In order to establish good and expedient procedures for the project, it is important that the project manager has carried out an assessment of the value of and risks relating to data in the project.
Assessment of value
An assessment of value shall take three factors into consideration: confidentiality, integrity and accessibility. Assessment of value is discussed under OsloMet's information security system (see Norwegian version).
- In principle, unpublished research data have a high degree of confidentiality, meaning that the data must not fall into the wrong hands or be disclosed to unauthorised persons. One way of ensuring confidentiality is to anonymise the data, but that can make it more difficult to achieve the overriding objective of the project.
- The research data shall have a high degree of integrity, meaning that they shall not be altered by unauthorised persons. Good technical data storage solutions (little possibility of unauthorised access and copying) are necessary, as are good training and access control in the project group to safeguard the above-mentioned values.
- The research data must be sufficiently accessible to ensure that it will not be too difficult to complete the research project. The technical solutions must therefore not be so complicated as to prevent the project from being carried out. All the members of the research group, not just the project manager, must have sufficient access to the data to be able to collect and analyse them.
The project manager is responsible for striking a balance between the three value factors. Risk assessment will be a useful tool in this context.
Procedures are established based on an assessment of threats that may arise in connection with the collection of raw data, handling of the scrambling key, and the research file (see the list of definitions). Roughly speaking, threats can be both people and systems, and often a combination of the two.
Towards rawdata, research files and scrambling keys, both project team members and/or external parties (at the institution or outside ) can be a threat.
In the same way, systems like the institution`s ICT system and/or external systems can be a threat towards the same objects.
Specific threats can be identified based on the above. You can also assess the probability of a threat being realised and score the risk as high, medium or low, for example. In addition, you can also assess the consequences of a threat and define them as major, medium or minor.
|Raw data stored on a memory stick have gone astray||medium||major|
|Unauthorised persons may recognise information in the file, because the data have not been adequately de-identified||medium||major|
|Staff at the ICT department see the scrambling key||medium||major|
The project manager must determine what threat level is acceptable and establish procedures and measures based on this. The table above is a simple example of how a risk assessment can be carried out.
OsloMet also has its own template for risk assessment in research, and a user guide on how to save the Risk assessment in P360.
Guide for personal data protection and information security in research projects page 27 (in Norwegian only) also has a simple example of a risk assessment. You will find more information about risk assessments on sikresiden.no and in the Data Protection Authority's guide to risk assessment for information systems.
The project manager shall ensure that critical incidents and non-conformities are dealt with as they arise and reported to the appropriate body; see When something happens (see Norwegian version). Non-conformities should be resolved at the organisational level at which they arise. If the non-conformity has led to unauthorised disclosure that has a bearing on confidentiality, the Data Protection Authority must be notified. The project manager shall ensure that all non-conformities and security breaches are closed, which includes requesting assistance from the Department of ICT or the Department of Facilities Management to deal with technical or physical security breaches if necessary.
The following factors will have a bearing on how thorough a risk assessment should be:
Whether the material is sensitive, and the degree of sensitivity. For further information, see Classification of data.
The amount of personally identifiable information present in the material, direct or indirect. Direct personally identifiable information includes names, personal ID numbers or other characteristics that are unique to one individual. Indirect personally identifiable information elements are background variables. For further information, see Classification of data.
Personal data are anonymised if personally identifiable information has been removed, so that the information can no longer be linked to the individual (the Personal Data Act does not apply).
The project's size, including the number of participants
The project's duration
The extent to which the institution has technical solutions / obtains services for the secure storage of research data (see Norwegian version).