FGB Security Tips: Assessing Privacy Risks
2025-08-26; Version 2.1
Data about human beings are very rarely anonymous. Even if the data do not contain information such as name or address, the data may still pose privacy risks to the people they are about, especially if it is possible to re-identify individuals within the data you are using for your research.
The table below can be used to determine privacy risk categories for different types of data. The privacy risks are based on three pillars: the vulnerability of the research subjects, the re-identifiability of the data and the risk of harm to the research subjects that is posed by the information in the data. The guidance below cannot capture every possible situation, so think of this advice as a spectrum. If in doubt, opt for a higher risk category. Also, not all of the data in your research will have the same level of privacy risk and the privacy risks for each type of data may change as you clean, recode and modify the data from a raw to processed form. You should assess the risks for each separate data asset and also consider how each data asset’s risk will change over the course of the research life cycle. If some data are higher risk than others, you can store these data separately in a more secure storage option.
Once you’ve determined the privacy risk category for each data asset, you can use these categories to inform your choices about how your data can be de-identified, safely used by students/interns, safely transported physically, securely transferred digitally, and securely stored.
Red Data
| Privacy Risk | Very high-risk |
| Description | • Directly identifying data from vulnerable people containing information that elevate the risks of harm |
| Impact of a Breach | • Severity of harm to research subjects and/or damage to the
reputation of VU Amsterdam would be very high • The likelihood of harm or damages after a breach is very high |
| Examples | • Video interviews with children talking about abuse • Raw transcripts of interviews with refugees talking about their home country • Diaries from vulnerable patients with mental or physical conditions/disabilities • Raw transcripts of interviews with non-white employees describing their satisfaction with their employer • Raw neuroimages (not de-faced) of vulnerable subjects with serious medical or mental health conditions • Non-pseudonymous genetic data from vulnerable subjects that indicates a risk for disease or disorders |
Orange Data
| Privacy Risk | High-risk |
| Description | • Directly identifying data from non-vulnerable people containing information
that does NOT elevate the risks of harm OR • Directly identifying data from vulnerable people containing information that does NOT elevate the risks of harm OR • Directly identifying data from non-vulnerable people containing information that elevate the risks of harm OR • Data from vulnerable people containing information that elevate the risks of harm that has been made slightly less identifiable by removing easily identifying information (e.g. name, contact information) |
| Impact of a Breach | • Severity of harm to research subjects and/or damage to the
reputation of VU Amsterdam would be high • The likelihood of harm or damages after a breach is moderate to high |
| Examples | • Key files containing names and contact information of research
subjects • Data containing date of birth and 6-digit postal code of research subjects • Video observations of children playing • Video observations of team-building activities • Raw neuroimages (not de-faced) of non-vulnerable subjects • Raw questionnaire data about sensitive or stigmatized topics • Raw questionnaire data from vulnerable subjects containing detailed demographic information • Genetic data from non-vulnerable subjects |
Yellow Data
| Privacy Risk | Medium to high risk |
| Description | • Data from non-vulnerable people
containing information that does NOT elevate the risks
of harm that been made slightly less
identifiable by removing easily identifying information (e.g. name,
contact information) OR • Data from vulnerable people and/or containing information that does NOT elevate the risks of harm that has undergone additional de-identification steps beyond the removal of easily identifying information (e.g. name, contact information) |
| Impact of a Breach | • Severity of harm to research subjects and/or damage to the
reputation of VU Amsterdam would be moderate to high • The likelihood of harms or damages after a breach is moderate to low |
| Examples | • IP- and MAC-addresses of research subjects • Raw questionnaire data from non-vulnerable subjects containing demographic information • Questionnaire data about sensitive/stigmatized topics and/or vulnerable people that has been processed to make re-identification more difficult • Video recordings with faces blurred and voices modified • Transcripts of interviews in which the identifying information is replaced with pseudonyms • Repeated physical measurements on vulnerable subjects that include the dates and times the measurements occurred • De-faced neuroimages of vulnerable people • Extensive kinematic measurements that are used to identify sensitive information such as movement disorders |
Green Data
| Privacy Risk | Medium to low risk |
| Description | • Data from non-vulnerable people containing information that does NOT elevate the risks of harm that has undergone additional de-identification steps beyond the removal of easily identifying information (e.g. name, contact information) |
| Impact of a Breach | • Severity and likelihood of harm to research subjects after a
breach are low • Damage to the reputation of VU Amsterdam is still possible, but likelihood is lower and the impact would be less severe |
| Examples | • Data that contain a unique record for at least one research
subject, e.g.: - De-faced neuroimages of non-vulnerable people - Extensive kinematic measurements from non-vulnerable subjects - Highly variable physical measurements, e.g. blood pressure, heart rate, blood glucose, body temperature - Any other datasets that contain sufficient information to create a unique record for one or more research subjects |
Blue Data
| Privacy Risk | Little to no risk |
| Description | • Data that cannot be re-identified whatsoever, regardless of the vulnerability of the research subjects or the risks of harm posed by the information |
| Impact of a Breach | • Research subjects will suffer no direct** harm and VU Amsterdam will suffer no damages to its reputation |
| Examples | • Likert scale responses in a questionnaire • Coded qualitative data • Summary statistics NB: If your data can still be linked to identifying information (e.g. through participant identifiers that link to a separate key file), the data are not anonymous and therefore not “blue”. Such data would be “green” or “yellow” depending on the sensitivity of the information and vulnerability of the research subjects. If it is possible and appropriate to delete this last link to the identifying information, then the data can be considered anonymous. |
**NB: Although research subjects will not be directly harmed, the conclusions drawn from research results or the misuse of published research software can impact the wider population to which the research subjects belong. Such ethical considerations should be discussed with the FGB Scientific and Ethical Review Board.
