'Security' is often regarded as a fixed state. Therefore, people tend to think of security measures as fixed solutions in the form of technological measures. In reality, security is an assessment: the level of protection against a certain threat that you consider adequate to deal with that threat. Whether or not security is accurate depends on the value of the data and the quality of the protective measures.
The value of data or applications is established through classification in terms of Confidentiality, Integrity and Availability (CIA), or in Dutch Beschikbaarheid, Integriteit en Vertrouwelijkheid (BIV).
Traditionally, this classification assesses the value of an entity (data or application) to an organisation. For research data, however, the value to the University is in all cases the same: the value of each research project is the same. Does that mean that there is no need to classify Research Data? Referring back to the definition of security, it is the assessment of the level of protection against a certain threat, and its accuracy depends on the value of (in this case) the data. The reason to classify Research Data is that there is a huge variety in the risks that can arise in case of data loss or theft.
The reason that the Vrije Universiteit and its Researchers need to classify data is to understand the variety in risk that exists, in order to assess whether security measures are accurate.
Data classification is about the level of sensitivity (low, medium or high) of your data assets so you can judge the risks to your research (group). This will help you when deciding what security and protection measures you need to take for handling the data or parts of the data.
In order to classify your data collection or data processing (in categories from low, to medium, or high), the following properties are considered.
For all of these aspects, the damage impact should be considered, i.e. the risks to all parties involved (participants, but also the VU as an institute, the researchers, any collaborators, etc.). Untoward outcomes could be loss of privacy/secrecy, reputation damage, financial costs, fraud, or mental, social or physical harm.
Your data are classified as 'high' when you collect or process the following data:
Please do not confuse the risks of data loss with the need to comply with legal regulations. Data security is part of risk management and is aimed at balancing protection against productivity, and investments against profit. The GDPR is European Law in the legal area of Human Rights and concerns the use of personal data. Personal data are a type of data that is commonly processed in many fields of scientific research. You collect or process personal data when the data can be linked to a unique individual, either directly through direct identifiers such as name, address, IP-address etc., or indirectly through a combination of information. Personal data need to be protected. More information about personal data, data protection and the European law on privacy, the General Data Protection Regulation (GDPR), can be found in the section GDPR & Privacy.
Data Classification tool for researchers
To help you to determine the data classification for your research data assets, the VU has developed a tool that will help you to assess and classify the availability, integrity and confidentiality risks of these assets. Based on your results from using the tool, you may need to seek further advice from VU Security and Privacy Experts (see below).
VU Security and Privacy experts
VU Security and Privacy experts can help you with the details on these aspects.
Read more practical information about this below in the section Data Protection & Security, or the Support section on the GDPR information page.
Where sensitive information is collected, the researcher must consider the following:
On the VU Intranet, information is available on Security, data loss and reporting incidents. This includes information on two legal experts who can be contacted when starting a research project that involves sensitive data. The experts can also help perform a Privacy Impact Assessment (general information about PIA). On the VU Intranet you can find more information about PIAs at the VU. The VU Intranet also provides information about data encryption.