Sensitive research data classification tool
The goal of the 平特五不中 research data sensitivity classification tool is to help 平特五不中 researchers to identify, understand, and better manage research data in ways that are consistent with laws, disciplinary norms, and funder and institutional policies. This classification must always be used in conjunction with all additional compliance requirements applicable (e.g., Research Ethics Board requirements, contracts, agreements, applicable laws, ethical conduct, etc.).
All members of the university community are required to:
- comply with all applicable obligations in their research context;
- use sensitive human participant data only for the purposes for which they are collected;
- respect any restrictions for their use, and;
- collect, store, and dispose of data in ways appropriate to minimize the risk of unintended disclosure or compromised data integrity.
There are four levels in this data sensitivity classification. For descriptions and examples of each level of data sensitivity, please use the tabs on the left.
If you have questions about this tool or require support in determining the sensitivity of or safeguarding your research data, please reach out to the DRS team at drs [at] mcgill.ca.
听
Cloud Directive
When (web-based software where data is sent outside of 平特五不中's network), the proper level of data sensitivity must be determined. Data with different levels of sensitivity can co-exist within the same research project. To evaluate the appropriateness of a Cloud service, researchers must determine the highest sensitivity level of the data that will be sent, stored, processed, or managed on this Cloud service.
Very high sensitivity
Description: The unauthorized disclosure, alteration, unavailability, or destruction of the research data could cause critical harm to the research participants, 平特五不中, and/or its affiliates. Most of the data at this level of sensitivity are regulated by laws[1].
Security requirements: Very high
Data access and use: Restricted to authorized individuals/roles only
Research data examples
- Highly sensitive personal information that may bring severe harm and risk to research participants (e.g., criminal records, domestic violence, political dissidents, immigration, etc.)
- Personal Health Information regulated by laws (e.g., medical health records)
- Research data that have implications for national security and interests (e.g., Classified Information[2], dual-use data)
- Research data involving Import/Export Controlled Goods[3]
- Technical information that could be used to compromise critical systems or facilities
- Payment card information[4]
听
Negative impacts of a data breach
- Research participants would be severely harmed (includes emotional, psychological, physical, social, or financial harm)
- Severe reputational, financial, or legal risk to researchers, 平特五不中, and/or affiliates
- Loss of major research funding
- Loss of research competitiveness in a 平特五不中 priority research area
- Severe negative impact on critical research services (e.g., core research facilities, national or international science gateways, or research platforms)
- Severe negative impact on economic or government sector (e.g., industry disruption or foreign relations)
Notes
[1] Provincial laws such as Bill 64 - 2021 Chapitre 25 - P-39.1; European regulations such as GDPR, etc.
[3] Impact/Export Controlled Goods
[4] 平特五不中 IT systems used by the community do not meet the compliance requirements for storing Payment card information. This type of information should in no case be stored by research projects.
High sensitivity
Description: The unauthorized disclosure, alteration, unavailability, or destruction of the research data could cause major harm to the research participants, 平特五不中, and/or its affiliates. Most of the data at this level of sensitivity are regulated by laws[5].
Security requirements: High
Data access and use: Restricted to authorized individuals/roles only
Research data examples
- Identifiable personal information (e.g., names, ID numbers, home addresses) regulated by laws
- Research data containing confidential or private information that may require stronger security measures per regulations, contractual, ethical, and/or cultural obligations
- Research data associated with Intellectual Property or patent applications
- Research data that are not reproducible or would take significant effort or cost to reproduce
- Research data that have potential to be used for committing identity theft, fraud, or phishing
- Research data that are protected under third-party agreements, licenses, and/or other contractual frameworks (e.g., Protected Information[6])
- Research data with de-identified or anonymized information on human participants that contain indirect identifiers[7] that could facilitate re-identification
- Video/audio recordings of interviews and focus groups
- Grants and ethics applications
听
Negative impacts of a data breach
- Research participants would likely be harmed (includes emotional, psychological, physical, social, or financial harm)
- Significant reputational, financial, or legal risk to researchers, 平特五不中, and/or affiliates
- Significant negative impact on research (e.g., loss of Intellectual Property, loss of funding, loss of commercial partnership, or significant disruption on research programs)
Notes
[5] Provincial laws such as Bill 64 - 2021 Chapitre 25 - P-39.1; European regulations such as GDPR, etc.
[7] Indirect identifiers refer to information that can reasonably be expected to identify an individual through a combination of such information (e.g., date of birth, ethnicity, place of residence, or unique personal characteristic). (Based on )
Moderate sensitivity
Description: The unauthorized disclosure, alteration, unavailability, or destruction of the research data could cause a moderate level of harm to research participants, 平特五不中, and/or its affiliates.
Security requirements: Moderate
Data access and use: Restricted to individuals who meet specific access and use criteria
Research data examples
- Research data that have been de-identified and have a low risk of re-identification
- Identifiable information where there is no expectation of privacy or confidentiality (e.g., oral histories), but there may be expectations regarding use of data (i.e., it cannot be remixed, reused, transformed)
- Data with non-open licenses (e.g., CC-BY-ND, CC-BY-NC[8], etc.)
- Most unpublished research manuscripts
- Most unpublished data with no human/animal ethics considerations
- Embargoed published research articles
听
Negative impacts of a data breach
- Research participants are not likely to be harmed
- Limited reputational, financial, or legal risk to researchers, 平特五不中, and/or affiliates
- Limited negative impact on research (e.g., moderate disruption on research programs, loss of publication priority)
Notes
[8] Information about CC licenses available from
Low sensitivity
Description: The unauthorized disclosure, alteration, unavailability, or destruction of the research data is very unlikely to cause any harm to research participants, 平特五不中, and/or its affiliates.
Security requirements: Moderate
Data access and use: No restrictions for access; potential restrictions for use
Research data examples
- Identifiable information that is public
- Identifiable information where the release of this information has no potential risk for constituting an unwarranted invasion of privacy and the individual has consented to open licensing of information (i.e., it can be remixed, reused, transformed)
- Published research data licensed for reuse
- Published research articles/reports licensed for reuse
- Most data collected anonymously from human participants (e.g., anonymous surveys) that are not identifiable given reasonable efforts and when the risk of harm is minimal
- Openly licensed data available for broad and general use (e.g., data licensed under CC-0 or CC-BY[9])
- Published open-source software code licensed for reuse
听
Negative impacts of a data breach
- Minimal impact on research participants, 平特五不中, and/or affiliates
Notes
[9] Information about CC licenses available from