DATA SECURITY AND PRIVACY

What data types does your government have, and how do you decide what level of protection is needed for different types of data? A good place to begin your data security and privacy efforts is by developing a system to classify your existing data according to levels of sensitivity and implementing appropriate safeguards for each level.

In the development of a data management plan, your government should assess what the potential damage is to an individual in the event of a data breach. Your government should consider analyzing risk throughout the data lifecycle to understand what risks may exist for personal information under their stewardship.

Your government should maintain a data security breach communications policy. The policy will indicate steps to take in response to a breach, including the who, how, and when of communicating with the individuals who have lost personal data. See an example of data security breach policies in the BCFNDGI Privacy and Security Policy Manual.

In the downloadable resource documents “Data Security and Privacy – Key Concepts” and “Data Security and Privacy – Best Practices,” we introduce key concepts and best practices that will help you understand privacy and security risks.

This document covers:

• Data security
• Privacy
• Confidentiality
• Integrity
• Availability
• Authenticity
• Accountability and auditability

This document covers:

• Using a privacy notification when personal information is collected.
• Limiting access to personal information among staff.
• Data residency.
• Staff security and confidentiality agreements.
• Keeping a data retention schedule.

This downloadable resource describes the following security and privacy principles that should be considered in developing a data management system:

• Least privilege
• Fail-safe defaults
• Economy of mechanism
• Complete mediation
• Open design
• Minimization of risk
• Least common mechanism
• Psychological acceptability
• Defense in depth

Data management plans have traditionally focussed on the prevention of unwanted access and the protection of data. However, systems still fall victim to data loss and unwanted access because users (authorized and unauthorized) can find their way around security safeguards. Although access restrictions are a vital part of data protection, these protections can still fail due to a lack of monitoring and communication. In many cases, an organization may not even know something has been compromised or accessed.

This downloadable resource introduces a three part system to be considered in data management plans (prevention, detection, response). It discusses key areas to maintain data privacy and security in a system.

Other Resources

The Portage DMP Assistant, which is based on internationally accepted standards and best practices, helps develop data management plans. This tool has been prepared and is maintained by a group of research data management experts from research libraries across Canada.

DMPTool provides the core structure for developing a data management plan. It is a template developed by multiple institutions in the United States.

Inter-university Consortium for Political and Social Research (ICPSR) provides a sample data management plan that can be used as a starting point. The ICPSR is an international consortium of more than 750 academic institutions and research organizations that provides leadership and training in data access, curation, and methods of analysis for the social science research community.

Access and use refer to how data is accessed by internal and external parties. Appropriate access and use rules are critical to protecting data privacy.

This downloadable resource discusses:

• Access logging and auditing (i.e., logging who has accessed data and system resources).
• Controlling access (i.e., safeguards to control who has access to the system and who can make modifications).
• Authorization and authentication (i.e., who is permitted access to the system, what resources are they permitted to access, and verifying their identity).

Your government will need policies and plans on:

• Security and privacy breaches, including a breach communications policy.
• Data loss management.
• Internal and external access to data.
• Password policies.
• Key management strategies for encryption.
• Network management.
• Secure transfer of data to and from external parties.
• Data destruction.
• Data classification.

Example Policies

Refer to the BCFNDGI Privacy and Security Policy Manual for a set of policy templates.

Statistics Canada’s Compendium of Management Practices for Statistical Organizations from Statistics Canada’s International Statistical Fellowship Program – Chapter 4.6: Respecting privacy and protecting confidentiality provides an introduction to privacy and confidentiality issues for statistics offices and a list of measures for respecting privacy and protecting confidentiality.

Examples of government policies which may be useful as a reference include:

• The Government of Canada’s Policy on Privacy Protection provides direction to comply with the Privacy Act.
• The Government of BC’s Privacy Management and Accountability Policy is the framework for the Province of BC’s privacy management program.
• The Government of BC’s FOIPPA Policy & Procedures Manual includes all of the policies related to the Freedom of Information and Protection of Privacy Act.

Public institutions such as health authorities and universities are a good source for tools to support confidentiality and security:

• The Nisga’a Valley Health Authority Privacy Policy
• The Shared Health Organizations Portal (SHOP) is a central access point for policies of the Provincial Health Services Authority, Vancouver Coastal Health, and Providence Health Care in BC. There are many privacy and confidentiality-related tools stored in SHOP. For example:
  • Vancouver Coastal Health Information Privacy & Confidentiality Policy.
  • BC Transplant Confidentiality Agreement for employees or affiliated individuals.
• The University of British Columbia’s Office of the University Counsel has guidelines on protection of privacy and access to information to help staff and faculty comply with the Freedom of Information and Protection of Privacy Act (FOIPPA). These documents contain best practices and protocols. See the following:
  • Privacy Fact Sheet: Collecting Personal Information
  • Privacy Fact Sheet: What is Personal Information?
  • Privacy Fact Sheet: Conducting Surveys
  • Privacy Fact Sheet: Handling Privacy Breaches
  • Security and Confidentiality Agreements for external individuals
  • Access and Privacy at UBC: A Guide for Faculty and Staff

Consider implementing a training program to promote a culture of data security and privacy awareness amongst staff. Training can include:

• Common threats and impacts to business.
• Clean desk policies.
• Locking inactive systems.
• Concealing valuables.
• Risk on sharing credentials.
• Not clicking on suspicious links and attachments.
• Reporting security incidents.

Security and privacy awareness training should be conducted on an annual basis and forms a key component of the data management plan. The Province of BC Information Security Awareness website provides introductory level materials on information security designed for the public. There is also a free online training self-directed course on information security available from this site.

The Organisation for Economic Co-operation and Development (OECD) privacy framework provides guidance for the development of privacy frameworks and the flow of personal data.