modification.

Human Participant Data

Research with human participants can be an essential contribution to our society. However, it carries with it critical ethical responsibilities to ensure research participants are protected and respected, to help ensure troubling histories of harmful research practices are not repeated.

In Canada, this is guided by the Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans, also known as TCPS2, which aligns with McMaster University policy. At McMaster, proposals for involving human participants are reviewed and approved by the Hamilton Integrated Research Ethics Board (HiREB) for Health Sciences research, and the McMaster Research Ethics Board (MREB) for all other research. These requirements have implications for research data.

Indigenous Data:

Indigenous Data: Refers to any kind of information collected by, with, or about Indigenous people. This can come in forms such as text, numbers, symbols, images, videos, etc. The data can be about their land, water, or culture. (NCRIS, 2022)

Dealing with Indigenous Data in your research will require additional responsibilites. Some notable guiding principles and resources include:

OCAP, a set of principles set forth by the First Nations Information Governance Centre (FNIGC) which asserts the need for First Nations communities to have ownership, control, access, and possession of data involving them. Not all nations will choose it as a framework for the management of their data. Connecting with Indigenous communities and consulting resources early will help to ensure your project incorporates best practices relating to Indigenous data sovereignty from the start.
OCAS, principles endorsed by the Manitoba Métis Federation, which asserts ownership, control, access, and stewardship for research data.
Inuit Qaujimajatuqangit, ᐃᓄᐃᑦ ᑕᐱᕇᑦ ᑲᓇᑕᒥ (Inuit Tapiriit Kanatami) National Inuit Strategy on Research which ensures Inuit access, ownership, and control over data and information.
CARE, an overarching set of principles highlighting the need for research involving Indigenous communities to have collective benefit. The communities themselves have the authority to control their data, with the goal of conducting responsible and ethical research.

Video Conferencing Platforms

Video Conferencing Platforms enable researchers to connect with participants across great distances. They can also potentially enable high-quality audio collection for focus groups and interviews. However, cloud-based communication and storage are riskier from a cyber security perspective, being connected to the internet.

Ensure consent process make clear the risks to participants and include details on privacy policies to ensure they understand how their data will be used.
Suggest alternative methods for data collection if they would make participants more comfortable.
McMaster guidelines: Using Video Conferencing Platforms for collecting data from Human Participants

Transcription

Online transcription services, especially those using Artificial Intelligence (AI) technology, can save researchers time and money. However, online platforms increase the risk of a data breach and have privacy risks which researchers need to be aware of in order to protect research participants.

In general, online transcription services should only be used for low- and medium -risk data. Offline transcription or professional human transcription with confidentiality agreements should be used for high-risk data and researchers should be personally transcribing in the highest risk situations.

McMaster guidelines: Using Transcription with Data from Human Participants

Data Storage and Security

Although data storage and security are essential for all types of research, keeping human participant data safe can be especially important. If you're working with other humans, learn about specific considerations and regulations for storage and security, including physical, administrative, and technical security measures. Can you store sensitive data on a password-protected laptop? How long should you keep your data? What's the best way to share data with your co-investigators at other institutions? Find out more in this handy all-in-one McMaster-specific resource.

MREB Data Storage and Security Tools

Data Management Language for Informed Consent

Portage Network's Sensitive Data Expert Group has developed the Sensitive Data Toolkit, a collection of tools for Canadian researchers to use in managing sensitive data: a glossary, risk matrix, and most importantly for ethics applications, RDM language for informed consent that provides template language for researchers to use in ethics approval processes and consent forms with deposit-friendly language.

Data Anonymization

Some research data may contain sensitive information, and cannot be shared for legal or ethical reasons. Sensitive information may contain data including:

Personal Identifiers
Personal Health Information
Personal financial information
Confidential business information
Sensitive ecological information
Indigenous cultural practices

Some datasets containing Sensitive information can be anonymized or de-identified, allowing for sharing to happen. De-identification is the process of removing any identifiable data from a dataset. Typically this happens by removing or replacing personal identifiers. With some datasets, it may be impossible to completely anonymize the data, as even when direct identifiers are removed, combinations of other data may make it possible to still identify the individuals in the dataset. Datasets that cannot be completely anonymized should not be shared openly.

