Risk assessment of research projects with personal data - Kunnskapsbasen
On this page, students and employees at NTNU can find information that enables them to assess risks in research projects with personal data.
Before processing personal data, it is the responsibility of the project manager to perform a risk assessment, i.e. a systematic review of what could go wrong. Key factors in the risk assessment include the scope of the project, the degree of confidentiality of the information, the environment in which the information is processed and stored, and the duration of the project.
Template for risk assessment of research projects with personal data
A specific template has been prepared for risk assessments of research projects at NTNU. The template is a spreadsheet with three tabs. Guidance can be found in a separate tab and can also be downloaded in PDF format.
Note that the template is a starting point that can and should be adapted to the specific project. A master's project with few informants will, for example, have different and fewer risk factors than a larger research project with project members from several institutions. Therefore it is important to use the template to assess relevant risks and plan feasible measures.
NB: Health research projects have their own guidelines for risk assessment, see Plan and implement a health research project and Risikovurdering ved håndtering av personopplysninger – helseforskning (Norwegian only).
What is a risk assessment?
The core of a risk assessment consists of three questions:
- What can go wrong?
- What can we do to prevent it?
- What can we do to reduce the consequences if this happens?
Risk is often described as the product of probability and consequence, stated as numerical values on a scale. Often the risk level is also presented based on a color scale, where green denotes low risk, yellow is moderate, and red is high.
Conducting a risk assessment
The project manager is responsible for carrying out a risk assessment, but it can be an advantage to involve several people in the work. For student projects, the supervisor is responsible for conducting a risk assessment together with the student.
It can be useful to start by outlining the data flow for the entire project. How is data collected, how is it transferred, where is it stored, where is it processed, who will have access in the various phases, and what happens to the data when the project is finished? Next, it is important to identify what can go wrong in each individual step.
An example could be personal data stored on external devices (dictaphone, memory stick, local hard drive, etc.) that is misplaced or lost. In addition to the fact that important data material is lost if there are no copies, personal data that is not kept confidential can potentially be a major burden for the informants.
A risk assessment of this type should focus on the consequences for the data subjects, i.e., the individual persons the information is about. In addition, consequences for the project itself should also be addressed (what happens, for example, if one loses access to data material or there is a breach of GDPR?) and for NTNU as an institution (for example, loss of reputation or economic loss because of fines). The consequences depend, among other things, on the number of people included, how much information is collected, and how confidential the material is: special categories of personal data (also often called sensitive data) usually carry a higher risk than general ones.
There are already measures in place to prevent unwanted incidents, for example NTNU's guidelines for collecting personal data in research and Policy for information security.
In addition, there are recommended tools for collecting and storing personal data. However, these are of little help if the project participants do not have knowledge of them or know how to implement them in practice.
Relevant measures can therefore include ensuring that all project participants are familiar with NTNU's guidelines, using NTNU's infrastructure and services for collection and storage where possible, and establishing good routines for securing, sharing and deleting data.
The risk assessment should be reviewed at regular intervals and updated to reflect any changes in the project.
Residual risk and risk acceptance
It is not possible to eliminate all risk in a research project. Occasionally, the project will end up in the yellow risk category, even after implementing measures. It must then be evaluated whether new measures should be implemented, or whether the risk can be accepted. This must be discussed for each individual project, and with the institute management if there is a high level of residual risk.
DPIA - Data Protection Impact Assessment
In projects where there is a high residual risk connected to people's rights and freedoms even after proposed measures, it may be necessary to carry out a data protection impact assessment (DPIA). This is a more comprehensive review of the processing of personal data. Some projects will automatically trigger requirements for DPIA if they meet certain criteria. For projects that are reported to NSD, NSD will assess whether a DPIA is necessary and assist with conducting this.
NB: For health research projects, there are specific guidelines for when and how a DPIA should be conducted.
- Informasjonssikkerhet - risikovurdering (Norwegian only)
- Collection of personal data for research projects
- Research Data @NTNU - if you have questions, feedback or need advice when conducting a risk assessment for a research project with personal data, contact Research Data @NTNU through NTNU Hjelp. External users can send an email to email@example.com (if you have an NTNU user account your request will be handled in the NTNU Hjelp portal).
- If you have questions related to risk assessments in the context of education or teaching, contact BLINK Learning Hub.