
Here, it is pertinent to know how the different classes of Western data can be shared and the processes involved. Whenever data is shared, it is recommended to use a data sharing agreement that defines the following details:

  • how the data will be used
  • the duration of usage/sharing
  • what happens when the data is no longer in use
  • any restrictions on usage
  • how the data will be secured

Confidential Data

Physical Records

  • When sending confidential data by mail:
    • Use registered or tracked mail services.
    • The inner envelope must be clearly marked “Confidential”.
    • The outer envelope must only display the recipient’s address.
  • Hand delivery must be performed by authorized personnel and documented.
  • Access to file cabinets must be restricted to trained, authorized staff.
  • Access logs must be maintained and reviewed periodically.
  • A chain of custody should be documented when records are transferred between individuals or departments.
  • A Data Sharing Agreement (DSA) is required when sharing with third parties or external collaborators. The DSA must define at least the following:
    • Purpose and scope of data use.
    • Security responsibilities.
    • Retention and disposal terms.
  • Any unauthorized sharing or suspected breach must be reported immediately to the appropriate authority according to Western's Breach Notification Process.

Electronic Records

  • Data must only be shared with authorized individuals on a need-to-know basis.
  • Access permissions must be time-limited and reviewed regularly.
  • Confidential data must be transmitted using encrypted communication channels (e.g., HTTPS, SFTP, VPN).
  • Email transmission must include end-to-end encryption.
  • External email services (e.g., Gmail, Yahoo) must not be used to send or receive confidential data.
  • Sharing through Western's OneDrive must be done with restricted access and a timeline must be applied to shared access.
  • A Data Sharing Agreement (DSA) is required when sharing with third parties or external collaborators. The DSA must define at least the following:
    • Purpose and scope of data use.
    • Security responsibilities.
    • Retention and disposal terms.
  • All data sharing activities must be logged and auditable.
  • Any unauthorized sharing or suspected breach must be reported immediately to the appropriate authority according to Western's Breach Notification Process.

Sensitive Data

Physical Records

  • When sending sensitive data by mail:
    • Use tracked or registered mail services when feasible.
    • The inner envelope must be clearly marked “Sensitive”.
    • The outer envelope must only display the recipient’s address.
  • Access to file cabinets must be restricted to trained personnel.
  • Access logs should be maintained and reviewed periodically.
  • A chain of custody should be documented when records are transferred between individuals or departments.

Electronic Records

  • Data must be shared only with authorized individuals on a need-to-know basis.
  • Access permissions should be time-limited and reviewed periodically.
  • Sensitive data must be transmitted using encrypted communication channels (e.g., HTTPS, SFTP, VPN).
  • If email is used, data should be sent via secure institutional email with end-to-end encryption.
  • Avoid using external email services (e.g., Gmail, Yahoo) for sending or receiving sensitive data.
  • Sharing through Western's OneDrive must be done with restricted access and a timeline should be applied to shared access.
  • Access logs to the storage location must be maintained and reviewed periodically.
  • A Data Sharing Agreement (DSA) is recommended when sharing with third parties or external collaborators. The DSA must define at least the following:
    • Purpose and scope of data use.
    • Security responsibilities.
    • Retention and disposal terms.
  • Any unauthorized sharing or suspected breach must be reported promptly.
  • Systems should support basic alerting for unusual access or sharing activity.

Public Data

Physical Records

No restriction on how data is shared.


Electronic Records

No restriction on how data is shared.
