ÃÛÌÒ´«Ã½app

Research Drop-in on Cybersecurity

Sensitive research data classification tool

The goal of the McGill research data sensitivity classification tool is to help McGill researchers to identify, understand, and better manage research data in ways that are consistent with laws, disciplinary norms, and funder and institutional policies. This classification must always be used in conjunction with all additional compliance requirements applicable (e.g., Research Ethics Board requirements, contracts, agreements, applicable laws, ethical conduct, etc.).

All members of the university community are required to:

  • comply with all applicable obligations in their research context;
  • use sensitive human participant data only for the purposes for which they are collected;
  • respect any restrictions for their use, and;
  • collect, store, and dispose of data in ways appropriate to minimize the risk of unintended disclosure or compromised data integrity.

There are four levels in this data sensitivity classification. For descriptions and examples of each level of data sensitivity, please use the tabs on the left.

If you have questions about this tool or require support in determining the sensitivity of or safeguarding your research data, please reach out to the DRS team at drs [at] mcgill.ca.

Ìý

Cloud Directive

When (web-based software where data is sent outside of McGill's network), the proper level of data sensitivity must be determined. Data with different levels of sensitivity can co-exist within the same research project. To evaluate the appropriateness of a Cloud service, researchers must determine the highest sensitivity level of the data that will be sent, stored, processed, or managed on this Cloud service.

Very high sensitivity

Description: The unauthorized disclosure, alteration, unavailability, or destruction of the research data could cause critical harm to the research participants, McGill University, and/or its affiliates. Most of the data at this level of sensitivity are regulated by laws[1].

Security requirements: Very high

Data access and use: Restricted to authorized individuals/roles only


Research data examples

  • Highly sensitive personal information that may bring severe harm and risk to research participants (e.g., criminal records, domestic violence, political dissidents, immigration, etc.)
  • Personal Health Information regulated by laws (e.g., medical health records)
  • Research data that have implications for national security and interests (e.g., Classified Information[2], dual-use data)
  • Research data involving Import/Export Controlled Goods[3]
  • Technical information that could be used to compromise critical systems or facilities
  • Payment card information[4]

Ìý

Negative impacts of a data breach

  • Research participants would be severely harmed (includes emotional, psychological, physical, social, or financial harm)
  • Severe reputational, financial, or legal risk to researchers, McGill, and/or affiliates
  • Loss of major research funding
  • Loss of research competitiveness in a McGill priority research area
  • Severe negative impact on critical research services (e.g., core research facilities, national or international science gateways, or research platforms)
  • Severe negative impact on economic or government sector (e.g., industry disruption or foreign relations)

Notes

[1] Provincial laws such as Bill 64 - 2021 Chapitre 25 - P-39.1; European regulations such as GDPR, etc.

[2] Classified information

[3] Impact/Export Controlled Goods

[4] McGill IT systems used by the community do not meet the compliance requirements for storing Payment card information. This type of information should in no case be stored by research projects.

High sensitivity

Description: The unauthorized disclosure, alteration, unavailability, or destruction of the research data could cause major harm to the research participants, McGill University, and/or its affiliates. Most of the data at this level of sensitivity are regulated by laws[5].

Security requirements: High

Data access and use: Restricted to authorized individuals/roles only


Research data examples

  • Identifiable personal information (e.g., names, ID numbers, home addresses) regulated by laws
  • Research data containing confidential or private information that may require stronger security measures per regulations, contractual, ethical, and/or cultural obligations
  • Research data associated with Intellectual Property or patent applications
  • Research data that are not reproducible or would take significant effort or cost to reproduce
  • Research data that have potential to be used for committing identity theft, fraud, or phishing
  • Research data that are protected under third-party agreements, licenses, and/or other contractual frameworks (e.g., Protected Information[6])
  • Research data with de-identified or anonymized information on human participants that contain indirect identifiers[7] that could facilitate re-identification
  • Video/audio recordings of interviews and focus groups
  • Grants and ethics applications

Ìý

Negative impacts of a data breach

  • Research participants would likely be harmed (includes emotional, psychological, physical, social, or financial harm)
  • Significant reputational, financial, or legal risk to researchers, McGill, and/or affiliates
  • Significant negative impact on research (e.g., loss of Intellectual Property, loss of funding, loss of commercial partnership, or significant disruption on research programs)

Notes

[5] Provincial laws such as Bill 64 - 2021 Chapitre 25 - P-39.1; European regulations such as GDPR, etc.

[6] Protected information

[7] Indirect identifiers refer to information that can reasonably be expected to identify an individual through a combination of such information (e.g., date of birth, ethnicity, place of residence, or unique personal characteristic). (Based on )

Moderate sensitivity

Description: The unauthorized disclosure, alteration, unavailability, or destruction of the research data could cause a moderate level of harm to research participants, McGill University, and/or its affiliates.

Security requirements: Moderate

Data access and use: Restricted to individuals who meet specific access and use criteria


Research data examples

  • Research data that have been de-identified and have a low risk of re-identification
  • Identifiable information where there is no expectation of privacy or confidentiality (e.g., oral histories), but there may be expectations regarding use of data (i.e., it cannot be remixed, reused, transformed)
  • Data with non-open licenses (e.g., CC-BY-ND, CC-BY-NC[8], etc.)
  • Most unpublished research manuscripts
  • Most unpublished data with no human/animal ethics considerations
  • Embargoed published research articles

Ìý

Negative impacts of a data breach

  • Research participants are not likely to be harmed
  • Limited reputational, financial, or legal risk to researchers, McGill, and/or affiliates
  • Limited negative impact on research (e.g., moderate disruption on research programs, loss of publication priority)

Notes

[8] Information about CC licenses available from

Low sensitivity

Description: The unauthorized disclosure, alteration, unavailability, or destruction of the research data is very unlikely to cause any harm to research participants, McGill University, and/or its affiliates.

Security requirements: Moderate

Data access and use: No restrictions for access; potential restrictions for use


Research data examples

  • Identifiable information that is public
  • Identifiable information where the release of this information has no potential risk for constituting an unwarranted invasion of privacy and the individual has consented to open licensing of information (i.e., it can be remixed, reused, transformed)
  • Published research data licensed for reuse
  • Published research articles/reports licensed for reuse
  • Most data collected anonymously from human participants (e.g., anonymous surveys) that are not identifiable given reasonable efforts and when the risk of harm is minimal
  • Openly licensed data available for broad and general use (e.g., data licensed under CC-0 or CC-BY[9])
  • Published open-source software code licensed for reuse

Ìý

Negative impacts of a data breach

  • Minimal impact on research participants, McGill University, and/or affiliates

Notes

[9] Information about CC licenses available from

Back to top