Guiding Principles
to follow throughout the data life cycle
1. PREPARE, PLAN & COMPLY
When: Planning & Approval (and continuously thereafter)
Establish a data management plan with a data lifecycle approach for responsibly using, storing, publishing, sharing, archiving or discarding PII. Ensure it identifies the privacy protection measures to be applied (or justifies the lack thereof) and complies with all legal, regulatory, institutional and contractual requirements that may apply.
2. MINIMIZE PII
When: Planning & Approval | Collection
Only collect or use PII if it is absolutely necessary to advance the legitimate scientific interest of the research project. You can maximize the participant’s privacy and minimize your compliance burden by limiting the PII you collect or not collecting PII in the first place.
3. DE-IDENTIFY DATA
When: Planning & Approval | Collection
De-identify data to anonymize by default; otherwise, further minimize PII.
To maximize privacy protection, anonymize/de-identify datasets by default. If removing PII will significantly impair the data’s analytic potential, scientific utility or benefit to the participant, minimize and protect privacy to the extent necessary to achieve the project’s legitimate scientific interests.
4. BEHAVE ETHICALLY
When: Planning & Approval | Collection
Behave ethically and do no harm
Prioritize the safety of research participants and their communities above all other concerns, irrespective of your immediate compliance requirements. Ensure the benefits of the project clearly outweigh foreseeable risks and strengthen privacy protection where needed to mitigate credible risk of harm.
5. BE TRANSPARENT
When: Collection | Storage
Be transparent and obtain informed consent
Ensure informed consent with full disclosure of the scientific purpose(s) for which the PII is being collected, the scope of use (how it will be used, protected and transmitted) in the research project as well as subsequently by you and by others, and any risks to the participant or their community.
6. BE CONFIDENTIAL
When: Storage | Reuse and Transfer
Handle PII confidentially, including for transfer/access by third parties
Ensure appropriate IT & security capabilities are in place for handling PII so as to protect the confidentiality and privacy of participants. If removing PII will significantly impair the data’s analytic potential, scientific utility or benefit to the participant, transfer or provide access on a restricted basis subject to appropriate legal and/or technological controls. Rely on pro-privacy analytical tools whenever feasible.
7. USE PII FAIRLY
When: Storage | Use and Transfer
Use PII fairly and in accordance with the participant’s consent
Check to ensure your use of the data is compatible with the purpose specification and scope consented to by the research participant, including any limitations or authorizations they may have specified or should reasonably expect regarding the use of their PII.
8. PUBLIC VS PRIVATE
When: Publishing and discovery
Public-use datasets containing PII are the exception
As a general rule, public datasets should be anonymized to maximize privacy and minimize risk. PII should be included only if absolutely necessary to preserve the data’s analytic potential, scientific utility or benefit to the participant, subject to prior informed consent and rigorous risk assessment.
9. ARCHIVE OR DELETE PII
When: Archiving / Discarding
Keep PII for the minimum possible time, and destroy it when no longer necessary or archive it if necessary to advance the project’s legitimate scientific interests.
10. REVIEW REGULARLY
When: Continuously
Periodically review the compliance landscape and seek expert support
Privacy protection and ethical research standards are evolving fast to keep up with the rapid pace of technological change driven by Big Data. Periodically review institutional and other compliance requirements and don’t be shy in seeking support from subject matter experts at your institution. The Big Data Platform may also be able to connect you with knowledge resources or experts to help address any challenges you are facing.