Principle 7: Safeguards


Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Population Data BC has established a high level of physical, technical, and organizational security for all Data in its custody, meeting or exceeding the widely recognized ISO 27002 requirements for information security. In September 2009, an external third-party consultant was engaged to conduct a systems and security review of Population Data BC's information security practices and confirmed its security strengths and safeguards against the ISO 27002 requirements.

While Population Data BC differentiates between Data that include personally identifying information or potentially personally identifying information (i.e. Identifiers) and Data that do not (i.e. Content Data), all Data are considered highly sensitive and are protected with safeguards appropriate to that sensitivity.


Policies

Related Procedures

Policy 7.1

Population Data BC will utilize stringent physical safeguards to protect against loss, theft, unauthorized access, disclosure, copying, use, or modification of Data.


Procedure 7.1

Population Data BC maintains a secure physical area with several layers of physical protection, including locked and alarmed premises, monitored electronic access to high security zones, video surveillance at entrances to high security zones, and a separately locked and alarmed server room within a high security zone.

Policy 7.2

Population Data BC will utilize stringent technological safeguards to protect against loss, theft, unauthorized access, disclosure, copying, use, or modification of Data.

Procedure 7.2

  1. Population Data BC protects all Data in a manner that is consistent with evolving best practices for managing sensitive Data.

  2. Population Data BC's Red Zone network is logically moated: there is no direct connection from the Red Zone network to any other network. No Data are able to enter or leave the Red Zone without a two-step authentication process and an audit trail.

  3. Access to Population Data BC facilities, systems, and networks is logged electronically. Logs are monitored on a regular basis for intrusion detection and for attempts at unauthorized use.

  4. Access to Data requires two-factor authentication and is granted only to specially authorised personnel on a "need to know" basis.

  5. Data are stored on an isolated computer network at Population Data BC, protected by firewalls. Data are stored in encrypted logical areas and accessed only by authorised programmers. Authorised access to Content Data and Identifier Data is logged and monitored.

  6. All information and Data are backed up on secure servers and encrypted media, protected by locks and alarms within a high security zone. Encrypted backup media are also stored in a secure off-site location, as per internal policies and procedures.

Policy 7.3

Population Data BC will utilize stringent organizational safeguards to protect against loss, theft, unauthorized access, disclosure, copying, use or modification of Data.

Procedure 7.3

  1. All Population Data BC personnel must undergo privacy and information security training, annually and upon being newly hired.

  2. Researchers must undergo privacy training prior to gaining access to a Research Extract.

  3. All Population Data BC personnel and Researchers must sign confidentiality agreements.

  4. Population Data BC personnel have access to Data and to secured zones only on an "as needed" basis. Only the Systems and Security Manager and a small number of specially trained programmers involved in Data linkage are authorised to handle the Data.

  5. Access to all Population Data BC systems leaves an audit trail, which is monitored on a regular basis.

  6. Researchers wishing to access Data must sign a Research Agreement binding them to conditions governing use of the Data, security arrangements, assurances regarding disclosure, and requirements to return/destroy any copies of the Data.  

  7. To deter loss, theft, copying, and unauthorised access, Researchers will typically be required to access Research Extracts on Population Data BC's Secure Research Environment (SRE). On a case-by-case basis, and only as approved by the Data Steward(s), Researchers may instead be provided with the Research Extract in encrypted form on discs. In this scenario, the Data Steward(s) may require the Researcher(s) to apply Data protection measures similar to those provided by the SRE.

  8. If Population Data BC suspects a breach of the Research Agreement, Population Data BC will investigate and notify the relevant Data Steward(s).

Policy 7.4

Population Data BC enforces stringent safeguards for the transfer of Data, from both Data Stewards into Population Data BC’s secured facilities, and from Population Data BC to Researchers for approved research projects.

Procedure 7.4

  1. All Data transfers to Population Data BC will be via encrypted secure file transmission in accordance with relevant information security procedures.

  2. Researcher access to Research Extracts will be via the SRE, with limited exceptions. On a case-by-case basis, and only as approved by the Data Steward(s), Researchers may instead be provided with the Research Extract in encrypted form on discs. In this scenario, the Data Steward(s) may require the Researcher(s) to apply Data protection measures similar to those provided by the SRE.


Page last revised: November 3, 2014