Research Data Management

UWinnipeg's Info Security Policy & Procedures

What is the risk level of my research data?

Generally speaking, the risk level of your data relates to the sensitivity of your data. The following data classifications have been adapted from UWinnipeg's Information Security Policy and Procedures, for the purposes of this guide. The bolded sections below reflect adaptations to the policy and procedures, for the purpose of clarity for the UW research community, and have been reviewed by UWinnipeg's Executive Director, IT Planning and Governance.

From the policy: "...As the University is committed to safeguarding to a high degree the University, the University Community, and third parties against harm, the academic research data of University employees, post-doctoral fellows, visiting scholars, interns, and students is University Data for the purposes of this Policy."

Public: University Data that is freely disclosed to the public or would cause no harm if so disclosed. For example:

Research University Data made available to the public.

Internal: University Data that is not protected by law, agreement, or industry regulation, but may cause minor harm to the University or others if disclosed indiscriminately or beyond a need-to-know basis. For example:

University Data intended for the sole use of the University, e.g.:
- budget and accounting figures;
- office procedures and manuals;
- building plans;
- work cell phone numbers;
employee-specific email addresses, e.g., j.doe@uwinnipeg.ca; and

Sensitive: University Data that must be protected by law, agreement, research protocol, or industry regulation; exposes non-public details of a University system; or may cause moderate harm to the University or others if disclosed to unauthorized individuals. For example:

Anonymous, anonymized, or coded human research data that is deemed sensitive (as defined above);
Personal information that is not classified as Highly Sensitive, such as contact information (ex. name, phone number, and email) of research participants;
Research documents intended for use by only the Principal Investor or research team (ex. signed consent forms).

Highly Sensitive: University Data that must receive a high degree of protection by law, agreement, research protocol, or industry regulation; exposes non-public details of a critical University system; or may cause considerable harm to the University or others if disclosed to unauthorized individuals. For example:

Highly sensitive personal information, e.g.: Personal Health Information, accessibility and counselling information, social insurance number, biometric identifies including finder and voice prints and full-face images, race or ethnic origin, political or religious beliefs or membership, genetic information, sexual orientation or sex life, criminal records checks;
Research University Data is that Highly Sensitive (as defined above).

For questions about the Policy, or questions about the risk level of your data, you can reach out to the Information Security Working Group (ISWG) at ISWG@uwinnipeg.ca or UWinnipeg's Research Data Management Librarian.

How do I securely handle my research data?

How do I securely handle (access, storage, share and delete) my research data?

UWinnipeg's Information Security Procedures outline the following security handing requirements:

Public	Any existing controls to govern access and integrity remain in place; No policy requirements for access, transmission, storage, or destruction; and Use standard operating system utilities to delete files.
Internal	Access: need-to-know basis and revoked when leaving the unit; Storage: storage on a University approved network *[attached service] (ex. Research Storage) or cloud storage system (ex. M365 OneDrive or Teams); for paper records, secure in a locked room or cabinet; Transmission: no requirements when transmitted over a secure network (encrypted & password-protected); encryption recommended over unsecure networks (unsecure networks are networks that are not encrypted or password-protected);** for paper records, protect against incidental reading; and Destruction: delete using an approved deletion program; and o shred.
Sensitive	Access: need-to-know basis and revoked when leaving the unit; Storage: storage on secure network [attached service] required *(ex. OneDrive, Teams, Research Storage); encryption required; for paper records, secure in a locked room or cabinet; Transmission: encryption recommended over secure networks; encryption required over public networks (ex. a public WiFi connection, even if password protected);** for paper records, send in sealed envelope with “confidential” label; and Destruction: delete using an approved deletion program; and shred.
Highly Sensitive	Access: must be approved by the Responsible Administrator; limited to specific named users or positions; need-to-know / least privilege basis; revoked immediately when leaving the unit; Storage: controlled access system required (password protected file or file system); secure network [attached service] required *(ex. M365 OneDrive, Teams or Research Storage); encryption required; for paper records, double locking required (e.g., locked room and locked cabinet); clean desk policy required; Transmission: encryption required over secure networks; encryption required over public networks (ex. a public WiFi connection, even if password protected);** for paper records, send in sealed envelope with “confidential” label; trackable mail/courier recommended; and Destruction: delete using an approved deletion program; and shred.

*UWinnipeg's Research Storage is a research data storage service offered by UWinnpeg's Tech Sector. This service is available to all UWinnipeg researchers. The frontend of this service is NextCloud. For questions, contact UWinnipeg's Tech Sector via MyServiceDesk. Select Service Request -> Research -> Research Storage on the form.

Last Updated: Nov 27, 2025 12:48 PM
URL: https://libguides.uwinnipeg.ca/rdm
Print Page

Subjects: Data