The Data Service provides support for assessing data protection risks

A limited risk assessment is always carried out before personal data is processed. The risk assessment allows you to identify the measures needed for the proper processing of personal data.

The processing of personal data refers to the collection, storage, analysis and transfer of identifiable materials. Personal data are any kind of data that may be used to identify a natural person.

Risks should be assessed from the perspective of the research participant. In particular, the participant may be at risk of unauthorised disclosure of or access to their personal data. It is important to determine where research data is stored, who has access to it and how access management is implemented. The risk can be reduced, for example, by removing direct identifiers from the data or by pseudonymising the data. Other security measures include using two-factor authentication and encrypting files (or an external hard drive).

Also consider how and where the material will be transferred during the project. Transferring means, for example, sending audio files from interviews to a company providing transcription services. A large amount of data and the combination of data from different sources can also be a significant risk. The possibility of losing personal data always poses a risk. Therefore, for example, external hard drives should only be used for temporary storage.

The severity and the likelihood of risks must also be assessed. Possible damage may be financial (such as fraud or identity theft due to a data breach), physical (such as violence or threats) or intangible (such as loss of reputation or privacy).

For each processing operation, evaluate:

  • Processing risk
  • Likelihood of risk (unlikely, possible, probable, almost certain)
  • Severity of risk (serious, identified effects, minor effects)
  • Measure to reduce risk
  • Residual risk (low, average, high). Residual risk refers to the risk to the research participant that remains after the safeguard measures have been taken

The greater the risk, the more serious and more likely the consequences for the individual. For more detailed instructions on risk assessment, see the Data Protection of research. If you need more information and assistance in identifying and assessing risks, please contact the Data Service.