Data about human beings are very rarely anonymous. Even if the data do not contain information such as name or address, the data may still pose privacy risks to the people they are about, especially if it is possible to re-identify individuals within the data you are using for your research.

The table below can be used to determine privacy risk categories for different types of data. There will always be grey areas when looking at privacy risk, particularly when considering the vulnerability of the research subjects, the sensitivity of the information and the re-identifiability of the data. The guidance below cannot capture every possible situation, so, like all good things, think of this advice as a spectrum. If in doubt, opt for a higher risk category. Also, not all of the data in your research will have the same level of privacy risk and the privacy risks for each type of data may change as you clean, recode and modify the data from a raw to processed form. You should assess the risks for each separate data asset and also consider how each data asset’s risk will change over the course of the research life cycle. If some data are higher risk than others, you can store these data separately in a more secure storage option.

Once you’ve determined the privacy risk category for each data asset, you can use these categories to inform your choices about how your data can be de-identified, safely used by students/interns, safely transported physically, securely transferred digitally, and securely stored.


Red Data

Privacy Risk Very high-risk
Description Directly identifying data from vulnerable people about sensitive topics
Impact of a Breach • Severity of harm to research subjects and/or damage to the reputation of VU Amsterdam would be very high
• The likelihood of harm or damages after a breach is very high
Examples • Video interviews with children talking about abuse
• Raw transcripts of interviews with refugees talking about their home country
• Open text responses (e.g. diary-type feedback) from patients with mental or physical conditions/disabilities
• Open text responses or detailed interviews with employees describing their satisfaction with their employer
• Raw neuroimages (not de-faced) of vulnerable subjects with serious medical conditions
• Genetic data from vulnerable subjects that indicates a risk for disease or disorders

Orange Data

Privacy Risk High-risk
Description Directly identifying data from non-vulnerable people about non-sensitive topics
OR
Directly identifying data from vulnerable people about non-sensitive topics
OR
Directly identifying data from non-vulnerable people about sensitive topics
OR
• Data from vulnerable people about sensitive topics that has been made slightly less identifiable by removing easily identifying information (e.g. name, contact information)
Impact of a Breach • Severity of harm to research subjects and/or damage to the reputation of VU Amsterdam would be high
• The likelihood of harm or damages after a breach is moderate to high
Examples • Key files containing names and contact information of research subjects
• Data containing date of birth and 6-digit postal code of research subjects
• Video observations of children playing
• Video observations of team-building activities
• Raw neuroimages (not de-faced) of non-vulnerable subjects
• Raw questionnaire data about sensitive topics
• Raw questionnaire data from vulnerable subjects containing detailed demographic information
• Genetic data from non-vulnerable subjects

Yellow Data

Privacy Risk Medium to high risk
Description • Data from non-vulnerable people about non-sensitive topics that been made slightly less identifiable by removing easily identifying information (e.g. name, contact information)
OR
• Data from vulnerable people and/or about sensitive topics that has undergone additional de-identification steps beyond the removal of easily identifying information (e.g. name, contact information)
Impact of a Breach • Severity of harm to research subjects and/or damage to the reputation of VU Amsterdam would be moderate to high
• The likelihood of harms or damages after a breach is moderate to low
Examples • IP- and MAC-addresses of research subjects
• Raw questionnaire data from non-vulnerable subjects containing demographic information
• Questionnaire data about sensitive topics and/or vulnerable people that has been processed to make re-identification more difficult
• Video recordings with faces blurred and voices modified
• Transcripts of interviews in which the identifying information is replaced with pseudonyms
• Repeated physical measurements on vulnerable subjects that include the dates and times the measurements occurred
• De-faced neuroimages of vulnerable people
• Extensive kinematic measurements that are used to identify sensitive information such as movement disorders