Confidentiality Risk versus Privacy Risk
Confidentiality and privacy overlap, however, confidentiality is about how a data breach would impact our institution while privacy considers how a data breach would impact our research subjects. Confidentiality concerns have been taken into consideration in the guidance above so that the privacy risks you determine can also be viewed as confidentiality risks.
If your data are not about human subjects, they may still need to be kept confidential, for example, when working with business secrets or intellectual property. If you are working with a third party, especially a business, they may require you to keep their data confidential. Below are some examples of different confidentiality risks for non-human data:
| Red Data | Orange Data | Yellow Data | Blue Data* | |
|---|---|---|---|---|
| Confidentiality Risk | Very high-risk | High-risk | Medium-risk | Low-risk |
| Examples | • Data that are classified as “secret” | • Commercially sensitive data • Politically sensitive data • Data subject to non-disclosure agreements |
• Patents & other intellectual property • AI algorithms that could benefit other countries • Unpublished research output with novel results • Internal procedures and policies |
• Data that can be publicly disclosed |
- Green data aren’t listed here because the primary distinction between Green and Blue privacy risks is that Green data are still technically personal data while Blue data are anonymous or anonymized data. There isn’t a comparable category to Green data when assessing the confidentiality risks of non-personal data, therefore low confidentiality risk data should be handled as Blue data. Be aware that although Blue data can be publicly disclosed, you should assess, when publishing these data, whether there should be any limitations on how these data are reused. Even publicly available data can have limits placed on how they are reused by applying restrictive licenses, such as those that don’t allow reuse for commercial purposes. More information on data licensing is found here.
Important Factors in Privacy Risk
The ease with which research subjects can be re-identified in the data:
Data are personal data if they are directly identifying or indirectly identifiable:
- Directly identifying data are what most people think of as personal data: name, contact information, facial images etc. This information isn’t always directly identifying (e.g. a name like Jan Smit is very common in The Netherlands, so that name alone might not be enough to identify someone). Regardless, it’s generally agreed that these types of data should be handled with extra care and that these types of data should be ideally stored separately from other research data.
- Indirectly identifiable data can also be referred to as pseudonymous
data (although there are some caveats1 to this). The ease with which a research
subject could be re-identified from indirectly identifiable
data depends on several factors such as:
- How much information has been collected about each research subject?
- How specific is the information about each research subject?
- How unique is the information about each research subject?
- Unique information may be a result of one variable with extreme values or a combination of several variables that create a record that is distinct from all others in the dataset
- Could the data be linked to publicly available information, such as social media profiles?
- It is very important to consider how easily indirectly identifiable data can be re-identified. If only the most cursory of efforts has been made to de-identify the data (most commonly, only removing names and contact information from the dataset), then the research subjects usually remain at risk of re-identification due to the wealth of other information present in the dataset. If someone tells you a dataset is “pseudonymous”, it is also a good idea to assess how easily these data could be re-identified, since not everyone has the same idea about what pseudonymous means1.
As long as data are identifiable, they cannot be referred to as anonymous data and the legal rules of the GDPR must be followed. This means the GDPR applies to pseudonymous data.
Not all identifiable data pose the same level of privacy risk: oftentimes, raw data often pose higher privacy risks because of greater re-identifiability (e.g. video recordings), and therefore require additional data protection measures (such as high security storage); as the data are cleaned, recoded and analysed they become less identifiable (e.g. coded interactions) and require fewer data protection measures. De-identification is therefore an important part of data processing that can be used to protect the privacy of your research participants; the identifiability of the data is the only factor you can change since it’s not possible to reduce the vulnerability of your research subjects or the sensitivity of your research topic.
