Examples of risks and how to mitigate them

On this page: risk example, safeguards, organisational and technical measures, protection, protective, security, data breach
Date of last review: 2023-04-18

Below you can find a list of common privacy and security risks in research and how you can mitigate them:

Unwarranted access to personal data

Someone tries to gain access to personal data

Use storage and analysis systems that are suitable for your data classification, e.g., systems that are managed by your institute and/or encrypted.
Apply protection strategies described here.

A previous team member still has access (e.g., a copy on their personal device, a working account)

Enforce a protocol in which team members who leave need to remove all their copies of the data and are denied access to the data and shared folders (on- and offboarding). Periodically review and update all users/rights. Make someone responsible for this process.

A team member shares the data with a third party

Put in place a protocol or non-disclosure agreement that makes team members aware that this is not allowed, or make sure that a data transfer agreement is in place.
Make sure that team members do not have access to data that they do not need access to.

A password is leaked

Use systems that apply multifactor authentication.
Change your password regularly or immediately when it is compromised, and have your team members do the same.

Loss of personal data

A device is lost or defective (e.g., laptop, USB stick)

Protect the device with a password.
Encrypt the device or the data on it.
Delete unnecessary copies of the data on the device as soon as you’ve made a back-up on a more stable and secure system, such as university-managed storage facilities.
Enable removing data from the device from a distance.

Paper data are lost

Avoid collecting data on paper altogether, or only collect the necessary information.
Store the paper data in a central and access-controlled location, scan the documents as soon as possible, store the scans on a backed-up storage medium and destroy the paper records (securely).

The dataset is deleted accidentally

Use a storage system that has back-up functionality, or if not available, make regular manual back-ups of the data.

A system error causes temporary loss of or access to data

If you are not using centrally managed IT solutions, regularly check if back-ups are being done as expected and have protocols in place on how to restore back-ups.
If the time-out takes a significant amount of time, discuss with your privacy officer whether you need to inform data subjects about it: they cannot exercise their rights during that time.

The organisation is hit by a ransomware attack

Enforce a security protocol that emphasises secure data practices, such as:

Do not download data from unknown sources.
Be careful when installing software, preferably only install software from the institutional software catalogue.
Create awareness of what phishing looks like and to report phishing immediately to the Computer Emergency Response Team.

Unintended collection of personal data

Data subjects give more, or more sensitive information about themselves than intended/needed

Offer data subjects the possibility to review what information they provided.
Offer the possibility to withdraw consent in a later stage.
Use a data collection protocol to prevent this from taking place.
Remove the unnecessary information from your dataset.

Data subjects give (sensitive) information about others

Use a data collection protocol to prevent this from taking place.
Offer data subjects the possibility to review what information they provided.
Remove the unnecessary information from your dataset.
Consider the risks for those others vs. your own research benefits: if the interests for the other people are more important, you should delete or anonymise the information.

Personal data are collected unintendedly

This can happen when a survey tool automatically collects additional data such as IP addresses. You can sometimes turn this off, and otherwise must remove the data as soon as possible after collection.

Invalid legal basis

Data subjects were not informed in a way that is understandable for them

This can be a risk with vulnerable subjects, such as children or psychiatric patients but also with data subjects from different cultures. Make sure the information to data subjects is easy to understand, consider other forms than text (e.g., orally). You could even test this with a sub-group of data subjects. Moreover, we recommend going through an ethical review to consider these aspects more in-depth.

Data subjects could not be (fully) informed because it would harm your research project

If fully informing data subjects can negatively affect your research project (art. 14(5)), we recommend going through ethical review and extensively debriefing data subjects after your project, including a possibility to withdraw consent or to object to the processing. In case of secretive research (heimelijk onderzoek), please contact your privacy officer: this requires an in-depth privacy scan.

Data subjects do not know that their data are used for research

This can happen for example in web scraping or archival research. In principle, you need to inform the data subjects directly. If this takes an unreasonable amount of effort, place a link to a privacy statement on a place that those data subjects likely visit (e.g., social media). Point at a possibility to object to your processing.

Consent cannot be demonstrated

Use a system that registers the consent (e.g., a survey tool, an interview recording), preferably with the date of providing consent. If your research involves a survey, make sure data subjects cannot enter the survey itself if they have not ticked the “consent” box(es). Store the consent declarations for as long as you retain the personal data. Do so securely, but separated from the research data.

Data subjects do not want to sign a consent form

Consider whether you actually need a signature. If you do not use real names or a pseudonym unconnected to real names, using a signature would lead to the unnecessary processing of personal data, and a checkbox will likely suffice.
Contact your privacy officer to consider using public interest as a legal basis instead of consent. Note that data subjects still need to be informed properly.
If you have to use consent, consider the format of consent: for some groups oral consent may work better than written consent.

Consent may not be freely given because you do research in your own organisation

Consider whether you can rely on public interest instead of consent: contact your privacy officer for assistance.
If you need to use consent, try to distance yourself from the data subjects. For example, if your data subjects are students, have someone other than the teacher perform the data collection and/or analysis, or investigate a department other than your own, and prevent the management of the department of interest from getting involved in your project.

Risks for data subjects

Your research has a stigmatising effect on the data subjects due to incorrect, unclear or opaque selection criteria

Describe clearly how the data subjects are selected.

Due to a small sample size, data subjects are easily identifiable

If you cannot increase the sample size, put in place protection measures to protect the identity of the data subjects.

Data subjects put themselves in harm’s way by participating

Balance the interests of the data subjects vs. those of your research project and go through ethical review.
Collect the data in a physically safe location.
Put in place protection measures like anonymisation, minimisation, blurring, etc. to hide and protect the identity of the data subjects.
Clearly inform data subjects what their participation entails and obtain their explicit consent.
If applicable, inform local authorities and obtain formal permission to perform your research.