
This document will cover:

  1. Access to the Tableau Reporting Portal at your Organization
  2. Managing User Accounts at your Organization
  3. Responsibilities in accordance with the Personal Health Information Protection Act (PHIPA)
    1. For organizations
    2. For individuals




1. Access to the Tableau Reporting Portal at Your Organization

To ensure the security and appropriate use of Tableau, access to your organization's data should be limited to individuals who:

  • Require access to fulfill their job responsibilities.
  • Understand their role in protecting sensitive information, particularly personal health information (PHI).
  • Have been trained in privacy, data security, and confidentiality policies.
  • Hold the necessary authorization to view data in Tableau.

It is recommended that organizations consider these criteria when setting up Tableau account users and implement organization-wide policies and practices accordingly.

 Some helpful practices for organizations include:

  • Designate key roles (e.g., managers, data analysts, decision-support specialists) for access.
  • Determine what each Tableau user requires access to based on user needs.
  • Conduct a periodic review of active Tableau users to ensure access is still appropriate.




2. Managing User Accounts at Your Organization

Creating a process for onboarding and offboarding users is critical to ensure efficiency at the organization and minimize the risk of leaving former employees with active access. This will be supported by DATIS-CAMH through training and documentation supports (link here).

Adding New Users:

  • Ensure all new Tableau users complete necessary privacy and governance training, as provided by your respective organization.
  • Document and track new user accounts, including their assigned roles and permissions.

Updating User Roles:

  • Regularly review each user’s permissions to ensure they align with current job responsibilities.
  • Restrict or modify access promptly when a user’s role changes.

Removing Users:

  • When an employee leaves or no longer requires Tableau access:
    • Notify the DATIS-CAMH team of the change immediately so that their account can be disabled.

 Organizations may find it helpful to assign a designated Tableau Administrator within the organization to oversee user management and coordinate account changes with DATIS-CAMH. 




3. Responsibilities in accordance with the Personal Health Information Protection Act (PHIPA)

(a) For organizations 

The use of Tableau is governed by the organization's policies and practices regarding privacy and consent. Additionally, each organization has established agreements with DATIS-CAMH that outline data usage and ensure compliance with PHIPA regulations. Organizations granted access to Tableau are responsible for implementing measures to safeguard the confidentiality, integrity, and security of the data in alignment with these privacy agreements.

The following rules should be applied:

Limiting Access:

  • Only authorized staff should view or handle PHI.
  • PHIPA’s ‘need to know’ principle means that access should be limited to the minimum necessary information.
  • Therefore, access must be role-based and restricted to what is necessary for the user’s work.

Reporting Breaches:

  • Notify your internal privacy officer and DATIS-CAMH immediately if you suspect any misuse or breach of PHI.
  • The organization should conduct a comprehensive privacy investigation that consists of containing the breach, evaluating risks, and taking steps to prevent future breaches.
    • In the event of a suspected or confirmed privacy breach involving PHI, please provide the following information to DATIS-CAMH: a detailed description of the incident (including date, time, and nature of the breach), the type and scope of data affected, individuals involved, a risk assessment of potential impacts, actions taken to mitigate the breach, any supporting evidence or documentation, and relevant contact details for follow-up.

Training and Awareness:

  • Individuals granted access to Tableau must fulfill their organization's training requirements, including the completion of mandatory privacy training programs.

It is advisable that organizations review their privacy policies and ensure alignment with PHIPA with respect to Tableau account governance and usage.

Organizations may also place particular focus, during training for Tableau users, on recognizing and mitigating risks to privacy. Users at various levels must be trained and equipped with the tools to respond to privacy breaches with expediency.


(b) For individuals

Tableau users play an active role in upholding PHIPA legislation. Each individual must adhere to their organization's data governance policies and protocols. By implementing the following best practices alongside organizational guidelines, users can actively contribute to safeguarding the security and confidentiality of PHI.

Protect Login Credentials:

  • Do not share Tableau usernames or passwords.
  • Use strong, unique passwords.

Monitor Data Use and Secure Workstations:

  • Ensure Tableau is accessed only on authorized, secure devices.
  • Never leave Tableau open on your screen or walk away from your computer without securing it.
  • Always lock your computer screen if stepping away from your workstation. 

  Staff may find it helpful to participate in regular privacy and security refresher training to stay updated on best practices.