Image by Pete Linforth from Pixabay
BC: Freedom of Information and Protection of Privacy Act (FOIPPA)
Douglas College:
Canada: The Privacy Act
Tri-Agencies:
Digital Research Alliance of Canada (formerly Portage Network):
| NOTE: Research partners in other jurisdictions are bound by their own privacy laws and institutional requirements. If you intend to share your unredacted data with partners outside of Douglas College, make sure you are familiar with their privacy and data security policies/obligations and ensure that they do not conflict with your own. |
| As noted above, if your project will require that you collect personally identifying information (PII) and/or sensitive information you are bound by legal, institutional, and funder requirements to protect your data from unauthorized access - both during the active phase of your research and in your publication/data deposit future. |
Note: one of the simplest ways to protect personally identifying information is not to collect it at all. Determine what is essential for your research project and collect only that.
Start by conducting your own Privacy Impact Assessment (PIA).
This refers to any information that would allow an unauthorized party to identify your research subject(s). PII can be directly identifiable information such as:
|
NOTE: "It is sometimes possible to infer the identity of someone participating in a research study even when the data for the study do not contain any explicit identifiers. (Princeton University. Research Data Security). |
This situation most commonly arises when it's possible to associate a number of different variables with a specific research participant - even if none of those individual variables are personally identifying, such as:
Example scenario: One of your participants lives in a small town and works at the only car dealership in a 50km radius. He is 31 years old and everyone on staff knows that he recently earned his PhD in marketing. If your dataset allows users to see how many 18 - 35 year old men from your study have earned a Phd, work in car sales AND reside in that town or region, everyone at his place of employment will be able to identify that participant.
Some types of private data are also sensitive. While BC’s Freedom of Information & Protection of Privacy Act (FIPPA) and Personal Information Protection Acts (PIPA) do not have a formal definition for ‘sensitive data,’ think of it as information that, if exposed to unauthorized persons, could cause harm to the participant, the College, and/or your research partners. Clearcut examples include:
It's not always obvious, however, as seemingly harmless information may be sensitive in some contexts. For example, principle 4.3.4 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA) notes that a list of the magazines a participant subscribes to could be sensitive data depending on the topic areas of those publications.