Cybersecurity

Cybersecurity touches every aspect of the digital world. Using digital tools and resources responsibly is important not only to protect our own information, but also to protect the data and privacy of all the members of the community we are a part of. When doing digital research, cybersecurity cannot be an afterthought. It needs to be at the forefront when designing data management plans, developing and configuring software, or planning to transfer sensitive data to external tools and services. The level of sensitivity is an important consideration in determining how research data should be managed at all points throughout the research lifecycle.

 


Sensitive research data classification

The goal of the McGill research data classification tool is to help McGill researchers to identify, understand, and better manage research data in ways that are consistent with laws, disciplinary norms, and funder and institutional policies. This classification must always be used in conjunction with all additional compliance requirements applicable (e.g., Research Ethics Board requirements, contracts, agreements, applicable laws, ethical conduct, etc.).

All members of the university community are required to:

  • comply with these obligations;
  • use sensitive data only for the purposes for which they are collected;
  • respect any restrictions on their use; and
  • collect, store, and dispose of data in ways appropriate to minimize the risk of unintended disclosure or compromised data integrity.

There are four levels in this data sensitivity classification. Descriptions and examples of each level of data sensitivity are given below.

If you have questions about this tool or require support in determining the sensitivity of or safeguarding your research data, please reach out to the DRS team at drs [at] mcgill.ca.

 

Cloud Directive

When acquiring a Cloud solution, the proper level of data sensitivity must be determined. Data with different levels of sensitivity can co-exist within the same research project. To evaluate the appropriateness of a Cloud service, researchers must determine the highest sensitivity level of the data that will be sent, stored, processed, or managed on this Cloud service.

 

Indigenous data

When conducting research involving First Nations, Métis, and Inuit communities and their data, it is critical to ensure that the unique rights, interests, and circumstances of these communities are acknowledged, affirmed, and respected.

In line with the concept of Indigenous self-determination and in an effort to support Indigenous communities to conduct research and partner with the broader research community, we strongly encourage researchers to discuss and determine the level of data sensitivity in partnership with Indigenous communities for all research projects involving Indigenous knowledge, cultural expressions, and data.

Indigenous research data must be managed in accordance with data management principles developed and approved by these communities, and on the basis of free, prior, and informed consent.

Very high sensitivity

Description: The unauthorized disclosure, alteration, unavailability, or destruction of the research data could cause critical harm to the research participants, McGill University, and/or its affiliates. Most of the data at this level of sensitivity are regulated by laws[1].


Research data examples

  • Highly sensitive personal information that may bring severe harm and risk to research participants (e.g., criminal records, domestic violence, political dissidents, immigration, etc.)
  • Personal Health Information regulated by laws (e.g., medical health records)
  • Research data that have implications for national security and interests (e.g., Classified Information[2], dual-use data)
  • Research data involving Import/Export Controlled Goods[3]
  • Technical information that could be used to compromise critical systems or facilities
  • Payment card information[4]

 

Negative impacts of a data breach

  • Research participants would be severely harmed (includes emotional, psychological, physical, social, or financial harm)
  • Severe reputational, financial, or legal risk to researchers, McGill, and/or affiliates
  • Loss of major research funding
  • Loss of research competitiveness in a McGill priority research area
  • Severe negative impact on critical research services (e.g., core research facilities, national or international science gateways, or research platforms)
  • Severe negative impact on economic or government sector (e.g., industry disruption or foreign relations)

Notes

[1] Provincial laws such as Bill 64 - 2021 Chapitre 25 - P-39.1; European regulations such as GDPR, etc.

[2] Classified information

[3] Import/Export Controlled Goods

[4] McGill IT systems used by the community do not meet the compliance requirements for storing Payment card information. This type of information should in no case be stored by research projects.

High sensitivity

Description: The unauthorized disclosure, alteration, unavailability, or destruction of the research data could cause major harm to the research participants, McGill University, and/or its affiliates. Most of the data at this level of sensitivity are regulated by laws[5].


