The security risks for your data can vary depending on the form and nature of your data (e.g. raw data, processed data, video data, physical measurements). Therefore, it is recommended to carry out this data classification for every data asset described in your data management plan.
(How to Define Data Assets)
Privacy Risk Assessment
Which of the following best describes the data you are collecting (multiple answers possible)?
Directly identifying information, including:
Address, e-mail address
"Special" data, as defined by the GDPR, including:
Race or ethnicity
Religion, philosophy or other beliefs
NB: health-related data and physical measurements are addressed separately
Health-related data and physical measurements
What kind of health-related/physical data will be collected (multiple answers possible)?
Height, weight, waist circumference, body fat and other related measures
Cardiovascular measurements (e.g. blood pressure, heart rate, cardiac output, ECGs)
VU Ambulatory Monitoring System data (e.g. circadian rhythms, sleep-wake cycle, response to stressors)
Exercise capacity (e.g. VO2 Max)
Pulmonary function testing
Blood tests (levels of: glucose, cholesterol, fatty acids, vitamins, hormones etc.)
Neurological imaging (e.g. fMRI)
Other neurological testing (e.g. EEGs, facial cues, eye-tracking, reaction times)
Tongue positioning/non-nutritive sucking
Genetic risk factors for disease
Mental health, stress, well-being, self-efficacy, personality traits
History of mental or physical abuse
Known medical conditions/diagnoses
Medications (including herbals and supplements)
Illicit drug use
Academic performance/exam scores
Would it be possible to infer sensitive information (such as sexual preferences, religion, health status, political opinions, criminal activity) about an individual in any of the following ways: by combining the research data with publicly available data, by combining variables within the dataset(s) to find unique individuals, or through attribute disclosure? (Example of attribute disclosure: if a subset of participants with the same characteristics all have the same sensitive condition, such as HIV, it can be inferred that all participants in the dataset with those characteristics have HIV.)
If the data in question are leaked to the public, could this have a negative impact on the participant(s) (e.g. physical, mental, social or financial harm)?
No
Additional information:
Availability Risk Assessment
Integrity Risk Assessment
Confidentiality Risk Assessment