Introduction
McMaster community members require access to information to fulfill their roles and responsibilities within the community. Some information may be high value or sensitive, including personally identifiable information, personal health information, and intellectual property.
It is the responsibility of all members of the McMaster community to exercise appropriate care and discretion when accessing digital information, and to protect the information they access, use, or store. Failure to store information securely may lead to unauthorized access to personally identifiable information, disclosure of intellectual property, unauthorized disclosure of McMaster University information, reputational damage and monetary loss.
The guidelines in this document outline the storage options available and recommended for the secure storage of high value and sensitive information, and provide storage alternatives to mitigate risks related to the protection of personal privacy, intellectual property and copyrighted materials, as well as safeguarding the reputation of the University. These guidelines apply to any information stored by McMaster community members on behalf of the University.
When deciding where to store information, consider the following questions:
- What is the value or sensitivity of the information? Does the information contain personally identifiable data, personal health information, or intellectual property?
- What is the status of the information? Is this a draft, a final document, or somewhere in between?
- Who needs to access the information? Are collaborators internal or external? Do they need to edit the information, or just view it?
- Is the information encrypted? Should it be?
The following outlines various information types, including examples, acceptable storage options and additional considerations.
Storing Unrestricted Data
The following are examples, acceptable storage options, and considerations to keep in mind when storing unrestricted data.
Examples
Teaching and Learning
– General course/program information that does not contain any information about students, etc.
Research
– Research data that does not contain any sensitive or personally identifiable information (if in doubt, assume that data is sensitive)
– Non-sensitive research documentation and forms (e.g., blank consent forms and information sheets)
Administration
– Brochures, News releases
– Marketing material
– Staff/faculty business contact info
– Policies
Acceptable Storage Options
– Local hard drive (e.g., C: drive, “My Documents”)
– Removable storage media (e.g., USB drives, portable hard drives, etc.)
– University provided on-premises file sharing and storage (e.g., UTS hosted shared network drives)
– Department provided on-premises file sharing and storage (e.g., department shared network drives)
– University provided on-premises cloud-based storage (e.g., MacDrive, MacDrop, MCloud, Dataverse)
– University provided off-premises cloud-based storage (e.g., Office 365, including OneDrive, Teams and SharePoint)
– Department provided off-premises cloud-based storage (e.g., Dropbox for Business)
– University applications for student, financial, and human resources information (e.g., Mosaic)
Additional Considerations
– No special handling required.
– Official versions of course documents such as course outlines should be posted on provided University applications such as Avenue to Learn.
– Research data should be stored according to protocols approved by the appropriate Research Ethics Board
– Information intended for public consumption and posted to a public forum (e.g., website) must conform to University Brand Policies and Visual Identity guidelines
– Use of personal off-premises cloud-based storage (e.g., Google Drive, Dropbox, etc.) is discouraged
Storing Internal Data
The following are examples, acceptable storage options, and considerations to keep in mind when storing internal data.
Examples
Teaching and Learning
– Routine correspondence
Research
– Research proposals
Administration
– Routine correspondence
– Employee newsletters
– Inter-office memoranda
– Internal policies and procedures
– Purchasing information
– Purchasing requisition
Acceptable Storage Options
– Local hard drive (e.g., C: drive, “My Documents”)
– Removable storage media (e.g., USB drives, portable hard drives, etc.)
– University provided on-premises file sharing and storage (e.g., UTS hosted shared network drives)
– Department provided on-premises file sharing and storage (e.g., department shared network drives)
– University provided on-premises cloud-based storage (e.g., MacDrive, MacDrop, MCloud, Dataverse)
– University provided off-premises cloud-based storage (e.g., Office 365, including OneDrive, Teams and SharePoint)
– Department provided off-premises cloud-based storage (e.g., Dropbox for Business)
– University applications for student, financial, and human resources information (e.g., Mosaic)
Additional Considerations
– Reasonable precautions to prevent access by non-authorized persons.
