Sensitive data is any data that could cause harm if released to the public. Examples of sensitive data include research participants’ personal information such as ethnicity or address, ecological data including endangered species nesting sites, sacred Indigenous cultural practices, or confidential commercial information. Any research conducted using human participants must go through ethics review by either the McMaster Research Ethics Board (MREB) or the Hamilton Integrated Research Ethics Board (HiREB).
McMaster classifies research data into three levels of risk, Low, Medium, or High, based on the potential for harm if data is leaked or obtained by unauthorized individuals. These risk levels were designed around research involving human participants, although they may apply to other research designs as well.
Low Risk data is research data that does not contain any sensitive or identifiable information about individuals, organizations, or communities. There is no significant risk from disclosure, loss, or unauthorized release of low risk data.
Examples of low risk data include non-sensitive research documentation, publicly facing information, completely anonymized or de-identified data with no risk of re-identification, or published data intended for public access.
Medium Risk data is research data that contains or may contain confidential, sensitive, or identifiable information about individuals, organizations, or communities. Disclosure, loss, or unauthorized release of medium risk data may put participants at risk.
Examples of medium risk data include some sensitive research-related documentation, personally identifiable information, de-identified records of compensation, data and research protocols related to private or sensitive intellectual property, de-identified financial information associated with research payments, identifiable demographic data and/or information about participants’ beliefs, opinions, health, etc., that in the context of the study would be considered medium risk.
High Risk data is research data that contains highly sensitive information about individuals, organizations, or communities. Disclosure, loss, or unauthorized release of high risk data may result in significant risk for the participant, the researcher, and potentially the institution, including reputational damage, significant professional or personal disruption, financial consequences, and legal liability.
Depending on the study context, examples of high-risk data could include information with regard to racial or ethnic origin; political opinions; religious beliefs or other beliefs of a similar nature; trade union membership; physical or mental health or condition; sexual life; the commission or alleged commission by the data subject of any offence or criminal activity. Other examples of high-risk data may include Personally Identifiable Information (PII) (where a breach of confidentiality would carry a high risk for research participants), Personal Health Information (PHI) and credit card information (PCI).
High-risk data requires very strong controls against unauthorized disclosure, loss, and modification.