Research Data Management Guide: Confidential Information

How should confidential information be protected?

Data management must be done in accordance with the Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans – TCPS 2 (2022). The Statement provides guidance with regard to aspects of research data management that involve humans, such as consent, privacy, and confidentiality; Indigenous rights; use of secondary data; and data linkage.

Any identifiable information—including a combination of information—about a person, or information that could allow a person to be identified, must be treated as confidential and may not be disclosed without the person's consent. In addition, information that is sensitive for security, commercial, or strategic reasons may be declared confidential. Ideally, such information should not be stored in the cloud!

Key Protection Components

Designing a participant consent form
  • Obtain participants’ consent for the collection and storage of confidential information about them or disclosed by them that is necessary to carry out the research (specifying the elements involved).
  • Allow for the use of confidential information by project researchers once they have provided a signed commitment not to disclose said information and to take all necessary measures to protect it.
  • Specify how long confidential information is to be preserved, the protection measures, the measures to be taken in the event of a data breach, and the limits of liability.
Anonymization and access control procedures
  • Implement anonymization and access control procedures to protect confidential information.
Controlling access to confidential information
  • Protect confidential information by restricting access to trusted personnel and giving them access only to the sections they need for their work.
Confidentiality
  • Obtain a commitment from each person with access to confidential information not to divulge it, to take all necessary measures to protect it, and to notify the project manager immediately if a breach occurs.