This document will cover:
- Access to Tableau at your Organization
- Managing User Accounts at your Organization
- Responsibilities in accordance with Personal Health Information Protection Act (PHIPA)
  - For organizations
  - For individuals
1. Access to Tableau at Your Organization
To ensure the security and appropriate use of Tableau, access should be limited to individuals who:
- Require access to fulfill their job responsibilities related to data analysis, reporting, or decision-making.
- Understand their role in protecting sensitive information, particularly personal health information (PHI).
- Have been trained in privacy, data security, and confidentiality policies.
- Hold the necessary authorization to view, use, or manage reports and data in Tableau.
It is recommended that organizations consider these criteria when setting up Tableau account users and implement organization-wide policies and practices accordingly.
Some helpful practices for organizations include:
- Designate key roles (e.g., managers, data analysts, decision-support specialists) that require access.
- Determine what each Tableau user requires access to, based on the needs of their role.
- Avoid granting access to casual, temporary, or untrained staff.
- Conduct a periodic review of active Tableau users to ensure access is still appropriate.
2. Managing User Accounts at Your Organization
Creating a process for onboarding and offboarding users is critical to ensure efficiency at the organization and to minimize the risk of former employees retaining active access. DATIS will support this through training and documentation (link here).
Adding New Users:
- Ensure all new Tableau users complete necessary privacy and governance training, as provided by your respective organization.
- Document and track new user accounts, including their assigned roles and permissions.
Updating User Roles:
- Regularly review each user’s permissions to ensure they align with current job responsibilities.
- Restrict or modify access promptly when a user’s role changes.
Removing Users:
- When an employee leaves or no longer requires Tableau access:
  - Disable their account immediately.
  - Notify your internal administrator or the DATIS team of the change.
Organizations may find it helpful to assign a designated Tableau Administrator within the organization to oversee user management and coordinate account changes with DATIS.
3. Responsibilities in accordance with Personal Health Information Protection Act (PHIPA)
(a) For organizations
The use of Tableau is governed by the organization's policies and practices regarding privacy and consent. Therefore, organizations should reference their privacy policies to ensure that dashboard sharing within or outside the organization is secure and follows approved pathways.
Organizations receiving access to Tableau are responsible for setting rules to maintain the confidentiality, integrity and security of the data in accordance with PHIPA legislation. The following rules should be applied.
Limiting Access:
- Only authorized staff should view or handle PHI.
- PHIPA’s ‘need to know’ principle means that access should be limited to the minimum necessary information.
- Access must therefore be role-based and restricted to what is necessary for the user’s work.
Reporting Breaches:
- Notify your internal privacy officer and DATIS immediately if you suspect any misuse or breach of PHI.
- The organization should conduct a comprehensive privacy investigation that contains the breach, evaluates the risks, and takes steps to prevent future breaches.
Training and Awareness:
- Individuals with access to Tableau must be trained on PHIPA rules.
- It is important that organizations cultivate a practical understanding of how data visualization and management in Tableau intersect with privacy requirements.
It is advisable that organizations review their privacy policies and ensure alignment with PHIPA with respect to Tableau account governance and usage.
Organizations may also wish to focus training for Tableau users specifically on recognizing and mitigating risks to privacy. Users at various levels must be trained and equipped with the tools to respond to privacy breaches promptly.
(b) For individuals
Tableau users play an active role in upholding PHIPA legislation. By following the best practices below in addition to organizational policies, Tableau users can help maintain the security and confidentiality of PHI.
Protect Login Credentials:
- Do not share Tableau usernames or passwords.
- Use strong, unique passwords.
Follow Data Governance Policies:
- Use Tableau reports strictly for authorized purposes.
- Do not alter or misuse data in a way that violates privacy and consent agreements.
- Avoid copying, exporting, or printing data unless necessary and approved. Never download or share reports containing PHI outside of approved organizational processes.
Monitor Data Use and Secure Workstations:
- Ensure Tableau is accessed only on authorized, secure devices.
- Never leave Tableau open on your screen or walk away from your computer without securing it.
- Always lock your computer screen or log out of Tableau if stepping away from your workstation.
Respect Organizational Protocols:
- Notify your Tableau administrator of any issues or changes needed to your account.
- Report any suspicious activity or potential security breaches immediately.
- Ensure shared data is anonymized unless explicit permission is granted to include identifiable information.
Staff may find it helpful to participate in regular privacy and security refresher training to stay updated on best practices.