Risk assessment of research projects with personal data

This page provides guidance on how to assess risks in research projects with personal data at NTNU.

Prior to processing personal data, the project manager is obliged to perform a risk assessment to ensure the rights of the data subjects. Key factors in the risk assessment include the scope of the project, the degree of confidentiality of the information, the environment in which the information is processed and stored, and the duration of the project.

Norwegian version: Risikovurdering av forskningsprosjekter med personopplysninger

Template for risk assessment of research projects with personal data

A specific template has been prepared for risk assessments of research projects at NTNU. The template is a spreadsheet with three tabs. Guidance can be found in a separate tab and can also be downloaded in PDF format.

Note that the template is a starting point that can - and should - be adapted to the specific project. A master's project with few informants will, for example, have different and fewer risk factors than a larger research project with project members from several institutions. It is therefore important to use the template to assess relevant risks and plan feasible measures.

  Template for risk assessment of research projects (xlsx file)

Are you a student? Here you will find a simplified ROS (risk and vulnerability analysis) template that you can use for student projects (xlsx file).

Note: Health research projects have additional requirements; see Plan and implement a health research project.

What is a risk assessment?

At its core, a risk assessment consists of three questions:

  • What can go wrong?
  • What can we do to prevent it?
  • What can we do to reduce the consequences if this happens?

Risk is often described as the product of probability and consequence, stated as numerical values on a scale. Often the risk level is also presented based on a color scale, where green denotes low risk, yellow is moderate, and red is high.

Conducting a risk assessment

The project manager is responsible for carrying out a risk assessment, but it can be advantageous to involve several people in the work. For student projects, the supervisor is responsible for conducting a risk assessment together with the student.

Outline data flows

It can be useful to start by outlining the data flow for the entire project. How is data collected, how is it transferred, where is it stored, where is it processed, who will have access in the various phases, and what happens to the data when the project is finished?

What can go wrong?

Next, it is important to identify what can go wrong in each individual step. An example could be personal data stored on external devices (dictaphone, memory stick, local hard drive, etc.) that is misplaced or lost. Besides the loss of important data material if there are no copies, personal data that is not kept confidential can be a major burden for the informants.

Assess consequences

A risk assessment in relation to personal data should consider:

  • the consequences for the data subjects, i.e. the individual persons the information is about;
  • the consequences for the project itself (for example, if access to the data material is lost or there is a breach of GDPR);
  • the consequences for NTNU as an institution (for example, loss of reputation or economic loss due to fines).

The consequences and their severity depend, among other things, on the number of people included, how much information is collected, and how confidential the material is - special categories of personal data (sometimes called 'sensitive data') usually carry a higher risk.

Assess relevant protective measures

NTNU has measures in place to prevent unwanted incidents, for example NTNU's guidelines for collecting personal data in research and Policy for information security.

In addition, there are recommended tools for collecting and storing personal data.

Established measures are of little help if the project participants do not know about them or how to implement them in practice. Relevant measures in research projects can therefore include ensuring that all project participants are familiar with NTNU's guidelines, using NTNU's infrastructure and services for collection and storage where possible, and establishing good routines for securing, sharing and deleting data.

The risk assessment should be reviewed at regular intervals and updated to reflect any changes in the project.

Residual risk and risk acceptance

It is not possible to eliminate all risk in a research project. Occasionally, the project will end up in the yellow risk category, even after implementing measures. It must then be evaluated whether new measures should be implemented, or whether the risk can be accepted. This must be discussed for each individual project, and with the department management if there is a high level of residual risk.
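As an added illustration of the probability × consequence model and colour scale described under "What is a risk assessment?", and of the residual-risk decision described above, the following small risk register is example code written for this page; it is not NTNU's spreadsheet template. The 1 to 5 scales, the colour thresholds, the function names and the sample risks are all assumptions chosen for illustration; the sample risks are constructed from the page's own examples (lost external device, missing copies, sharing between institutions).

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed 1..5 scales and colour thresholds (illustration only; NTNU's
# template defines its own scale and bands).
SCALE_MIN, SCALE_MAX = 1, 5
GREEN_MAX, YELLOW_MAX = 5, 12   # score <= 5 green, <= 12 yellow, else red


def risk_score(probability: int, consequence: int) -> int:
    """Risk as the product of probability and consequence."""
    for v in (probability, consequence):
        if not SCALE_MIN <= v <= SCALE_MAX:
            raise ValueError(f"value {v} outside scale {SCALE_MIN}-{SCALE_MAX}")
    return probability * consequence


def risk_level(score: int) -> str:
    """Map a numeric score onto the green/yellow/red colour scale."""
    if score <= GREEN_MAX:
        return "green"
    if score <= YELLOW_MAX:
        return "yellow"
    return "red"


@dataclass
class Risk:
    step: str                       # data-flow step: collection, transfer, storage, sharing ...
    what_can_go_wrong: str
    probability: int                # before measures
    consequence: int                # before measures
    measures: list[str] = field(default_factory=list)
    residual_probability: Optional[int] = None   # after measures; None = unchanged
    residual_consequence: Optional[int] = None

    def inherent_score(self) -> int:
        return risk_score(self.probability, self.consequence)

    def residual_score(self) -> int:
        p = self.probability if self.residual_probability is None else self.residual_probability
        c = self.consequence if self.residual_consequence is None else self.residual_consequence
        return risk_score(p, c)


def acceptance_route(level: str) -> str:
    """Who decides on the residual risk, following the page's escalation rule."""
    return {
        "green": "accept within the project",
        "yellow": "project manager decides: new measures or documented acceptance",
        "red": "discuss with department management before proceeding",
    }[level]


def assess(register: list[Risk]) -> list[dict]:
    """One row per risk: inherent and residual score, colour, and acceptance route."""
    rows = []
    for r in register:
        inherent, residual = r.inherent_score(), r.residual_score()
        rows.append({
            "step": r.step,
            "risk": r.what_can_go_wrong,
            "inherent": inherent,
            "inherent_level": risk_level(inherent),
            "residual": residual,
            "residual_level": risk_level(residual),
            "route": acceptance_route(risk_level(residual)),
        })
    return rows


def highest_residual(register: list[Risk]) -> dict:
    """The risk that still scores highest after measures, i.e. the one to escalate first."""
    return max(assess(register), key=lambda row: row["residual"])


# Constructed sample register (values are assumptions, not a real project).
SAMPLE_REGISTER = [
    Risk("collection", "dictaphone with interview recordings is lost",
         probability=3, consequence=5,
         measures=["transfer recordings to NTNU storage the same day",
                   "delete from device after transfer"],
         residual_probability=1),
    Risk("storage", "only copy of data material on a local hard drive fails",
         probability=2, consequence=4,
         measures=["store on NTNU infrastructure with backup"],
         residual_probability=1, residual_consequence=2),
    Risk("sharing", "special-category data sent to a partner institution by e-mail",
         probability=4, consequence=5,
         measures=["use NTNU's recommended service for sharing"],
         residual_probability=2),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['step']:<10} {row['inherent']:>2} {row['inherent_level']:<6} -> "
              f"{row['residual']:>2} {row['residual_level']:<6} {row['route']}")
```

Running the block prints one line per risk; the sharing risk stays yellow after measures, which is exactly the case the text describes where the project must decide between further measures and documented acceptance.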

DPIA - Data Protection Impact Assessment

In projects where there is a high residual risk connected to people's rights and freedoms even after proposed measures, it may be necessary to carry out a data protection impact assessment (DPIA). This is a more comprehensive review of the processing of personal data.

Some projects will automatically trigger requirements for DPIA if they meet certain criteria. For projects that are notified to Sikt, Sikt will assess whether a DPIA is necessary and assist in conducting this.

Note: For health research projects, there are specific guidelines for when and how a DPIA should be conducted.

Contact

  • Research Data @NTNU - if you have questions, feedback or need advice when conducting a risk assessment for a research project with personal data, contact Research Data @NTNU through NTNU Hjelp. External users can send an email to research-data@ntnu.no (if you have an NTNU user account your request will be handled in the NTNU Hjelp portal).
  • If you have questions related to risk assessments in the context of education or teaching, contact BLINK Learning Hub.