UBC Information Security Standards

UBC’s Chief Information Officer has published Information Security Standards, which each lab must carefully consider and adhere to when choosing data sharing and storage services. The documents most pertinent to the purposes of this white paper are listed below and are outlined in the following sections.

  1. Policy 104, Acceptable Use and Security of UBC Electronic Information and Systems
  2. Information Security Standard #01: Security Classification of UBC Electronic Information
  3. Information Security Standard #03: Transmission and Sharing of UBC Electronic Information

Security Classification of UBC Electronic Information

UBC Electronic Information is “electronic information needed to conduct University Business” as defined in Policy 104, Acceptable Use and Security of UBC Electronic Information and Systems.

The relevant precautions and standards depend on the nature of the data and are outlined in Information Security Standard #01: Security Classification of UBC Electronic Information. It is therefore crucial to classify data before taking any action to store and/or share it. The Information Security Classification Model has four levels: Low Risk, Medium Risk, High Risk, and Very High Risk. Research data that is non-personal and non-proprietary is considered Low Risk, while non-personal and proprietary research data is Medium Risk. Employee IDs and home addresses fall under Personal Information and are therefore considered High Risk. Very High Risk UBC Electronic Information includes biometric data, date of birth, and personally identifiable genetic data.

Note

The classification of data may change over time, hence the method of data sharing and/or storage being used can also be changed as other options become permissible or more desirable.

Transmission and Sharing of UBC Electronic Information

There are two sections of note in this standard. The table under Section 9 provides the method(s) of transmission appropriate for each information security classification. To ensure compliance, Table 2 categorizes the major services presented in this paper by method of transmission; note, however, that the classifications made here have not been approved by the Office of the Chief Information Officer.

Section 11 must also be heeded for decisions regarding data storage and sharing. It is as follows:

Subject to section 9, if the User is using personal accounts or other information sharing tools to share UBC Electronic Information, they are responsible for ensuring that a copy of this information is stored on UBC Systems, in addition to any desktop computers and mobile devices, at all times.

UBC Systems include, but are not limited to, Compute Canada, Teamshare, Educloud, FRDR, Dataverse, and servers and computer systems in UBC. Hence, it is recommended that data be stored and/or shared on UBC Systems first if other services are to be used.

Please be advised that sharing of Very High, High, and Medium Risk UBC Electronic Information through personal email is not permitted under Policy 104, Acceptable Use and Security of UBC Electronic Information and Systems. Contact information of UBC faculty and staff is considered low risk information and is not recommended for sharing through personal email. It is therefore highly recommended for members of the lab to secure and use a UBC email account for University Business.

Major data sharing and storage platforms classified according to Information Security Standard #03: Transmission and Sharing of UBC Electronic Information