We operate one of the most secure data centres in Canada, exceeding all relevant legal, ethical, recommended best practice, and legislative guidelines for data protection and privacy.
Ensuring robust data protection and security is critical to our success and concern for the confidentiality and security of data is embedded into every aspect of business, from the physical environment to new employee training and beyond.
Why trust us with your data?
We have been operating successfully for over 20 years and are trusted by many data providers including federal and provincial government.
A full suite of tried-and-tested security and privacy policies and procedures clearly define our operations.
The UBC Office of University Counsel, the BC Office of the Chief Information Officer and the BC Office of the Information and Privacy Commissioner have reviewed our policies and procedures.
We have successfully completed external audits from the BC Ministry of Health, Grant Thornton and Deloitte.
What are the data storage options for data providers?
Partnering with Population Data BC (PopData) to make your data available for research does not necessarily require that you store your data with us. Options include:
- The data provider maintains data and pulls extracts to fulfill approved projects - PopData coordinates and manages data requests
- The data provider has technical systems allowing PopData to pull extracts to fulfill approved projects - PopData coordinates and manages data requests
- Data are housed and managed by PopData and are extracted to fulfill approved projects - PopData coordinates and manages data requests
How are data protected?
Physical measures
Population Data BC’s secure data facility is a multi-zone environment, with the server room (“Purple Zone”) embedded in a high security area (“Red Zone”) embedded in a medium security area (“Yellow Zone.”)
Elements of the physical security include:
- Special reinforcement in the walls which extend through the false ceiling to the concrete pad above
- High security, reinforced, non-fishable doors
- Alarm system (for non-business hours) with motion activation and door tampering sensors
- Physical entry limited only to those with approved access, controlled by a fob
- All fob accesses are logged
- Video surveillance at the entrance / exit of Red and Purple Zones
- “Red Zone” networked computers, those that have access to data including Personal Information, whether Identifiers or Content Data, have no hard drive or other storage devices
Technical measures
Our information security measures are fully compliant with recognised ISO/IEC 27002 requirements. Network controls include:
- Firewall protection
- Access to Red Zone network, which holds the data, requires dual-factor authentication and is restricted to named personnel
- All access is logged and audited
- Content data and identifying data are stored separately in encrypted logical areas
- Red Zone networks are logically moated and have not direct connection to outside networks
- All stored data, including Personal Information are encrypted
Procedural measures
- Only named researchers have access to data
- Everyone on the research team signs a confidentiality pledge
- Data can only be used for the requested purpose
- Privacy training for researchers is mandatory
- Pre-publication transcripts are reviewed by data providers
- Data extracts are destroyed upon project closure