The vulnerability of the research subjects:
Vulnerable research subjects have an additional risk of harm (socially, physically, emotionally, financially) if their personal information is made public. The greater the vulnerability of the research subjects, the greater the potential for serious harm.
Vulnerable research subjects include, but are not limited to:
- children
- people who identify as LGBTQ+
- refugees
- ethnic or religious minorities
When assessing the vulnerability of the research subjects, bear in mind that we are looking at what vulnerability characteristics are known or disclosed within the data. If you are not actively studying a specific vulnerable population and you do not need to collect data that could identify someone as vulnerable, then that information should not be collected in order to minimize the risks to the research subjects. For example, if you do not need to know the ethnicity or sexuality of your research subjects, you should not collect that information within your research data. That way you can minimize the overall privacy risks by minimizing the vulnerabilities of the research subjects studied. However, there may be situations where collection of this information is unavoidable, e.g. video recordings of research subjects will also collect skin colour and any religious clothing. Keep such cases in the back of your mind when assessing the overall privacy risks; even if you are not actively studying a vulnerable population, consider whether you will collect data that could identify someone as part of a vulnerable population when you are assessing the risks of harm to the research subject.
The risk of harm posed by the information being used:
- The risk of harm posed by the information in the data is the most
complex and subjective consideration in assessing the privacy risks.
Your goal is to consider what information your research data contain and
whether that information, either in combination with or in addition to
the vulnerability of your research subjects, poses elevated risks of
harm to the research subjects. Information that could increase the risks
of harm to your research subjects include subject matter that is
sensitive, taboo or stigmatized in nature. The risk of harm is elevated
if the research subjects would experience further risks to their
well-being if the information is made public beyond the disclosure of
their vulnerability characteristics. For example, a dataset containing
the names of LGBTQ research subjects is only high-risk (orange data) as
long as the only information leaked is the research subjects’ names.
Such a situation is not ideal, but no further information beyond names
has been disclosed. However, if the leaked information included
information about the research subjects’ sexuality and their sexual
experiences, that would constitute an elevated risk of harm due to the
information contained in the data (i.e. very high-risk or red data). If
the leaked data included just names, but it was known that the research
population being studied was entirely LGBTQ, this may or may not
constitute an elevated risk of harm, i.e. the data may be orange or red.
The data would be more likely orange if your population consists of
openly queer research subjects, whereas it would be better to consider
the data red if your subjects are still in the closet. Because of these
complex nuances, it is imperative that you thoroughly contemplate how
much damage the public disclosure of your research data would pose to
your research subjects.
- If in doubt, contact the FGB Privacy Officer for support.
- Some other topics that may potentially increase the risk of
harm to your subjects, include:
- employment status
- income and other financial data
- student grades and performance
- location data
The risk of harm in these cases will often depend on the vulnerability characteristics of the research subjects, for example, employment status of the average Dutch person is someone sensitive, but does not pose an elevated risk, while employment status of an asylum seeker could have political ramifications for the research subject in question and may risk their safety and well-being.
- If the data are “special” under the GDPR the risk of harm
may be elevated but this is not always the case; if your
research data fall into the “special” category it is a warning sign to
thoroughly assess for elevated risks of harm posed by the data.
- “Special” data are subject to additional legal requirements under the GDPR regardless of the risks of harm posed by these data. More information is found on the GDPR Take-Home Points page
- If your data pose additional risks to the research subjects, but are not “special” data types under the GDPR, they do not need to meet the additional legal requirements for “special” data. However, these data should of course be treated with extra care because of the risk to the research subjects’ privacy and well-being.
- Elevated risks of harm can also apply to non-personal data, such as a company’s financial records. If the disclosure of this information could negatively impact an individual or organisation, this suggests a potentially elevated confidentiality risk.
The legal definition of pseudonymization according to the GDPR is quite strict. Essentially, according to the GDPR, pseudonymous data requires additional information for the data to be re-identified and if that additional information is deleted, the data become anonymous. In real life, the situation is more complicated. A dataset with no directly identifying data may still contain indirectly identifiable data (often demographic information) that can be used to single out unique records, which could then be used to re-identify people using publicly available information or based on context clues. You could de-identify this dataset further and, if done correctly, you would ensure that the only way to re-identify the research subjects would be with an identification code and a key file. Both the former and latter versions of this dataset would be called “pseudonymized” by a layperson, but under the GDPR only the latter version is legally considered to be pseudonymized. The main takeaway from this is that even if someone says their data are pseudonymous, you should investigate to what extent the data have been pseudonymized: do they mean the GDPR’s strict definition of pseudonymized or do they simply mean that the directly identifying data have been removed from the dataset?↩︎
Contact research.data.fgb@vu.nl
or submit a suggestion to the GitHub repo