Green Data

Privacy Risk Medium to low risk
Description • Data from non-vulnerable people about non-sensitive topics that has undergone additional de-identification steps beyond the removal of easily identifying information (e.g. name, contact information)
Impact of a Breach • Severity and likelihood of harm to research subjects after a breach are low
• Damage to the reputation of VU Amsterdam is still possible, but likelihood is lower and the impact would be less severe
Examples • Data that contain a unique record for at least one research subject, e.g.:
  - De-faced neuroimages of non-vulnerable people
  - Extensive kinematic measurements from non-vulnerable subjects
  - Any other datasets that contain sufficient information to create a unique record for one or more research subjects

Blue Data

Privacy Risk Little to no risk
Description • Data that cannot be re-identified whatsoever, regardless of the vulnerability of the research subjects or the sensitivity of the information
Impact of a Breach • Research subjects will suffer no direct** harm and VU Amsterdam will suffer no damages to its reputation
Examples • Highly variable physical measurements, e.g. blood pressure, heart rate, blood glucose, body temperature
• Likert scale responses in a questionnaire
• Coded qualitative data
• Summary statistics

NB: If your data can still be linked to identifying information (e.g. through participant identifiers that link to a separate key file), the data are not anonymous and therefore not “blue”. Such data would be “green” or “yellow” depending on the sensitivity of the information and vulnerability of the research subjects. If it is possible and appropriate to delete this last link to the identifying information, then the data can be considered anonymous.
**NB: Although research subjects will not be directly harmed, the conclusions drawn from research results or the misuse of published research software can impact the wider population to which the research subjects belong. Such ethical considerations should be discussed with the FGB Scientific and Ethical Review Board.


Confidentiality Risk versus Privacy Risk

Confidentiality and privacy overlap, however, confidentiality is about how a data breach would impact our institution while privacy considers how a data breach would impact our research subjects. Confidentiality concerns have been taken into consideration in the guidance above so that the privacy risks you determine can also be viewed as confidentiality risks.

If your data are not about human subjects, they may still need to be kept confidential, for example, when working with business secrets or intellectual property. If you are working with a third party, especially a business, they may require you to keep their data confidential. Below are some examples of different confidentiality risks for non-human data:

Red Data Orange Data Yellow Data Blue Data*
Confidentiality Risk Very high-risk High-risk Medium-risk Low-risk
Examples • State secrets
• Other data that are classified as “secret”
• Commercially sensitive data
• Politically sensitive data
• Data subject to non-disclosure agreements
• Patents & other intellectual property
• AI algorithms that could benefit other countries
• Unpublished research output with novel results
• Internal procedures and policies
• Data that can be publicly disclosed
  • Green data aren’t listed here because the primary distinction between Green and Blue privacy risks is that Green data are still technically personal data while Blue data are anonymous or anonymized data. There isn’t a comparable category to Green data when assessing the confidentiality risks of non-personal data, therefore low confidentiality risk data should be handled as Blue data. Be aware that although Blue data can be publicly disclosed, you should assess, when publishing these data, whether there should be any limitations on how these data are reused. Even publicly available data can have limits placed on how they are reused by applying restrictive licenses, such as those that don’t allow reuse for commercial purposes. More information on data licensing is found here.

Important Factors in Privacy Risk


  1. The vulnerability of the research subjects:


  1. The sensitivity of the information being used:


  1. The ease with which research subjects can be re-identified in the data:


  1. The legal definition of pseudonymization according to the GDPR is quite strict. Essentially, according to the GDPR, pseudonymous data requires additional information for the data to be re-identified and if that additional information is deleted, the data become anonymous. In real life, the situation is more complicated. A dataset with no directly identifying data may still contain indirectly identifiable data (often demographic information) that can be used to single out unique records, which could then be used to re-identify people using publicly available information or based on context clues. You could de-identify this dataset further and, if done correctly, you would ensure that the only way to re-identify the research subjects would be with an identification code and a key file. Both the former and latter versions of this dataset would be called “pseudonymized” by a layperson, but under the GDPR only the latter version is legally considered to be pseudonymized. The main takeaway from this is that even if someone says their data are pseudonymous, you should investigate to what extent the data have been pseudonymized: do they mean the GDPR’s strict definition of pseudonymized or do they simply mean that the directly identifying data have been removed from the dataset?↩︎