We have been operating successfully for over 20 years and are trusted by many data providers, including federal and provincial government.
We operate one of the most secure data centres in Canada, meeting and exceeding all relevant legal, ethical, recommended best practice, and regulatory or legislative guidelines for data protection and privacy. A full suite of tried-and-tested security and privacy policies and procedures clearly define our operations.
The UBC Office of University Counsel, the BC Office of the Chief Information Officer and the BC Office of the Information and Privacy Commissioner have reviewed our policies and procedures. We have successfully completed external audits from the BC Ministry of Health, Grant Thornton and Deloitte.
How are data protected?
Physical measures
Population Data BC’s secure data facility is a multi-zone environment, with the server room (“Purple Zone”) embedded in a high security area (“Red Zone”) embedded in a medium security area (“Yellow Zone.”)
Elements of the physical security include:
- Special reinforcement in the walls which extend through the false ceiling to the concrete pad above
- High security, reinforced, non-fishable doors
- Alarm system (for non-business hours) with motion activation and door tampering sensors
- Physical entry limited only to those with approved access, controlled by a fob
- All fob accesses are logged
- Video surveillance at the entrance / exit of Red and Purple Zones
- “Red Zone” networked computers, those that have access to data including Personal Information, whether Identifiers or Content Data, have no hard drive or other storage devices
Technical measures
Our information security measures are fully compliant with recognised ISO/IEC 27002 requirements. Network controls include:
- Firewall protection
- Access to Red Zone network, which holds the data, requires dual-factor authentication and is restricted to named personnel
- All access is logged and audited
- Content data and identifying data are stored separately in encrypted logical areas
- Red Zone networks are logically moated and have not direct connection to outside networks
- All stored data, including Personal Information are encrypted
Procedural measures
- Only named researchers have access to data
- Everyone on the research team signs a confidentiality pledge
- Data can only be used for the requested purpose
- Privacy training for researchers is mandatory
- Pre-publication transcripts are reviewed by data providers
- Data extracts are destroyed upon project closure