Examples of risks and how to mitigate them

On this page: risk example, safeguards, organisational and technical measures, protection, protective, security, data breach
Date of last review: 2023-04-18

Below you can find a list of common privacy and security risks in research and how you can mitigate them:

Unwarranted access to personal data

Someone tries to gain access to personal data

A previous team member still has access (e.g., a copy on their personal device, a working account)
Enforce a protocol in which team members who leave need to remove all their copies of the data and are denied access to the data and shared folders (on- and offboarding). Periodically review and update all users/rights. Make someone responsible for this process.

A team member shares the data with a third party
  • Put in place a protocol or non-disclosure agreement that makes team members aware that this is not allowed, or make sure that a data transfer agreement is in place.
  • Make sure that team members do not have access to data that they do not need access to.

A password is leaked
  • Use systems that apply multifactor authentication.
  • Change your password regularly or immediately when it is compromised, and have your team members do the same.

Back to top

Loss of personal data

A device is lost or defective (e.g., laptop, USB stick)
  • Protect the device with a password.
  • Encrypt the device or the data on it.
  • Delete unnecessary copies of the data on the device as soon as you’ve made a back-up on a more stable and secure system, such as university-managed storage facilities.
  • Enable removing data from the device from a distance.

Paper data are lost
  • Avoid collecting data on paper altogether, or only collect the necessary information.
  • Store the paper data in a central and access-controlled location, scan the documents as soon as possible, store the scans on a backed-up storage medium and destroy the paper records (securely).

The dataset is deleted accidentally
Use a storage system that has back-up functionality, or if not available, make regular manual back-ups of the data.

A system error causes temporary loss of or access to data
  • If you are not using centrally managed IT solutions, regularly check if back-ups are being done as expected and have protocols in place on how to restore back-ups.
  • If the time-out takes a significant amount of time, discuss with your privacy officer whether you need to inform data subjects about it: they cannot exercise their rights during that time.

The organisation is hit by a ransomware attack
Enforce a security protocol that emphasises secure data practices, such as:
  • Do not download data from unknown sources.
  • Be careful when installing software, preferably only install software from the institutional software catalogue.
  • Create awareness of what phishing looks like and to report phishing immediately to the Computer Emergency Response Team.

Back to top

Unintended collection of personal data

Data subjects give more, or more sensitive information about themselves than intended/needed
  • Offer data subjects the possibility to review what information they provided.
  • Offer the possibility to withdraw consent in a later stage.
  • Use a data collection protocol to prevent this from taking place.
  • Remove the unnecessary information from your dataset.

Data subjects give (sensitive) information about others
  • Use a data collection protocol to prevent this from taking place.
  • Offer data subjects the possibility to review what information they provided.
  • Remove the unnecessary information from your dataset.
  • Consider the risks for those others vs. your own research benefits: if the interests for the other people are more important, you should delete or anonymise the information.

Personal data are collected unintendedly
This can happen when a survey tool automatically collects additional data such as IP addresses. You can sometimes turn this off, and otherwise must remove the data as soon as possible after collection.

Back to top

Risks for data subjects

Your research has a stigmatising effect on the data subjects due to incorrect, unclear or opaque selection criteria
Describe clearly how the data subjects are selected.

Due to a small sample size, data subjects are easily identifiable
If you cannot increase the sample size, put in place protection measures to protect the identity of the data subjects.

Data subjects put themselves in harm’s way by participating
  • Balance the interests of the data subjects vs. those of your research project and go through ethical review.
  • Collect the data in a physically safe location.
  • Put in place protection measures like anonymisation, minimisation, blurring, etc. to hide and protect the identity of the data subjects.
  • Clearly inform data subjects what their participation entails and obtain their explicit consent.
  • If applicable, inform local authorities and obtain formal permission to perform your research.

Back to top