1. What is a Data Access Request?

This is a formal process to request access to UBC data.

2. Before, I could request and obtain data by email, call or a submit a ServiceNow ticket. Why do I need to submit a Data Access Request now?

The information you provide on the form informs Data Stewards during their review of the request and decision to approve or deny access. Also, the terms and conditions on the form ensure that you are fully aware of your responsibility to ensure that the data is used and secured appropriately.

UBC takes data protection and regulatory compliance seriously. This process was launched In November 2019 as a UBC Data Governance and Data and Reporting initiative.

3. When do I need to prepare a Data Access Request?

A request is required for any new access to UBC data.

4. Do I need to prepare a Data Access Request for each report, extract, database access or similar request?

Yes, if the data request is for access to new data - i.e. access to the specific data that has not been previously authorized.

For recurring data, the request allows you to specify the frequency required for the data release. Once approved, a new Data Access Request is only required if you are adding or changing the data and revising the frequency of data release.

5. Who can submit a Data Access Request?

Requests can be submitted on behalf of a UBC faculty, school, department or administrative unit, or a non-UBC individual or entity.

Requests submitted by a UBC faculty, school, department or administrative unit are considered "internal". Requests submitted by a non-UBC individual or entity, including a UBC researcher, are considered "external".

6. What do I need in order to submit a Data Access Request?

The following information is needed in the request:

  1. Requestor details, including the name of the faculty, administrative unit, or external entity you are requesting data for
  2. Purpose for the request
  3. Duration of access
  4. Purpose of data usage and data security controls, to confirm your request meets:
  5. For scholarly research:
    • Ethics board approval (you will need to include the Ethics Board Approval number and attachment of the approval)
  6. For API requests:
    • Target system details
    • PIA reference # (where applicable). Go to UBC's PIA site for more information.
7. What questions are asked in the Data Access Request?

There are several sections within the Data Access Request. Each applicable section must be completed. When you move on to the next section, you will not be able to go back to a previous one.

Most questions have an info tip to guide you. Some questions are conditional and dependent on how you respond to a previous one. Refer to the University Glossary for definitions of terms that you come across in the form. If you cannot find the definition in the glossary, or a description in the info tip of the question, please reach out to EDG.

The sections include:

  1. Request Overview
    This section asks overview questions including:
    • Request type
    • Report / project name
    • Request date
    • Requestor's full name, email and CWL
  2. Requesting Organization Details
    This section focuses on:
    • Purpose of the request
    • Requesting organization/unit name, organization details and contact information
    • The function that requires the data
    • The intended use case of the request
    • Research Ethics Board Approval (for scholarly research)
    • Contracts that are in place (for external requests)
    • How the requested data will benefit UBC
  3. Requested Data Details
    This section collects information about the data being requested. In this section, you will be asked to provide:
    • A description or list the data needed
    • The criteria for data required
    • The level of detail i.e. case-level, aggregated or anonymized
    • The frequency of requested data (if applicable)
    • Templates of previous extracts/reports if you have any.
  4. Target System Details (for Developer API Access requests)
    This section asks information about the consuming system for API access requests. You will be asked about:
    • The name of the target (consuming) application
    • The function of the target application
    • Privacy Impact Assessment (PIA) details
  5. API Details (for Developer API Access requests)
    This section asks information about the API needed for access. You will be asked about:
    • The name and version of the API you need access to
    • The endpoint(s) and method(s) needed
    • The attributes and context needed from the API
    • The duration of access
  6. Regulatory Compliance, Data Distribution and Storage
    This section asks questions around how data will be handled. You will be asked:
    • Whether the data will include any Personal Information
    • If you are aware of any legal or compliance requirements other than FIPPA
    • Who will have access to the data
    • What process will be used to communicate or distribute the requested data or the results of analysis
    • If there are any negative consequences associated with the data being made public
    • If there is any actual or perceived conflict of interest
    • If the data will be used in a manner that is consistent with the purpose for which it was collected
    • Authority for data release (for external or scholarly research requests)
    • If the data will be linked with other UBC or non-UBC sources
    • If the data will be propagated with other systems (for Developer API Access requests)
    • If the data will be stored in Canada
    • If the data will be encrypted if stored on a mobile device.

Finally, you will be required to acknowledge a Data Access Acknowledgement before you can submit your request.

8. What is the difference between an internal and an external request?

An internal request is one that is submitted on behalf of a Faculty, central administrative unit or department, for operational or administrative function.

An external request is submitted on behalf of an external organization, scholarly research or private use.

9. What is the difference between a Data Access Request and a Privacy Impact Assessment (PIA)?

A Data Access Request is the mechanism to request access to specific UBC data, whereas a Privacy Impact Assessment (PIA) is used to assess the privacy and related security risk associated with the collection, use, and disclosure of personal information (PI). PIAs are legally required under certain circumstances. Depending on the nature of the Data Access Request, UBC may also require that a PIA be completed. For example, electronic applications or systems used to collect, transmit or store PI generally require a PIA.

When appropriate, Data Stewards may direct the Requester to complete a PIA before the Data Access Request can be approved.

10. Are there overlaps between questions asked in the Data Access Request form and a PIA?

Yes, there can be some overlap between the processes. If you are requested to complete a PIA, you may be asked for some of the same information you have already provided through the Data Access Request process. It is important to ensure that the responses given in the PIA and Data Access Request process are consistent.

11. Does a Data Access Request always require a PIA?

For API requests that include personal information, you will be asked if a PIA has been initiated for the target system.

For other types of data access requests, the use case will be reviewed prior to request for a PIA. If the PI requested introduces elevated risks, shares data externally, or changes use, then a supporting PIA may be requested prior to approval.

For more information on PIA requirements, please see the UBC PIA Process.

12. How long does a Data Access Request take to process?

Depending on the purpose, sensitivity of the requested data and complexity of the fulfillment method, a submitted request can take from a couple of business days to several weeks or months from the moment it is received, reviewed and fulfilled (if approved). Ensure your request is submitted early, and contains all the necessary detail in order to avoid delays.

13. What can I expect after submitting a Data Access Request?

You will receive an IT Service Centre ticket number via email. You can view the request via the View My Records section within the IT Self-Service Portal.

14. Once my Data Access Request is approved, does it have an expiry date?

Yes, the request allows you to specify how long you need the access for. API access or recurring data access requests require renewal at the end of the selected end date.

UBC reserves the right to perform periodic reviews to validate usage and revoke data access where required based on internal information security policies.

15. Is it my responsibility to determine what system the requested data comes from?

No, the Data Governance and Data and Reporting teams will determine what the system of record is for the requested data, as well as to ensure fulfillment of the data release.

16. What APIs are available in the UBC MuleSoft Exchange (UBC API Portal)?

For specific information on available APIs, visit UBC MuleSoft Exchange. Complete the Request API Access Form once you have selected your API.

If you need access to an API not available in the MuleSoft Exchange Portal, complete the UBC Data Access Request Form.

17. What is a data steward, and what is their role in this process?

Data Stewards are university business officials that have direct operational-level responsibility for the management of one or more types of Institutional Data and have authority to make decisions. Within the context of data access, Data Stewards are referred to as Reviewers. They are responsible for reviewing incoming Data Access Requests for data within their charge to ensure UBC data is going to be used in a compliant manner, as well as be able to identify who has access to their data.

To learn more about Data Stewards, visit the Data Governance website.