Research data examples

  • Identifiable personal information (e.g., names, ID numbers, home addresses) regulated by laws
  • Research data containing confidential or private information that may require stronger security measures per regulations, contractual, ethical, and/or cultural obligations
  • Research data associated with Intellectual Property or patent applications
  • Research data that are not reproducible or would take significant effort or cost to reproduce
  • Research data that have potential to be used for committing identity theft, fraud, or phishing
  • Research data that are protected under third-party agreements, licenses, and/or other contractual frameworks (e.g., Protected Information[6])
  • Research data with de-identified or anonymized information on human participants that contain indirect identifiers[7] that could facilitate re-identification
  • Video/audio recordings of interviews and focus groups

 

Negative impacts of a data breach

  • Research participants would likely be harmed (includes emotional, psychological, physical, social, or financial harm)
  • Significant reputational, financial, or legal risk to researchers, McGill, and/or affiliates
  • Significant negative impact on research (e.g., loss of Intellectual Property, loss of funding, loss of commercial partnership, or significant disruption on research programs)

Notes

[5] Provincial laws such as Bill 64 - 2021 Chapitre 25 - P-39.1; European regulations such as GDPR, etc.

[6] Protected information

[7] Indirect identifiers refer to information that can reasonably be expected to identify an individual through a combination of such information (e.g., date of birth, ethnicity, place of residence, or unique personal characteristic). (Based on TCPS 2 (2022), Chapter 5)

Moderate sensitivity

Description: The unauthorized disclosure, alteration, unavailability, or destruction of the research data could cause a moderate level of harm to research participants, McGill University, and/or its affiliates.


Research data examples

  • Research data that have been de-identified and have a low risk of re-identification
  • Data with non-open licenses (e.g., CC-BY-ND, CC-BY-NC[8], etc.)
  • Most unpublished research manuscripts
  • Most unpublished data with no human/animal ethics considerations
  • Embargoed published research articles

 

Negative impacts of a data breach

  • Research participants are not likely to be harmed
  • Limited reputational, financial, or legal risk to researchers, McGill, and/or affiliates
  • Limited negative impact on research (e.g., moderate disruption on research programs, loss of publication priority)

Notes

[8] Information about CC licenses available from Creative Commons

Low sensitivity

Description: The unauthorized disclosure, alteration, unavailability, or destruction of the research data is very unlikely to cause any harm to research participants, McGill University, and/or its affiliates.


Research data examples

  • Published research data licensed for reuse
  • Published research articles/reports licensed for reuse
  • Most data collected anonymously on human participants (e.g., anonymous surveys) that are not identifiable given reasonable efforts and when the risk of harm is minimal
  • Openly licensed data available for broad and general use (e.g., data licensed under CC-0 or CC-BY[9])
  • Published open-source software code licensed for reuse

 

Negative impacts of a data breach

  • Minimal impact on research participants, McGill University, and/or affiliates

Notes

[9] Information about CC licenses available from Creative Commons


Cybersecurity resources

McGill University

McGill ITS has extensive cybersecurity tools and resources for researchers, students, and university staff. A good place to start is the McGill Secure your Journey page. The McGill Cloud Directive page will help you understand the different types of research data and how to perform due diligence before sending data to external tools and services, in order to ensure our data is safe and to respect laws and regulations. As Data Trustees for research data, researchers are responsible for assessing cloud solutions for compliance and risks. If you need assistance to perform this due diligence, please consult the How-to section of the Cloud Directive pages or contact us at drs [at] mcgill.ca (subject: Cloud Service Assessment).

Government of Canada

Research organizations are increasingly targeted by espionage and foreign interference activities. The Canadian government is actively developing strategies for safeguarding research assets and monitoring how this is done in the rest of the world. More information can be found below:

CANARIE

CANARIE, Canada's National Research and Education Network, leads a national Cybersecurity Initiative Program which funds initiatives that will strengthen the whole sector through their regional partners.
