‘Data breaches – the new oil spills’: protecting research participants and their sensitive personal data

“If data is the new oil, then data breaches are the new oil spills”. This observation by blogger Frith Tweedie comes hot on the heels of news reports that the Ministry of Culture and Heritage mistakenly exposed the personal details of hundreds of young people online. The sensitive data, belonging mostly to teenagers, had been uploaded to an external website without adequate protection measures. And last week, I read another news report that the results of online tests for depression taken by members of the public through the Depression.org website have been exposed to third party companies.

Digital and online technologies (e.g. smart phones, online survey tools, social media, collaboration platforms etc.) are mainstream tools that are increasingly used to collect, store and share research data. For all their use in the research lifecycle, they each have their limitations. Arguably many of the ‘digital data spills’ stories appearing in the news are down to data collectors not fully understanding the limitations of the technologies they use, or taking adequate steps to mitigate risks to the data and research participants.

If you’re a researcher who needs to store sensitive data and move it between systems, what can you do?

Firstly, make sure you don’t access or disclose sensitive personal information without prior agreement with your research participants.

Beyond this, put a a security management plan in place that safeguards data in digital form when it’s ‘at rest’ (e.g. in storage) and in transit (e.g. being moved between systems and devices).

A couple of key steps in security management planning include:

  1. Carrying out a risk assessment to classify the sensitivity levels of the data you will collect. The Privacy Commissioner has a Privacy Impact Assessment Toolkit to help with this.
  2. Evaluate the privacy limitations of the digital and online technologies you’ll use to collect, store and manage sensitive data. Have a look at the ‘terms of service’ which should detail how data will be used by the vendor and/or shared by third parties.

Learn more


This entry was posted in Research Data Management. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *