Cyber Security

Research data is a valuable target for cyber threats. Whether you're working on campus, at home, or travelling internationally, these security practices form the foundation of protecting your work and Lakehead University's digital assets.

Data Location Considerations: Certain research data may need to remain in Canada – examples include defence contracts, Controlled Goods, provincial health datasets, or where ethics approval specifies Canadian storage. Before storing sensitive research data on cloud services, consider whether your funding agreement, REB approval, or data classification requires Canadian-hosted solutions. Contact the Research Security and Data Management Specialist for guidance.

Important: These security measures are especially critical when travelling internationally or working with sensitive research data. Implement them before your next research trip.

1. Strong Passwords & Password Managers

Weak or reused passwords are one of the most common ways attackers gain access to accounts. A single compromised password can expose your research data, email, and university systems — especially if you use the same password across multiple accounts. The Canadian Centre for Cyber Security recommends using passphrases or complex passwords of at least 12 characters.

Use Passphrases: A passphrase is a sequence of mixed words (with or without spaces) that's easier to remember than random characters. Your passphrase should be at least 4 words and 15 characters. Example: Scan a room and describe what you see — "Closet lamp Bathroom Mug" becomes a strong, memorable passphrase.

Password Best Practices

All Lakehead systems (myEmail, myCourseLink, myInfo, WebAdmin, Library Proxy) require passwords that meet the Strong Password Standard. For maximum security:

  • Minimum 12 characters — The Canadian Centre for Cyber Security recommends at least 12 characters. Longer is always better.
  • Mixed case + numbers + symbols — Use uppercase (A-Z), lowercase (a-z), digits (0-9), and special characters (!@#$%^&*)
  • Use a passphrase — String together 4+ random words ("correct-horse-battery-staple")
  • Create an acronym — Turn a memorable phrase into a password. "My jersey number when I played soccer was 27!" becomes "Mj#wIpsw27!"
  • Never reuse passwords — Use a different password for each account, especially sensitive ones like banking

Common Mistakes to Avoid

  • No easily guessed passwords — Avoid "password", "let me in", "1234", or character substitutions like "p@ssword"
  • No personal details — Don't use birthdays, hometowns, pet names, or information from social media
  • Never use "Lakehead" — Don't include "Lakehead", "LU", "Thunderwolves", or any variation in your password — attackers target these first
  • No common expressions — Avoid song lyrics, movie titles, or famous quotes
  • No vendor defaults — Always change passwords assigned by hardware or software vendors
  • Don't enter passwords on public Wi-Fi — Wait until you're on a secure network or use VPN
  • Never share passwords — Don't give out passwords online, over the phone, or even to family
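The rules in the two lists above can be checked mechanically. This is an added example, not Lakehead's Strong Password Standard or a TSC tool; `check_password` and its parameters are hypothetical names. It assumes a candidate passes either as a passphrase (4+ words, 15+ characters) or as a 12+ character password with all four character classes, and it matches "LU" only as a whole word.

```python
import re

MIN_LENGTH = 12                              # minimum length from the page
PASSPHRASE_WORDS, PASSPHRASE_CHARS = 4, 15   # passphrase guidance from the page
COMMON = ("password", "letmein", "1234")     # the page's "easily guessed" examples
INSTITUTION_SUBSTRINGS = ("lakehead", "thunderwolves")
INSTITUTION_WORDS = ("lu",)                  # whole-word match only (assumption)
CLASSES = (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
           ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9\s]"))
# Undo common character substitutions so "p@ssword" is seen as "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                      "3": "e", "$": "s", "5": "s", "!": "i"})


def squash(text):
    """Lowercase and drop spaces, hyphens and underscores: "let me in" -> "letmein"."""
    return re.sub(r"[\s_-]+", "", text.lower())


def check_password(candidate, personal_details=()):
    """Return the list of rules a candidate breaks; an empty list means it passes.

    Assumption: a candidate qualifies either as a passphrase (4+ words,
    15+ characters) or as a complex password (12+ characters, all four
    character classes). The page lists both without saying how they combine.
    """
    problems = []
    words = [w for w in re.split(r"[^A-Za-z]+", candidate) if w]
    squashed = squash(candidate)
    normalised = squashed.translate(LEET)

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    is_passphrase = (len(words) >= PASSPHRASE_WORDS
                     and len(candidate) >= PASSPHRASE_CHARS)
    if not is_passphrase:
        missing = [name for name, pattern in CLASSES
                   if not re.search(pattern, candidate)]
        if missing:
            problems.append("not a passphrase and missing: " + ", ".join(missing))

    if any(term in squashed or term in normalised for term in COMMON):
        problems.append("contains an easily guessed password")
    if (any(term in normalised for term in INSTITUTION_SUBSTRINGS)
            or any(w.lower() in INSTITUTION_WORDS for w in words)):
        problems.append("contains a Lakehead-related term")
    if any(squash(d) in squashed for d in personal_details if d):
        problems.append("contains a personal detail")
    return problems


if __name__ == "__main__":
    # Constructed candidates; "Fluffy" stands in for a pet name.
    for pw in ("Closet lamp Bathroom Mug", "p@ssword", "Thunderw0lves2024!"):
        print(repr(pw), "->", check_password(pw, personal_details=("Fluffy",)) or "OK")
```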

The Problem with Password Reuse:

Attackers use "brute force" (trying common passwords) and "rainbow tables" (precompiled password lists) to crack short or simple passwords. Shorter passwords are much easier to hack. Using lengthy passphrases or complex passwords makes it significantly harder for threat actors to access your accounts.

Check If Your Email Has Been Breached

Data breaches happen constantly, and your email address may already be exposed. Use this free service to check:

Have I Been Pwned? — Enter your email to see if it appears in known breaches.

If your email shows up, change the password for that account immediately — and any other accounts where you used the same password.

Get Future Alerts: Sign up for "Notify Me" to receive alerts about future breaches.

Use a Password Manager

A password manager stores all your passwords securely and generates strong, unique passwords for each account. You only need to remember one master password.

How it works: The manager stores credentials in an encrypted vault, auto-fills passwords on websites, generates random strong passwords, and syncs across all your devices.

Trusted password managers:

2. Two-Factor Authentication (2FA)

Two-factor authentication (2FA) adds a second layer of security beyond your password. Even if someone steals your password, they cannot access your account without the second factor. The Canadian Centre for Cyber Security strongly recommends 2FA for all accounts.

Important — Three Areas to Secure:

You need to enable 2FA in multiple places to be fully protected:

  1. Duo Security — Protects all Lakehead Single Sign-On (SSO) services (myInfo, D2L, library resources, and any software that uses your Lakehead login)
  2. Google 2-Step Verification — Protects your Lakehead Google account (Gmail, Drive, Calendar) separately from Duo
  3. Other Software & Services — Manually enable 2FA on any other accounts you use (personal email, banking, social media, research tools)

How SSO Works: When you log into any service or software using your Lakehead account credentials (Single Sign-On), Duo Security will prompt you for 2FA. This includes D2L, library databases, Microsoft 365, and many research tools. If you see a Lakehead login page, Duo is protecting that service.

A. Duo Security (Lakehead SSO Systems)

Lakehead uses Duo Security for two-factor authentication on all university Single Sign-On (SSO) systems. Any service or software that authenticates through your Lakehead account is protected by Duo. You have three options depending on what device you want to use:

  • Built-in Computer: Windows Hello (fingerprint, face, or PIN — recommended if available)
  • Phone: Duo Mobile app
  • USB Key: YubiKey (physical security key)

Configure at least two authentication methods to avoid being locked out if you lose a device.


Duo Initial Setup Steps

  1. Go to lakeheadu.login.duosecurity.com/devices
  2. Login with your Lakehead username and password
  3. Accept the 2FA enrolment terms and click Submit
  4. Click Next through the Welcome screens
  5. Select your authentication method:
    1. Windows Hello — Uses your computer (recommended if available)
    2. Duo Mobile — Uses your phone
    3. Security Key — Uses a YubiKey (USB)

Option A: Windows Hello (Built-in Computer)

Windows Hello uses security features built into your Windows computer — no phone or external device needed. If your computer has a fingerprint reader, facial recognition camera, or you've set up a Windows PIN, you can use it as your second factor.

First, ensure Windows Hello is set up on your computer:

  1. Go to Settings → Accounts → Sign-in options
  2. Set up at least one Windows Hello method:
    1. Fingerprint recognition (if your device has a fingerprint reader)
    2. Facial recognition (if your device has a Windows Hello camera)
    3. PIN (available on all Windows devices)

Then, add Windows Hello to Duo:

  1. Go to lakeheadu.login.duosecurity.com/devices
  2. Click Add a device
  3. Select Windows Hello (marked as "Recommended" if your computer supports it)
  4. Authenticate with your fingerprint, face, or PIN when prompted
  5. Name the device (e.g., "Work Laptop - Windows Hello")

Why use Windows Hello?

No phone required, no USB key to carry. Just use your fingerprint, face, or PIN when Duo prompts you. Fast and convenient if you primarily work from one computer.

Important: Windows Hello only works on the specific computer where it's registered. Set up Duo Mobile as a backup for when you're on other devices or travelling.


Option B: Duo Mobile App (Phone)

Duo Mobile is a free app for your smartphone. When you log in, you'll receive a push notification to approve — or you can use a one-time code if you're offline.

Download Duo Mobile: Android | iOS

  1. Select Duo Mobile during setup
  2. Open the app on your phone and press + Add
  3. Select Use QR code and scan the code on your computer screen

Travel Tip: Duo Mobile works offline using one-time codes — ideal for international travel when you may not have cell service.


Option C: Security Key / YubiKey (USB)

A YubiKey is a small physical security key that plugs into your computer's USB port. When Duo prompts you, simply touch the key to authenticate.

  1. Select Security Key during setup
  2. Plug your YubiKey into a USB port and click OK
  3. Touch the gold contact on the key when prompted

Interested in a YubiKey? Contact the TSC Desktop team to see if they have any available.


Need help? See the full Duo Setup Guide or contact TSC.

B. Google 2-Step Verification (Lakehead Google Account)

Your Lakehead Google account (@lakeheadu.ca) has its own 2-Step Verification that is separate from Duo.

  1. Go to myaccount.google.com/security (sign in with @lakeheadu.ca)
  2. Under "Signing in to Google," click 2-Step Verification
  3. Click Get Started and re-enter your password
  4. Choose your method: Google Prompts (recommended), Security Key, or Authenticator App
  5. Follow the prompts to complete setup
  6. Add a backup method (recovery phone or backup codes)

Save Your Backup Codes: Google will offer backup codes during setup. Save these somewhere secure — they can unlock your account if you lose your phone.

C. Other Software & Services

Beyond Lakehead systems and Google, you should enable 2FA on every other account that supports it. This includes personal email, banking, social media, cloud storage, and any research tools or databases you use.

Common Services with 2FA Options

  • Microsoft/Office 365 — Settings → Security → Two-step verification
  • Dropbox — Settings → Security → Two-step verification
  • GitHub — Settings → Password and authentication → Two-factor authentication
  • Apple ID — Settings → [Your name] → Password & Security → Two-Factor Authentication
  • Banking & Financial — Check your bank's security settings (most now require 2FA)
  • Social Media — Facebook, LinkedIn, Twitter/X all offer 2FA in security settings

Be Secure Everywhere: Take time to review all your accounts and enable 2FA wherever available. Check 2fa.directory to see if a specific service supports two-factor authentication.

3. Protecting Your Data

Data protection involves multiple layers: encrypting devices and files, transferring data securely, and using end-to-end encryption for sensitive communications. This section covers all aspects of keeping your research data safe.

When Do You Need Extra Protection?

  • Device encryption — Always (protects if laptop is stolen)
  • File encryption — When sharing sensitive files via cloud services
  • E2EE communications — For sensitive conversations, especially when travelling

A. Protect Your Devices

Full-disk encryption ensures that if your laptop is lost or stolen, your data cannot be accessed without your password. This is essential for protecting research data.

Windows: Enable BitLocker

  1. Open Settings → Privacy & security → Device encryption
  2. Turn on Device encryption (or search for "BitLocker" and enable it)
  3. Save your recovery key — Print it or save to your Lakehead Google Drive

Important: If you lose your recovery key, you cannot access your data if something goes wrong. Save it somewhere secure but accessible to you.

Mac: Enable FileVault

  1. Open System Settings → Privacy & Security
  2. Scroll to FileVault and click Turn On
  3. Choose how to unlock: iCloud account or recovery key
  4. If using recovery key, save it somewhere secure

Note: On newer Macs with Apple Silicon (M1/M2/M3), encryption is enabled by default. FileVault adds an extra layer by protecting the encryption key with your login password.

Encrypt USB Drives & External Storage

External drives should be encrypted, especially if they contain research data.

Windows:

  1. Right-click the drive in File Explorer → Turn on BitLocker
  2. Choose Use a password to unlock the drive
  3. Save the recovery key, then encrypt

Mac:

  1. Right-click the drive in Finder → Encrypt
  2. Set a password and hint
  3. Wait for encryption to complete

Cross-Platform Note: BitLocker-encrypted drives may not be readable on Mac. If you need to use the drive on both, consider using VeraCrypt (free, works on both platforms).

B. Protect Files in the Cloud

Google Drive encrypts files during transfer and storage, but Google (and potentially US authorities under the CLOUD Act) can access the contents. For sensitive research files, add your own encryption before uploading.

When Should You Encrypt Files Before Uploading?

Encrypt files before uploading to Google Drive if they contain:

  • Human subjects data or identifiable personal information
  • Unpublished research findings
  • Industry partner confidential information
  • Grant applications or proposals in progress
  • Anything covered by an NDA or data sharing agreement

For everyday files (lecture notes, general correspondence, non-sensitive drafts), Google Drive's built-in encryption is sufficient.

How to Encrypt Files Before Uploading

Choose the method that matches your situation:

Windows Only — 7-Zip (Best for Most Users)

Download 7-Zip — Free, open-source, creates AES-256 encrypted archives.

  1. Right-click file(s) → 7-Zip → Add to archive...
  2. Set Archive format to 7z
  3. Under Encryption, enter a strong password
  4. Set Encryption method to AES-256
  5. Click OK, then upload the .7z file to Google Drive
  6. To decrypt: Download and right-click → 7-Zip → Extract Here, enter password

Cross-Platform — Password-Protected ZIP (Mac to Windows or Vice Versa)

Use this method when sharing between Mac and Windows users. Creates a .zip file anyone can open.

On Mac (Terminal):

  1. Open Terminal (Applications → Utilities → Terminal)
  2. Type: zip -er ~/Desktop/encrypted.zip then drag your file/folder into the Terminal window
  3. Press Enter
  4. Enter a password when prompted (you won't see it as you type)
  5. Re-enter password to verify
  6. Find encrypted.zip on your Desktop
  7. Upload to Google Drive and share the password separately

On Windows (7-Zip):

  1. Right-click file/folder → 7-Zip → Add to archive...
  2. Set Archive format to zip (instead of 7z)
  3. Enter password under Encryption
  4. Click OK, then upload to Google Drive

To Decrypt:

Download the .zip file and double-click it. Enter the password when prompted. Works on both Windows and Mac without additional software.

Office Documents Only (Word, Excel, PowerPoint)

Microsoft Office has built-in AES-256 encryption:

  1. Open your document in Word, Excel, or PowerPoint
  2. Go to File → Info → Protect Document → Encrypt with Password
  3. Enter a strong password and click OK
  4. Save the file, then upload to Google Drive
  5. To decrypt: Download and open the file — enter password when prompted

Sharing the Password Securely:

Never send the password in the same email or message as the file link. Use a separate channel:

  • Best: Phone call or Signal message
  • Acceptable: Separate email (not in the same thread as the file)
  • In person: Tell them directly

Remember: If you lose the password, the files cannot be recovered. Store passwords securely using a password manager.

C. Transfer Data Securely

Good News: If you share files using email attachments or Google Drive, your transfers are already encrypted in transit. You don't need special tools for everyday file sharing.

You need secure file transfer tools (SFTP) when uploading to research servers or computing clusters, transferring large datasets, or working with servers that require direct file access.

Recommended tools:

  • Windows: WinSCP — Two-panel drag-and-drop interface
  • Mac: Cyberduck — Simple Finder-like interface

To connect:

  1. Open the SFTP application
  2. Click New Connection
  3. Select SFTP as the protocol
  4. Enter server address, username, and password
  5. Click Connect
  6. Drag files to transfer

Important: Always choose SFTP, not FTP. Regular FTP sends your password and files without encryption.

D. End-to-End Encryption for Sensitive Communications

End-to-End Encryption (E2EE) ensures that only you and your recipient can read messages or access content. Not even the service provider can see the content.

For sensitive conversations with collaborators, especially when travelling or communicating outside institutional systems:

  • Signal — Gold standard for secure messaging. Free and open-source. Works offline.
  • WhatsApp — Uses Signal's encryption protocol. Convenient if collaborators already use it.

Zoom End-to-End Encryption for Meetings

Lakehead's Zoom allows users to enable End-to-End Encryption (E2EE) for meetings that require extra security. When E2EE is enabled, the encryption keys are generated on participants' devices — not Zoom's servers — so even Zoom cannot access your meeting content.

Step 1: Enable E2EE in Your Zoom Settings

  1. Sign in to the Zoom web portal
  2. Go to Settings (Left Sidebar) → Meeting (Top Menu) → Security (Nested Left-Sidebar)
  3. Scroll to "Allow use of end-to-end encryption" and toggle it ON
  4. Under Default encryption type, leave as "Enhanced encryption" (recommended for everyday meetings)

Step 2: Schedule an E2EE Meeting

  1. When scheduling a new meeting, look for the Encryption option near the bottom of the Meeting Details page
  2. Select "End-to-end encryption" instead of "Enhanced encryption"
  3. Schedule the meeting as normal

Verifying E2EE is Active

Look for the green shield icon with a checkmark in the top-left corner of your meeting window. Click it to view security codes that participants can verify match.

E2EE Limitations

When E2EE is enabled, these features are disabled:

  • Cloud recording
  • Live transcription & AI Companion features
  • Zoom Whiteboard
  • Streaming
  • Polling
  • Join before host
  • Browser joining (participants must use Zoom app)
  • Phone dial-in participants will NOT be E2EE protected
  • Zoom Rooms & H.323/SIP devices — Cannot connect to E2EE meetings

Practical note: E2EE works well when everyone joins from laptops or mobile devices. It won't work if some participants are in a boardroom or classroom using Zoom Room equipment.

Learn more: Zoom E2EE FAQ | Full setup guide & limitations

Recommendation: Use E2EE only for sensitive meetings where extra protection is needed. For everyday meetings, "Enhanced encryption" is sufficient and preserves all Zoom features.

Remember: Encryption protects files while stored and in transit. Also back up your data — encryption doesn't protect against hardware failure.

4. Backup Practices

A reliable backup strategy protects your research from hardware failure, theft, ransomware, or accidental deletion. Follow the 3-2-1 rule to ensure you never lose important work.

The 3-2-1 Backup Rule

  • 3 copies of your important data
  • 2 different storage types (e.g., cloud + physical drive)
  • 1 copy offsite (separate location from your primary workspace)

Storage Options at Lakehead

Option | Storage | Notes
Google Drive | 100GB | Your Lakehead account (US-hosted)
Nextcloud | 100GB | Canadian-hosted, request through Digital Research Alliance
External Drive | Unlimited | You provide; encrypt before use

Total cloud storage available: 200GB — For larger datasets, you'll need to rely more on external drives.

Example 3-2-1 Setup

Copy | Where | How Often
Working copy | Your laptop | Daily work
Backup 1 | Google Drive or Nextcloud | Upload weekly
Backup 2 | Encrypted external drive | Update weekly, store in locked cabinet

This gives you: 3 copies, 2 storage types (cloud + physical), and 1 offsite (cloud).

External Drive Tips

What to buy:

  • Size: 1TB or larger
  • Type: Portable SSD (faster, more durable) or portable HDD (more affordable)
  • Connection: USB 3.0 or USB-C

Keep it secure:

  • Encrypt the drive before storing data — see Encrypt USB Drives & External Storage
  • Store in a locked cabinet in your office when not in use
  • Don't leave it plugged in continuously (protects against ransomware)

Ransomware Protection: Ransomware encrypts all connected drives. Keeping your backup drive unplugged and stored separately means you can recover without paying.

Making Backups a Habit

Schedule reminders:

  • Set a weekly or bi-weekly calendar reminder: "Back up research files"
  • Monthly: "Test backup — try opening a file from your backup drive"

Key moments to back up:

  • Before travel
  • Before major analysis
  • At project milestones
  • End of semester

Optional — Automate external drive backups:

  • Windows: File History can automatically back up when your drive is connected (Settings → Update & Security → Backup)
  • Mac: Time Machine does the same (System Settings → General → Time Machine)
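The monthly "Test backup" reminder above can be made stricter than opening one file by comparing SHA-256 hashes of every file in the working copy against the backup drive. This is an added example, not a Lakehead or TSC tool; the function names are hypothetical and the folders and files created in `demo` are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large datasets do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(source, backup):
    """Compare a working copy with a backup copy.

    missing        : in the working copy but not yet backed up
    differs        : present in both with different content (a stale backup,
                     or a file that was altered or corrupted on one side)
    only_in_backup : deleted or renamed in the working copy since the backup
    """
    src, bak = build_manifest(source), build_manifest(backup)
    return {
        "missing": sorted(set(src) - set(bak)),
        "differs": sorted(k for k in src.keys() & bak.keys() if src[k] != bak[k]),
        "only_in_backup": sorted(set(bak) - set(src)),
    }


def demo():
    """Build constructed sample folders in a temporary directory and verify them."""
    with tempfile.TemporaryDirectory() as tmp:
        laptop, drive = Path(tmp, "laptop"), Path(tmp, "external_drive")
        for root in (laptop, drive):
            (root / "data").mkdir(parents=True)
        (laptop / "data" / "survey.csv").write_text("id,score\n1,42\n")
        (laptop / "thesis.txt").write_text("draft 3")
        (laptop / "notes.txt").write_text("new this week")     # not backed up yet
        (drive / "data" / "survey.csv").write_text("id,score\n1,42\n")
        (drive / "thesis.txt").write_text("draft 2")            # stale copy
        return verify_backup(laptop, drive)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Run `verify_backup` right after updating the external drive, while it is still connected; all three lists should then be empty.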

Data Requiring Canadian Hosting

Some research data must remain in Canada. This includes:

  • Certain ethics approvals that specify Canadian storage
  • Provincial health data
  • Indigenous data governance agreements
  • Some federal grant requirements

Use Nextcloud (through the Digital Research Alliance) instead of Google Drive for these files — Nextcloud servers are located in Canada.

Not sure if your data requires Canadian hosting? Contact the Research Security and Data Management Specialist.

5. Secure Data Disposal

Simply deleting files or formatting a drive does not remove your data — it can be recovered with basic tools. Before disposing of, donating, or repurposing any storage device, you must securely erase all data.

Windows — Eraser (TSC-recommended):

  1. Download and install Eraser
  2. Right-click the file(s) you want to erase
  3. Select Eraser → Erase
  4. To wipe previously deleted files, use Erase Unused Space

Mac — Disk Utility:

  1. Open Disk Utility
  2. Select the drive in the sidebar
  3. Click Erase
  4. Click Security Options
  5. Choose the number of passes (more = more secure)
  6. Click Erase

SSD Limitation: SSDs use "wear leveling" which distributes data across the drive — traditional overwrite methods can't guarantee complete erasure. For highly sensitive data on SSDs, physical destruction may be required. Contact TSC for secure disposal services.

6. Virtual Private Network (VPN)

A VPN creates a secure encrypted connection and lets you access campus resources from anywhere. Lakehead University uses FortiClient VPN.

When to Use the VPN

  • Always when using public Wi-Fi (airports, hotels, cafes, conferences)
  • Always when travelling internationally
  • When accessing campus resources (library databases, internal systems, network drives)
  • When handling sensitive research data remotely

FortiClient VPN Setup

Download FortiClient: Windows & Mac | Android | iOS

Windows/Mac Configuration:

  1. Launch FortiClient and click Configure VPN
  2. Select SSL-VPN
  3. Enter: Connection Name: LU SSL | Remote Gateway: vpn.lakeheadu.ca | Port: 10443
  4. Click Apply, then enter your Lakehead credentials to connect

Mobile: Enter server address vpn.lakeheadu.ca and your Lakehead credentials.

Windows Users: "Power saving mode" can disconnect your VPN. Disable this feature or use a wired connection for long sessions.

Before You Travel: Test your VPN from a non-campus network. Some countries block VPNs — check travel advisories.

Need help? See the full FortiClient VPN setup guide or contact TSC.

7. Device Physical Security

A stolen or unattended laptop can expose all your research data, saved passwords, and university access — even with strong passwords.

Physical Security Best Practices

  • Enable automatic screen lock — Quick lock: Windows Win + L | Mac Control + Command + Q
  • Never leave devices unattended — Not in coffee shops, libraries, or conference venues
  • Keep devices in sight when travelling — Carry laptops in hand luggage
  • Be aware at conferences — Theft at academic conferences is common

If Your Device Is Lost or Stolen

  1. Report immediately to TSC
  2. Change your passwords — Especially Lakehead account and saved accounts
  3. Enable remote wipe — Windows: Find My Device | Mac: Find My | Mobile: Find My iPhone/Android
  4. File a police report — Especially for university-owned equipment
  5. Notify your supervisor if research data was on the device

8. Software Updates

Outdated software is one of the easiest ways for attackers to compromise your system. Security updates patch known vulnerabilities — delaying updates leaves you exposed.

Enable Automatic Updates

Windows: Settings → Windows Update → Turn on automatic updates
Mac: System Settings → General → Software Update → Enable automatic updates
Browsers: Chrome, Firefox, Edge update automatically — don't ignore restart prompts

Simple Rule: When your computer asks you to restart for updates, do it. Don't click "Remind me later" repeatedly.

9. Using Trusted Software

The software you install can be a security risk. Malicious software can steal your data or give attackers access to your system. Always use software from trusted sources.

TSC-Approved Software Resources

Avoid Untrusted Software: Software from unknown websites, torrent sites, or unofficial sources may contain malware — even if it appears to work normally. Avoid pirated software.

10. Phishing & Email Security

Phishing is the #1 way attackers gain access to university systems. These messages use fear or urgency to trigger an impulsive reaction, often luring you to fraudulent websites that mimic legitimate ones. For detailed guidance, see Lakehead's Phishing Guide and Safe Computing Guidelines.

Email Spoofing: Attackers can alter email headers to make messages appear to come from @lakeheadu.ca addresses. Always check the actual sender address (not just the display name) and report suspicious emails to the TSC Helpdesk.

Red Flags: Phishing vs Legitimate Email

  • Greetings — Legitimate emails are personalized; phishing may use generic or strange greetings
  • Spelling & grammar — Phishing emails often contain errors
  • Urgency or threats — "Your account will be suspended" or "Immediate action required"
  • Hidden links — Hover over links to see the actual URL before clicking
  • Personal info requests — Legitimate organizations don't ask for passwords via email
  • Sender address — Check if the email address matches the sender's claimed identity

Common Phishing Scenarios for Researchers

  • Fake conference invitations — Impersonating legitimate conferences
  • Journal submission scams — Fake peer review requests or publication fees
  • Collaboration requests — Emails appearing to be from other institutions
  • IT impersonation — "Your mailbox is full" or "Verify your account"
  • Grant scams — Fake funding opportunities requesting information

How to Report Phishing at Lakehead

If you receive a phishing attempt, TSC wants to know about it. Follow these steps:

  1. Don't click any links or download attachments
  2. Download the email as .eml file: Click the "More" icon (⋮) beside Reply → Select Download message
  3. Send to TSC: Email the .eml file to spam@lakeheadu.ca
  4. Report in Gmail: Click the "More" icon (⋮) → Select Report phishing
  5. Delete the email after reporting

If you clicked a link or entered credentials, see Section 12: Incident Reporting immediately.

Spotting Phishing Websites

Phishing sites mimic legitimate websites. Look for these warning signs:

  • No HTTPS — Missing padlock icon or "https://" in address bar
  • Misspelled domain — "lakeheadu.ca" vs "lakehead-u.ca" or "lakeheadu.com"
  • Broken functionality — Links that don't work or go to different sites
  • Unusual requests — Asking for information the real site already has
  • Browser errors — Certificate warnings or loading errors

Tip: When in doubt, don't click links in emails. Instead, go directly to the website by typing the address in your browser.
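Several of the red flags listed above (sender address, urgency wording, hidden links, missing HTTPS, misspelled domains) can be checked automatically on a downloaded .eml file. This is an added example, not a TSC tool; the function names, the similarity threshold and the sample message are constructed for illustration, and the heuristics only cover the signs this page names.

```python
import difflib
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "lakeheadu.ca"  # the real domain named on the page
URGENCY = ("account will be suspended", "immediate action required",
           "mailbox is full", "verify your account")  # phrases quoted on the page
URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)

# Constructed sample message, not a real email; .example is a reserved TLD.
SAMPLE_EML = b"""\
From: "Lakehead TSC Helpdesk" <it-support@lakehead-u.example>
To: researcher@lakeheadu.ca
Subject: Immediate action required: your mailbox is full
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear user,</p>
<p>Your account will be suspended. Verify your account here:
<a href="http://lakehead-u.example/login">https://lakeheadu.ca/login</a></p>
</body></html>
"""


def is_trusted(host):
    host = host.lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def is_lookalike(host):
    """True for near-misses such as lakehead-u.ca or lakeheadu.com."""
    if not host or is_trusted(host):
        return False
    target = TRUSTED_DOMAIN.split(".")[0]  # "lakeheadu"
    return any(
        difflib.SequenceMatcher(None, label.replace("-", ""), target).ratio() >= 0.8
        for label in host.lower().split("."))


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_bytes):
    """Return the red flags found in one downloaded .eml message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flags = []
    name, addr = parseaddr(str(msg["From"]))
    sender_host = addr.rpartition("@")[2]
    if is_lookalike(sender_host):
        flags.append(f"sender domain imitates {TRUSTED_DOMAIN}: {sender_host}")
    if "lakehead" in name.lower() and not is_trusted(sender_host):
        flags.append("display name claims Lakehead but the address is external")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    text = f"{msg['Subject']} {body}".lower()
    flags += [f"urgency phrase: {p}" for p in URGENCY if p in text]

    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        host = urlparse(href).hostname or ""
        if urlparse(href).scheme != "https":
            flags.append(f"link is not HTTPS: {href}")
        if is_lookalike(host):
            flags.append(f"link domain imitates {TRUSTED_DOMAIN}: {host}")
        match = URLISH.match(shown)  # visible text that itself looks like a URL
        if match and host and match.group(1).lower() != host:
            flags.append(f"link text shows {match.group(1).lower()} but goes to {host}")
    return flags


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EML)))
```

An empty result does not mean a message is safe; the checks only mirror the warning signs listed on this page.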

Why 2FA Matters: With Two-Factor Authentication enabled, even if you enter your password on a phishing site, attackers can't access your account without your second factor.

For more information, visit the RCMP Canadian Anti-Fraud Centre.

11. USB & Unknown Devices

USB drives can carry malware that infects your computer the moment they're plugged in. Attackers deliberately leave infected drives in public places.

The Risk: A USB drive can execute malicious commands instantly or run malware automatically when connected. This attack is so effective that it's used by nation-state actors targeting researchers.

USB Safety Rules

  • Never plug in USB drives you find — In parking lots, conference venues, or anywhere
  • Be cautious with conference swag — Free USB drives may not be safe
  • Use your own trusted devices — Don't let them out of your control
  • Prefer cloud sharing — Use Google Drive or email instead of physical drives

12. Incident Reporting

If something goes wrong — or you think something might have — report it. Quick reporting allows TSC to contain damage, protect others, and help you recover.

The Rule: When in doubt, report. There's no penalty for reporting something that turns out to be nothing. There can be serious consequences for not reporting something real.

What Should Be Reported?

  • Clicked a suspicious link or opened a suspicious attachment
  • Entered credentials on a website you now suspect was fake
  • Lost or stolen device (laptop, phone, USB drive)
  • Unusual account activity — logins you don't recognize, emails you didn't send
  • Unexpected software or pop-ups
  • Accidentally shared sensitive data to wrong recipient
  • Anything that seems "off" — trust your instincts

How to Report

IT security incidents:

  • TSC Helpdesk: Contact TSC or submit a ticket
  • Phishing: Forward to spam@lakeheadu.ca

Research security concerns:

Research Security and Data Management Specialist

13. AI Tools & Data Leakage

AI tools like ChatGPT, Microsoft Copilot, Google Gemini, and Claude are increasingly used in research. However, these tools pose significant data security risks that researchers must understand.

Critical Warning: When you input data into most AI tools, that data may be stored on foreign servers, used to train future AI models, and potentially accessible to the service provider. Assume anything you put into an AI tool could become public.

What NOT to Put in AI Tools

  • Unpublished research data or findings — Your competitive advantage disappears if in a training dataset
  • Grant applications — Contains your research plans and institutional information
  • Human subjects data — Even "anonymized" data may be re-identifiable
  • Proprietary information from industry partners — May violate NDAs
  • Sensitive technology research — Anything in STRAC-designated areas
  • Student records or personal information — Violates FIPPA
  • Code containing credentials or API keys

The Data Sovereignty Problem

Most major AI tools process data on US servers. This creates issues with:

  • US legal jurisdiction — Data subject to US government access requests (CLOUD Act)
  • Grant compliance — Many federal grants require data to remain in Canada
  • Indigenous data governance — May prohibit foreign data processing
  • STRAC requirements — Sensitive technology research has strict protocols

Before Using Any AI Tool — Ask These Questions

  1. Would I post this on a public website? If not, don't put it in an AI tool.
  2. Does my grant have data residency requirements?
  3. Is this covered by an NDA or confidentiality agreement?
  4. Does this involve human subjects?
  5. Is this in a STRAC-designated sensitive technology area?
  6. Could this harm someone if it became public?

Safe Uses for AI Tools: General concepts, brainstorming without specifics, checking grammar on non-sensitive text, learning programming syntax. Treat them like a public conversation.

Questions about AI tool use? Contact the Research Security and Data Management Specialist for guidance.