When and Why to Encrypt Your Data
In this chapter we will discuss scenarios where data encryption may be beneficial or even necessary.
Lesson Objectives
- Discuss the importance of encryption for secure data management
What is sensitive data?
Sensitive data refers to any information that must be protected from unauthorized access due to ethical, legal, or institutional requirements. This kind of data, if exposed, could lead to harm, identity theft, reputational damage, legal consequences, or breaches of trust.
Examples include:
- Protected Health Information (PHI): Includes any data about an individual’s health, treatment, or health insurance, including medical records, lab results, etc. Under laws like HIPAA (Health Insurance Portability and Accountability Act), PHI must be protected
- Confidential Research Data: Includes unpublished findings, proprietary methodologies, or personally identifiable information (PII) from research participants
- Personally identifiable information (PII): Includes participants’ names, student or employee ID numbers, dates of birth, SIN, etc.
- Confidential or licensed commercial data: includes intellectual property (IP), data under non-disclosure agreements (NDAs), proprietary methods, etc.
- High-risk data: Data where disclosure could result in harm such as reputational damage, professional or personal disruption, financial consequences, physical or psychological harm, and legal liability
- Ecologically sensitive information (e.g., endangered species location)
- Student Records: Academic performance, disciplinary records, and financial information must be kept confidential under laws like FERPA (Family Educational Rights and Privacy Act)
- Financial Information: Banking details, grant disbursement records, or donor information
- Classified government data: Confidential or classified information from a government agency (defence, education, etc.), or data which could pose a security risk
- Dual use (military and civilian application) data
- Technologies that could be used to advance a foreign state’s military, intelligence, or surveillance capabilities (nuclear, chemical, biological, radiological, space, critical minerals, infrastructure, etc.)
- Indigenous data: Information by, and collected with, Indigenous researchers, participants, and communities
Encryption is a primary safeguard for these data types.
Legal and ethical considerations
In Canada, PIPEDA (and in Ontario, PHIPA) require encryption as an appropriate safeguard for personal and health data. Failure to encrypt may result in a breach of legal obligations and mandatory notification in case of compromise.
Under TCPS 2, McMaster’s REBs enforce ethical standards requiring confidentiality and integrity of human participant data. For medium- and high-risk data, encryption is considered a necessary security measure.
For European collaborators, GDPR effects a global shift toward encryption as standard protocol for personal data protection.
Institutional policies on data encryption
As mentioned, Institutional Review Boards (IRBs) and research ethics boards often require encryption for storing or transmitting data involving human subjects. For more information, look at McMaster’s Research Ethics Board (MREB) Data Storage and Security Tools.
McMaster’s Research Data Management Strategy emphasizes responsible and secure handling of research data throughout its lifecycle, aligning with Tri‑Agency expectations of confidentiality, transparency, and reuse.
McMaster’s Research Data Management team clarifies what constitutes sensitive data (e.g., PHI, identifiable info, IP, Indigenous cultural knowledge) and sets a clear standard:
- Any medium- or high-risk data stored on internet-connected devices should be encrypted
- Any medium- or high-risk data stored on cloud services like OneDrive or Dropbox must be encrypted
Interactive activity
Case Study Analysis: Do You Need to Encrypt?
For each scenario:
- Decide whether encryption is required, recommended, or not necessary.
- Briefly explain your reasoning.
- Reflect on how institutional policy and ethical responsibility factor into your decision.
Scenario 1:
You're a graduate student conducting interviews for a research project on healthcare access. You store the audio recordings and transcripts on your personal laptop.
Scenario 2:
You’re a staff member sending a spreadsheet with student GPA and contact info to a colleague in another department via email.
Scenario 3:
You're using a university-approved cloud storage solution to back up anonymized survey data with no personal identifiers.
Key Points / Summary
- Sensitive data includes PHI, confidential research data, student records, and financial information.
- Encryption helps prevent unauthorized access, whether data is in transit (e.g., being emailed) or at rest (e.g., stored on a device).
- Various laws and regulations (PIPEDA, PHIPA, GDPR) may require or strongly encourage encryption.
- Failing to encrypt sensitive data can result in legal penalties, reputational harm, or ethical breaches.