In an effort to try to help prevent the exposure of sensitive data the University is moving on several fronts, including defining a new data classification policy:
https://isea.utoronto.ca/policies-procedures/standards/data-classification/
which will help people determine how sensitive their data is. There is a Draft FAQ at the bottom of that webpage which may answer some of your questions.
It is likely that access for research and/or administration to any personal health records as defined by PHIPA, the Personal Health Information Protection Act:
https://www.ontario.ca/laws/statute/04p03
will require some form of MFA (multi-factor authentication), likely a two-factor authentication, and the University has started the MFA application assessment. This will apply to any such data that is accessed or stored on departmental or faculty-owned systems.
If you do any research and/or administration that needs access to personal health records please let us know at requests@math.toronto.edu so that we will try to let you know more details when the new MFA policy is put into effect. Of course this IT Status site is a good resource for finding out about updates and you should check back here if this affects you.
