
Data Classification For Your Research Data: Risk Calculation (beta version)

This tool is intended as a quick scan of 4 main security aspects. You can check any of the security aspects separately to get an idea of possible risks related to your research. If the outcome is a medium or high risk level, you are advised to contact the RDM Support Desk.

The security risks for your data can vary depending on the form and nature of your data (e.g. raw data, processed data, video data, physical measurements). Therefore, it is recommended to carry out this data classification for every data asset described in your data management plan.

Data asset

(How to Define Data Assets)

Do you collect data from human subjects?

Privacy Risk Assessment

How would you describe your participants (multiple answers possible)?

Is the nature of the research something where pregnant women may be judged on their behaviours/health-status, e.g. smoking during pregnancy?

namely: contact your privacy champion for advice

Which of the following best describes the data you are collecting (multiple answers possible)?

NB: health-related data and physical measurements are addressed separately

What kind of health-related/physical data will be collected (multiple answers possible)?

What kind of experimental data will be collected (multiple answers possible)?

Are audiovisual recordings made of the observation?

Could the subject matter addressed in the audiovisual data be considered sensitive (i.e. if a person’s answers were made known to others, could it harm the individual)?

Can the participant be directly identified in the audiovisual recording (i.e. names are stated, faces are recorded etc.)?

Could topics addressed in the questionnaire be considered sensitive (i.e. if a person’s answers were made known to others, could it harm the individual)?

Does the questionnaire collect special types of data (health-related, race/ethnicity, religion/philosophies, sexual preferences, criminal history, union memberships, political opinions) or socio-economic information?

Are there open text fields in the questionnaire?

Is the interview recorded on an audiovisual medium?

Could the subject matter addressed in the audiovisual data be considered sensitive (i.e. if a person’s answers were made known to others, could it harm the individual)?

Would it be possible to infer sensitive information (such as sexual preferences, religion, health status, political opinions, criminal activity) about an individual by combining the research data with publicly available data, or by combining variables within the dataset(s) to find unique individuals, or through attribute disclosure (e.g. if a subset of participants with the same characteristics all have the same sensitive condition, such as HIV, it can be inferred that all participants in the dataset with those characteristics have HIV)?

If the data in question are leaked to the public, could this have a negative impact on the participant(s) (e.g. physical, mental, social or financial harm)?

Additional information:

Availability Risk Assessment

How readily do your data need to be available to you or your research team?

How long would data need to be unavailable for your research project to suffer serious harm (i.e. not just minor inconveniences)?

Examples of harm include:
  • inability to move forward with the research project;
  • inability to provide data to a third party or grant provider;
  • breach of contract/legal requirements, such as contractual or legal requirements to share data;
  • reputational damage to the researcher(s) and the VU, e.g. inability to provide data upon request can lead to retraction of research articles;
  • inability of temporary staff, such as PhD candidates, to complete work in a timely manner, which could damage their professional development;
  • financial costs due to delays

Additional information:

Are there specific situations where access to the data absolutely MUST NOT be lost? (e.g. during long computations or during scheduled batch processing)

Additional information:

How severely would the research project be harmed if the data are lost? Consider the worst possible scenario, i.e. at the start of data collection, data loss may not be a major issue, but loss of the data is most definitely an issue once data collection is complete.

Additional information:

How long will the data need to be stored and maintained?

Additional information:

Integrity Risk Assessment

Do multiple users need to be able to access, utilize and/or edit the data simultaneously, thereby increasing the risk of data corruption and/or unauthorized changes?

In what way do the multiple users need to be able to access the data?

How many users need to access, utilize and/or edit the data on a regular basis?

Additional information:

Have measures to account for data entry error, data cleaning, measurement error, bias and so forth already been addressed in your data management plan and/or research proposal?

Pro-tip: write a data management plan and make sure to describe how you will address these issues

Additional information:

How severe would the impact on your research be if data become corrupted during storage or unauthorized changes are made to the data after collection?

Examples of harm include:
  • incorrect research conclusions that result in retractions of published articles, reputational damage and/or erroneous influence on public policy and future research;
  • financial impact and delay of completion of the research project due to time required to correct the corruption or unauthorized changes

Additional information:

If data become corrupted in storage or unauthorized changes are made after collection, could this have a negative impact on your research participants (e.g. inappropriate questions are posed in a follow-up questionnaire; participants need to be contacted repeatedly to correct mistakes etc.)?

Additional information:

Confidentiality Risk Assessment

Note that confidentiality risks relate to your and your research team's obligations to keep your data confidential. This applies whether or not you are working with data from human subjects and may relate to legal, ethical and/or contractual obligations.

If the data in question are not kept confidential, how severely would the VU’s reputation be harmed?

Examples of reputational harm include:
  • loss of public trust;
  • loss of trust from external partners; damage to third party relationships;
  • reputational damage to individual researchers

Additional information:

If the data in question are not kept confidential, how severe would the legal and/or contractual liabilities be for the VU (e.g. fines, legal action by third party partners)?

Additional information: