This document will cover:
- Access to the Tableau Reporting Portal at your Organization
- Managing User Accounts at your Organization
- Responsibilities in accordance with Personal Health Information Protection Act (PHIPA)
- For organizations
- For individuals
...
1. Access to the Tableau Reporting Portal at Your Organization
To ensure the security and appropriate use of Tableau, access to your organization's data should be limited to individuals who:
- Require access to fulfill their job responsibilities related to data analysis, reporting, or decision-making.
- Understand their role in protecting sensitive information, particularly personal health information (PHI).
- Have been trained in privacy, data security, and confidentiality policies.
- Hold the necessary authorization to view, use, or manage reports and to view data in Tableau.
It is recommended that organizations consider these criteria when setting up Tableau account users and implement organization-wide policies and practices accordingly.
...
- Designate key roles (e.g., managers, data analysts, decision-support specialists) for access
- Determine what each Tableau user requires access to based on user needs.
- Avoid granting access to casual, temporary, or untrained staff.
- Conduct a periodic review of active Tableau users to ensure access is still appropriate.
...
Creating a process for onboarding and offboarding users is critical to ensure efficiency at the organization and minimize the risk of leaving former employees with active access. This will be supported by DATIS-CAMH through training and documentation supports (link here).
...
- When an employee leaves or no longer requires Tableau access: Disable their account immediately.
- Notify your internal administrator or the DATIS-CAMH team of the change immediately to disable their account.
Organizations may find it helpful to assign a designated Tableau Administrator within the organization to oversee user management and coordinate account changes with DATIS-CAMH.
...
3. Responsibilities in accordance with Personal Health Information Protection Act (PHIPA)
(a) For organizations
Access to and usage of data in Tableau are governed by the organization's policies and practices regarding privacy and consent. Therefore, organizations should reference their privacy policies to ensure that dashboard sharing within or outside the organization is secure and follows approved pathways. Additionally, each organization has established agreements with DATIS-CAMH that outline data usage and ensure compliance with PHIPA regulations. Organizations granted access to Tableau are responsible for implementing measures to safeguard the confidentiality, integrity, and security of the data in alignment with these privacy agreements and in accordance with PHIPA legislation. The following rules should be applied:
Limiting Access:
- Only authorized staff should view or handle PHI.
- PHIPA’s ‘need to know’ principle means that access should be limited to the minimum necessary information.
- Therefore, access must be role-based and restricted to what is necessary for the user’s work.
...
- Notify your internal privacy officer and DATIS-CAMH immediately if you suspect any misuse or breach of PHI.
- A comprehensive privacy investigation should be conducted by the organization that consists of containing the breach, evaluating risks, and taking steps to prevent future breaches.
In the event of a suspected or confirmed privacy breach involving PHI, please provide the following information to DATIS-CAMH: a detailed description of the incident (including date, time, and nature of the breach), the type and scope of data affected, individuals involved, a risk assessment of potential impacts, actions taken to mitigate the breach, any supporting evidence or documentation, and relevant contact details for follow-up.
Training and Awareness:
- Individuals granted access to Tableau must be trained on PHIPA rules and fulfill their organization's training requirements, including the completion of mandatory privacy training programs. It is important that organizations cultivate a practical understanding of how data visualization and management in Tableau intersects with privacy requirements.
It is advisable that organizations review their privacy policies and ensure alignment with PHIPA with respect to Tableau account governance and usage.
...
Tableau users play an active role in upholding PHIPA legislation. Each individual must adhere to their organization's data governance policies and protocols. By implementing the following best practices alongside organizational guidelines, Tableau users actively contribute to safeguarding the security and confidentiality of PHI.
...
- Do not share Tableau usernames or passwords.
- Use strong, unique passwords.
Follow Data Governance Policies:
- Use Tableau reports strictly for authorized purposes.
- Do not alter or misuse data in a way that violates privacy and consent agreements.
- Avoid copying, exporting, or printing data unless necessary and approved. Never download or share reports containing PHI outside of approved organizational processes.
Monitor Data Use and Secure Workstations:
- Ensure Tableau is accessed only on authorized, secure devices.
- Never leave Tableau open on your screen or walk away from your computer without securing it.
- Always lock your computer screen or log out of Tableau if stepping away from your workstation.
Respect Organizational Protocols:
- Notify your Tableau administrator of any issues or changes needed to your account.
- Report any suspicious activity or potential security breaches immediately.
- Ensure shared data is anonymized unless explicit permission is granted to include identifiable information.
Staff may find it helpful to participate in regular privacy and security refresher training to stay updated on best practices.
...