– Encryption is encouraged but not required.
– Use of personal cloud storage (e.g., Google Drive, Dropbox, etc.) is strictly prohibited
Storing Confidential Data
The following are examples, acceptable storage options, and considerations to keep in mind when storing confidential data.
Examples
Teaching and Learning
– Elements of the Student Record (e.g., offer letters, transcripts, etc.)
– Exams
Research
– Research data that may or does contain sensitive or identifiable information (e.g., human participant data)
– Sensitive research-related documentation (e.g., signed consent forms)
– Intellectual property (e.g., patents)
Administration
– Personally identifiable information (PII)
– Credit card information (PCI)
– Financial documents
– Human Resource records (e.g., faculty and staff employment record)
– Tax forms and T4 slips
– Passwords
– Vendor Contracts
Acceptable Storage Options
– Local hard drive (e.g., C: drive, “My Documents”)
– University provided on-premises file sharing and storage (e.g., UTS hosted shared network drives)
– Department provided on-premises file sharing and storage (e.g., department shared network drives)
– University provided on-premises cloud-based storage (e.g., MacDrive, MacDrop, MCloud, Dataverse)
– University provided off-premises cloud-based storage (e.g., Office 365, including OneDrive, Teams and SharePoint)
– University applications for student, financial, and human resources information (e.g., Mosaic)
Additional Considerations
– Access to confidential information must be restricted to authorized individuals only.
– Encryption is strongly recommended and should be used wherever technically possible.
– Research data is subject to the TCPS2 which states “identifiable data obtained through research that is kept on a computer and connected to the Internet should be encrypted.”
– Use of removable storage media (e.g., USB drives, portable hard drives, etc.) with encryption is discouraged, and without encryption is strictly prohibited.
– Use of Department provided off-premises cloud-based storage (e.g., Dropbox for Business) is discouraged
Storing Restricted Data
The following are examples, acceptable storage options, and considerations to keep in mind when storing restricted data.
Examples
Research
– Research data that contains restricted or highly sensitive information
Administration
– Personal Health Information (PHI)
– Critically sensitive information
– Strategic organizational plans and/or financial information
– Sensitive meeting minutes
Acceptable Storage Options
– Local hard drive (e.g., C: drive, “My Documents”)
– University provided on-premises file sharing and storage (e.g., UTS hosted shared network drives)
– Department provided on-premises file sharing and storage (e.g., department shared network drives)
– University applications for student, financial, and human resources information (e.g., Mosaic)
Additional Considerations
– Cloud-based storage solutions, including University provided on-premises cloud-based storage solutions, are not appropriate locations to store restricted information.
– Must never be stored in any unsanctioned storage location.
– Use of removable storage media (e.g., USB drives, portable hard drives, etc.) is strictly prohibited.
– Use of University provided off-premises cloud-based storage (e.g., Office 365, including OneDrive, Teams and SharePoint) is strictly prohibited.
– Use of Department provided off-premises cloud-based storage (e.g., Dropbox for Business) is strictly prohibited
Storage Guidelines for Recommended Use
Storage Device Security
Access to any storage device (e.g., computer, phone, etc.) must be password protected and, if working with Confidential or Restricted information, the device must also be encrypted.
Removable storage devices (e.g., USB drives, portable hard drives, etc.) can be easily lost or stolen. Use of portable storage media to store University information that is not otherwise publicly available is discouraged. University sanctioned cloud storage, such as MacDrive, is recommended for collaboration and transportation/syncing between devices.
If removable media must be used, please follow the guidelines above. Avoid storing confidential information on mobile devices. When disposing of equipment that may have been used to store any University related information, the equipment must be cleaned appropriately, with all information deleted using appropriate tools.
Final Documents
Final versions of University documents such as policies, procedures, contracts, etc. should be moved to a sanctioned University hosted network share if they need to be kept long term.