Skip to Main Content

Research Data Management

Make informed choices for research data. RDM, policy, practical guidelines, software and tools at VU Amsterdam. FAIR data, archiving, storage, publication

Data Classification

'Security' is often regarded as a fixed state. Therefore, people tend to think of security measures as fixed solutions in the form of technological measures. In reality, security is an assessment of the level of protection against a certain threat, that you consider to deal with that threat adequately enough. Whether or not security is accurate depends on the value of the data and the quality of protective measures.

The value of data or applications is established through classification in Confidentiality, Integrity and Availability (CIA) or in Dutch Beschikbaarheid, Integriteit en Vertrouwelijkheid (BIV).

Traditionally, this classification assesses the value of an entity (data or application) to an organisation. For research data, however, the value to the University is in all cases the same. The value of each research project is the same. Does that mean that there is not need to classify Research Data? Referring back to the definition of security, it is the assessment of the level of protection against a certain threat and its accuracy depends on the value of (in this case) data. The reason to classify Research Data is that there is a huge variety in the risks that can have in case of data loss or theft.

The reason that the Vrije Universiteit and its Reseachers need to classify data is to understand the variety in risk that exists in order to assess if security measures are accurate.

Data classification is about the level of sensitivity (low, medium or high) of your data assets so you can judge the risks to your research (group). This will help you when deciding what security and protection measures you need to take for handling the data or parts of the data.

Data classification criteria

In order to classify your data collection or data processing (in categories from low, to medium, or high), the following properties are considered.

  • Availability: what risks are associated with accessibility to data (i.e. how readily do the data need to be available for use and how damaging would it be to your research if data are lost), what measures should you take to prevent data loss?
  • Integrity: what do you do to prevent measurement or data entry errors, corruption of stored data or unauthorised changes to the stored data?
  • Confidentiality: how securely do data need to be managed to prevent sharing of data with unauthorised individuals? The necessity for confidentiality depends on the sensitivity of the information, either as sensitive personal information or confidential business information, as well as the vulnerability of the subjects from whom the data is collected and the laws that apply to the data being collected and analyzed. In some cases, confidentiality can be very high; when the confidentiality is high or very high, please contact the RDM Support Desk.

For all of these aspects, the damage impact should be considered, i.e. te risks to all parties involved (i.e. participants, but also the VU as an institute, the researchers, any collaborators etc. Untoward outcomes could be loss of privacy/secrecy, reputation damage, financial costs, fraud, mental, social or physical harm)

Examples of Highly classified data

Your data are classified as 'high' when you collect or process the following data:

  • personal data
  • state secrets
  • competitive corporate information
  • animal-testing data

Personal data

Do not confuse the risks of data loss with the need to comply to legal regulations. Data security is part of risk management and is aimed at balancing protection against productivity, investments against profit. The GDPR is European Law in the legal area of Human Rights and concerns the use of personal data. Personal data are a type of data that is commonly processed in many fields of scientific research. You collect or process personal data when the data can be linked to a unique individual, either directly through direct identifiers such as name, address, IP-address etc., or indirectly through a combination of information. Personal data need to be protected. More information about personal data, data protection and the European law on privacy, the General Data Protection Regulation (GDPR), can be found in the section GDPR & Privacy

 

Data Classification tool for researchers

To help you to determine the data classification for your research data assets, the VU has developed a tool that will help you to assess and classify the availability, integrity and confidentiality risks of these assets. Based on your results from using the tool, you may need to seek further advice from VU Security and Privacy Experts (see below). Some basic security tips were compiled by the data steward of the Faculty of Behavioural and Movement Sciences.

VU Security and Privacy experts

VU Security and Privacy experts can help you with the details on these aspects.

  • General questions about information security: RDM Support Desk. If you need advice when determining the data classification of your data assets, you can contact them.
  • Reporting a (potential) data breach: IT Servicedesk. A data breach is an incident in which the possibility exists that the confidentiality, integrity or availability of information or data processing systems has been potentially threatened, for example attempts to gain unauthorised access to information or systems (hacking), the loss of a USB stick with sensitive information, data theft of hardware.
  • Tailored advice or support: Relationship Managers at IT. Through the relationship managers researchers can request capacity at IT for setting up and/or assessing of information security plans or paragraphs. An information security plan is particularly important in projects with a complex infrastructure (e.g. international collaboration, use of various data sources and databases), tailored solutions and requirements from funding agencies or external partners. Please note: IT-capacity for tailored support is a paid service for which budget needs to be reserved.

Read more practical information about this below in the section Data Protection & Security, or the Support section on the GDPR information page.

Data Protection & Security

Where sensitive information is collected, the researcher must consider the following:

  • who has access to the data during the study, and how the data will be made available after publication
  • what security regimes apply to sensitive data, and how data are protected
  • how data access during and after the project will be managed
  • how to deal with sensitive information
  • whether informed consent is required and how the forms will be accessed and stored

On the VU Intranet information is available on Security, data loss and reporting incidents. Legal experts also can help you if you have questions about working with personal data and/or if you have to perform a Data Protection Impact Assessment. On the VU Intranet you can find more information about DPIAs at the VU. The data steward for the Faculty of Behavioural and Movement Sciences has also created a guide about data encryption.