Risk assessment of research projects with personal data - Kunnskapsbasen
Before processing personal data, the project manager is responsible for carrying out a risk assessment (also known as a risk and vulnerability assessment, RVA). The intention is to protect the rights of individuals who have contributed data/information. This page provides guidance on how to conduct a risk assessment in research projects involving personal data.
Key factors in the risk assessment are the scope of the project, the sensitivity of the data, the environment in which the data will be processed and stored, and the duration of the project. The assessment should be reviewed periodically and adapted to any changes in the project.
Norwegian version: Risikovurdering av forskningsprosjekter med personopplysninger
Topic page about research data
Template for risk assessment of research projects with personal data
A special template has been developed for risk assessment of research projects at NTNU. The template is a spreadsheet with three tabs. The guidelines are available in a separate tab and can also be downloaded in pdf format.
Note that the template is a starting point that can - and should - be adapted to the project. For example, a master's project with few informants may have different and fewer risk factors than a larger research project with project members from several institutions. Therefore, use the template to assess the actual risk and create feasible measures.
Template for risk assessment of research projects (xlsx file)
Note: Health research projects have additional requirements; see Plan and implement a health research project.
Simplified template for students
For student projects, the supervisor is responsible for completing a risk assessment together with the student. A simplified risk assessment (RVA) template for student projects is available here (xlsx file).
What is a risk assessment?
At its core, a risk assessment consists of three questions:
- What can go wrong?
- What can we do to prevent it?
- What can we do to reduce the consequences if this happens?
The aim of a risk assessment is to determine the current level of risk and to identify actions that can help reduce that risk. Risk is often expressed as the product of probability and consequence, each scored as a numerical value on a defined scale. The resulting level of risk is also often presented on a colour scale, where green is low risk, yellow is moderate and red is high.
Conducting a risk assessment
Who is responsible and for what?
The project manager is responsible for carrying out the risk assessment, but it may be beneficial to involve others in the work. For student projects, the supervisor is responsible for carrying out the risk assessment together with the student. The risk assessment must be approved by the project manager (or the supervisor for student projects), who ensures that an approved and signed version is available on request. This version can, for example, be scanned and stored digitally.
Outline data flows
It may be useful to start by outlining the data flow for the whole project: How will the data be collected? How will it be transferred? Where will it be stored and where will it be processed? Who will have access to it at the different stages? What will happen to it when the project is finished?
What can go wrong?
Once you have an overview of the data flow, it is important to identify what can go wrong at each stage. For example, personal data stored on external devices (dictaphone, memory stick, local hard drive, etc.) could be lost or mislaid. In addition to the loss of important data material if no copies exist, the loss of personal data can be very distressing for the informants.
Assess consequences
A risk assessment in relation to personal data should consider:
- the consequences for the data subjects, i.e. the individual persons the information is about
- the consequences for the project itself (for example, what happens if access to the data material is lost or there is a breach of the GDPR?)
- the consequences for NTNU as an institution (for example, loss of reputation or economic loss due to fines)
The potential consequences and their severity depend, among other things, on the number of individuals affected, the amount of data involved, and whether the data belongs to the general or the special categories of personal data. Special categories of personal data (also known as 'sensitive data') generally pose a higher risk than general personal data and include information about:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs or trade union membership
- genetic data, and biometric data processed for the purpose of uniquely identifying a person
- data concerning health or the sex life or sexual orientation of a person
This type of personal data is usually classified as confidential/red data, while general personal data is often classified as internal/yellow data.
Assess relevant protective measures
NTNU has measures in place to prevent unwanted incidents, for example NTNU's guidelines for collecting personal data in research and the Policy for information security. In addition, there are recommended tools for collecting and storing personal data.
However, the existing measures are of little help if the project participants do not know about them or do not know how to apply them in practice. Relevant measures in research projects can therefore be to familiarize all project participants with NTNU's guidelines, to use NTNU's solutions and services for collection and storage wherever possible, and to establish good routines for security, sharing and deletion.
The risk assessment should be reviewed at regular intervals and updated to reflect any changes in the project.
Residual risk and risk acceptance
It is not possible to eliminate all risks in a research project. Sometimes, even after implementing measures, the project will remain in the yellow risk category, and you will then need to consider whether to implement further measures or whether the residual risk can be accepted. This has to be decided on a project-by-project basis, and the responsibility for accepting risk lies with the line manager. In practice, this means that if the residual risk is yellow or higher, it is usually the head of department who has to approve it.
DPIA - Data Protection Impact Assessment
In projects where there is a high residual risk to people's rights and freedoms even after the proposed measures, it may be necessary to carry out a data protection impact assessment (DPIA). A DPIA is a more comprehensive review of the processing of personal data.
Some projects automatically trigger the requirement for a DPIA if they meet certain criteria. For projects that are notified to Sikt, Sikt will assess whether a DPIA is necessary and assist in conducting it.
Note: For health research projects, there are specific guidelines for when and how a DPIA should be conducted.
See also
- Informasjonssikkerhet - risikovurdering (Norwegian only)
- Collection of personal data for research projects
Contact
- Do you have questions, feedback or need advice when conducting a risk assessment for a research project with personal data? Contact Research Data @NTNU via NTNU Hjelp. External users can send an email to research-data@ntnu.no.
- Do you have questions related to risk assessments in the context of education or teaching? Contact BLINK Learning Hub.