On January 26, 2023, the Office of the Vice Principal Research became aware of a systemic default in the acQuire procurement system, which created the possibility of exposing the personal information (names, addresses, phone numbers, and payment amounts) of research participants to individuals with Approver status in acQuire. When the potential exposure was identified, Procurement moved quickly to understand and resolve the issue system-wide.
acQuire is a financial procurement system used to pay suppliers. Some departments have also used this platform to process compensation payments for research participants. An investigation determined that because of specific system settings, Approvers in any given department could have had access to view other transaction details processed in acQuire within the same department. Details included payment amounts, names, phone numbers and addresses of payees, and the identity of the Approver with originating ownership of the payment. Procurement has determined that at least 11 departments have paid research participants using acQuire over approximately six years. These units are being notified, and the University will support departments and principal investigators as required to address the situation.
The immediate initial fix described above prevented other Approvers from being able to make direct links between payees and principal investigators but did not remove access to names and addresses of these payees. Access to acQuire was suspended while the University worked with its software vendor to ensure access to all research participant information is entirely restricted.
In addition, changes are being made to the process used to compensate research participants to avoid this risk in the future. Process changes will be made in consultation with the research community.
There is no way to fully ascertain if another Approver within a department or other acQuire users did or did not view this information. However, we do understand that the ability to access this data could damage the trust between the University, its research participants and research partners, which include Indigenous and vulnerable communities. To date, there is no evidence that any research participant’s personal information was viewed or misused. Nevertheless, the potential exposure is being taken very seriously and managed expediently.
Upon learning of the potential for exposure of personal information, the University informed the Research Ethics Boards (General Research Ethics Board (GREB) and Health Sciences Research Ethics Board (HSREB)) and the Canadian Institutes of Health Research (CIHR), and the University will continue to work with them as we identify and reconcile any potential harms that may have been caused. Although Queen's employees are bound to protect information in internal accounting systems, we want to provide higher levels of confidentiality and privacy for our research participants and are seeking alternatives. To that end, work to actively evaluate best practices to compensate research participants continues and will include consultation with the broader research community, including research ethics boards.
If you have any questions, do not hesitate to get in touch with Steven Smith, Deputy Vice-Principal of Research, or myself.
Sincerely yours,
Nancy A. Ross, PhD
Vice-Principal Research
Professor, Department of Public Health Sciences