Several software packages exist which can help with de-identification of data. For a full review of the different packages, see the Portage De-Identification Guidance document. The recommended tools are Amnesia, and sdcMicro. Amnesia is considerably easier to use but sdcMicro has a more powerful feature-set.

The Portage Network de-identification guidance document also outlines strategies and approaches for de-identifying research data. Another helpful reference might be the De-identification Guidelines for Structured Data from the Information and Privacy Commissioner of Ontario.

An Endangered Species Data Sharing Assessment may be relevant to researchers de-identifying sensitive ecological information.

2023 McGill Data Anonymization Workshop Series:

Workshop 1 - Reducing risk: An introduction to data anonymization (Kristi Thompson) - English | French | Slides
Workshop 2 - ARX: Anonymising data in theory and practice (Fabien Prasser) - English | French | Slides
Workshop 3 - Ethically sharing qualitative data (Sebastian Karcher) - English | French | Slides
Workshop 4 - Qualitative data sharing: A roadmap and resources to facilitate responsible and ethical data sharing (Jessica Mozersky, Albert Lai, Sara Britt) - English | French | Slides

Portage Reducing Risk Webinar:

Encryption

Encryption is a process of transforming information so that it is only readable to a person with the correct authorization. Typically this authorization takes the form of a password but it can involve a hardware security key such as a YubiKey or MobiKey.

You might see the phrases “encryption at rest” or “encryption in transit”. “Encryption at rest” means data is encrypted when it is being stored, and “Encryption in transit” means that data is encrypted while it is being transmitted from your devices to the storage provider.

Data that is medium or high risk and stored on a device connected to the internet should be encrypted. That data must be encrypted if it is stored on a cloud storage platform such as OneDrive or Dropbox.

Warning: if you lose your password to an encrypted drive or file there is NO WAY to access the encrypted data.

Encryption Options:

RDM Specialist Isaac Pratt demonstrates a step-by-step walkthrough of encryption at a file and folder level, as well as working with VeraCrypt in the video recording for How to Implement Encryption to Protect your Research Data Online.

Full Disk Encryption: Windows or MacOS computers can use full disk encryption, where the operating system encrypts the whole hard drive or SSD that the computer is using. See the following links for details:

MacOS

Windows

Encrypt a USB drive:

MacOS

Note: this method will produce drives running the Apple Protocol File System - Encrypted (APFS-encrypted), which requires 3rd party paid software to read on Windows computers. These drives cannot be written to on Windows.

Windows

Buy a pre-encrypted USB drive:

Products like the Kingston Datatraveler, Kingston Ironkey, Apricorn Aegis Secure Key, or ISTORAGE Datashur Pro come pre-encryped with their own secure access software.

Encrypt individual files:

An easy way to work with data while keeping it encrypted is to create an encrypted virtual disk. This virtual disk can be mounted similar to a USB key or other external drive and will appear in the list of drives similar to a normal drive (in windows it will have a drive letter like K:). When the drive is mounted the files will be accessible for work, and when the drive is unmounted the files will be encrypted and unable to be accessed without the password. These virtual disks can be stored and shared on normal file storage services such as OneDrive or MacDrive.

MacOS can create encrypted ‘disk image’ files with the .dmg extension. Disk Images are files which act as containers for other files.

Microsoft Office can encrypt individual documents

Windows can easily encrypt individual files or folders.

Veracrypt is a third party free open source encryption software package for MacOS, Windows, and Linux.

Secure

Secure

Data Security

Recommended Resources

Cyber Security

Secure your Accounts

Secure your Systems

Data Risk Assessment

Human Participant Data

Indigenous Data:

Video Conferencing Platforms

Transcription

Data Storage and Security

Data Management Language for Informed Consent

Recommended Resources

Data Anonymization

Encryption

Encryption Options:

RDM Funder Requirements

Research Security Links

Government of Canada Research Security

McMaster Research & Innovation

Secure

Secure

Data Security

Data Security

Recommended Resources

Cyber Security

Cyber Security

Secure your Accounts

Secure your Systems

Data Risk Assessment

Sensitive Data

Human Participant Data

Human Participant Data

Indigenous Data:

Video Conferencing Platforms

Transcription

Data Storage and Security

Data Management Language for Informed Consent

Recommended Resources

Data Anonymization

Data Anonymization

Encryption

Encyption

Encryption Options:

RDM Funder Requirements

Research Security Links

Government of Canada Research Security

McMaster Research & Innovation