One of the central research-ethical principles is that a research study should produce as much benefit as possible and as little harm as possible. Sometimes harm is unavoidable, but usually it can be minimised through careful risk assessment and mitigation.

2.14.1. General method of risk assessment

Research funders sometimes require researchers to assess the ethical risks associated with their study and describe how to mitigate them. When planning the study or applying for a grant, researchers may also need to assess the risks associated with their research.

Risk assessment is usually carried out in several stages.

  • In the risk identification stage, all potential risks are listed. There is no single correct way to do this. Sometimes the task is delegated to experts or the project’s lead partner; the researchers involved in the study can also do it. Rare risks must also be identified, so it is always useful to involve more people.

Even if no risks are identified, the exercise shows the external assessors (European Commission, Estonian Research Council, Data Protection Inspectorate, ethics committee) that potential risks have been considered and found not to exist, so that no further action is necessary.

  • In the risk analysis stage, each identified risk is assessed based on its likelihood and potential impact. The easiest and usually acceptable solution is to rate the likelihood and the impact on a five-point scale (“very low”, “low”, “moderate”, “high” and “very high”) and the resulting risk with three colours (green, yellow and red). These are combined into a risk matrix showing the likelihood and impact estimates. In the table below, high risk is represented by red, moderate risk by yellow and low risk by green.

Table. Distribution of risks by likelihood and impact (cell value = risk score; rows = likelihood, columns = impact)

LIKELIHOOD \ IMPACT   Very low   Low   Moderate   High   Very high
Very low                 0        1       2         3        4
Low                      1        2       3         4        5
Moderate                 2        3       4         5        6
High                     3        4       5         6        7
Very high                4        5       6         7        8

There are other risk assessment methods, and the scales of impact, likelihood and risk may differ.

  • In the risk assessment stage, it is necessary to decide which risks are low and which are above average and therefore need mitigating. For the latter, measures must be proposed to reduce the likelihood and the impact of the risk. These may be technical (secure information systems), legal (data exchange agreement with the processor) or organisational (needs-based access to data). After the mitigating measures have been applied, the risks should be reassessed, until they are below average. If it is impossible to eliminate a risk fully, monitoring activities should be described for continuously monitoring and mitigating it throughout the research. This is risk management, which presumes the readiness and capacity to act if one of the risks materialises or a new hazard is identified. Before managing the risks, it is necessary to agree on who is responsible, who monitors the risks, and how to respond to them.
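As an added illustration (not part of the guide), the following Python sketch encodes the matrix above and the mitigate-and-reassess loop of the three stages; the colour bands, the “acceptable” cut-off and the sample risk are assumptions made here.

```python
# Added example, not from the guide: a minimal risk register for the three
# stages above: identify, score on the 5x5 matrix (0-8), mitigate, reassess.
# Colour bands, the acceptability cut-off and the sample risk are assumptions.
from dataclasses import dataclass, field

SCALE = ["very low", "low", "moderate", "high", "very high"]
ACCEPTABLE_MAX = 3  # assumption: "below average" = under the matrix midpoint 4

def risk_score(likelihood: str, impact: str) -> int:
    """Cell of the guide's matrix: row index + column index, 0..8."""
    return SCALE.index(likelihood) + SCALE.index(impact)

def risk_colour(score: int) -> str:
    """Assumed three-colour banding: green 0-2, yellow 3-5, red 6-8."""
    return "green" if score <= 2 else "yellow" if score <= 5 else "red"

@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    owner: str = "unassigned"               # who monitors and responds
    measures: list = field(default_factory=list)

    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    def mitigate(self, measure: str, reduces: str) -> None:
        """Apply a measure that lowers 'likelihood' or 'impact' by one step."""
        current = getattr(self, reduces)
        setattr(self, reduces, SCALE[max(0, SCALE.index(current) - 1)])
        self.measures.append(measure)

def treat(risk: Risk, candidates: list) -> dict:
    """Apply measures in order until residual risk is acceptable; anything
    still above the cut-off is flagged for continuous monitoring."""
    for measure, reduces in candidates:
        if risk.score() <= ACCEPTABLE_MAX:
            break
        risk.mitigate(measure, reduces)
    score = risk.score()
    return {"name": risk.name, "residual": score, "colour": risk_colour(score),
            "monitor": score > ACCEPTABLE_MAX, "owner": risk.owner}

# Constructed sample: re-identification of survey respondents from free text.
REID = Risk("re-identification from free-text answers", "high", "high", "PI")
RESULT = treat(REID, [("pseudonymise before analysis", "impact"),
                      ("needs-based access to raw data", "likelihood"),
                      ("data exchange agreement with processor", "likelihood")])
```

A risk that stays above the cut-off after all candidate measures comes back with `monitor` set, which is the case the guide says needs described monitoring activities and a named owner.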

Read more

  • European Network and Information Security Agency (ENISA, 2006) report “Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools”
  • European Commission (2021) guidance “EU Grants: How to complete your ethics self-assessment”, which sets out the need to assess the risks in the context of environmental damage, research safety, use of artificial intelligence, misuse of research results and processing of personal data

2.14.2. Assessment of risks associated with personal data processing

General research-ethical risks may have something in common with data protection risks [5]. For example, a research study may undermine people’s right to privacy or discriminate against them. Therefore, before starting a research project, the researcher must identify the risks involved in processing personal data and the potential impact on people.

In data protection, risks should be considered in at least two cases.

First, information security risks must be assessed to ensure the integrity, availability, confidentiality and secure processing of personal data. This is done mainly by the university’s information security specialists, who ensure that the researchers have the appropriate equipment (see 3.1).

Secondly, the potential harm arising to data subjects from personal data processing must be taken into account. If the study involves a high risk of harm to people’s rights and freedoms, the GDPR requires the responsible person to carry out a data protection impact assessment, which is a specific form of risk assessment.

2.14.3. Preparing a data protection impact assessment

It is necessary to prepare a data protection impact assessment if the processing of personal data – considering the nature, scope, context and purposes of the processing – is likely to threaten the rights and freedoms of people. There is no clear and simple definition of when an impact assessment is mandatory. It is up to the controller to assess the impact of the planned processing on people. The concept of high risk is an important element of data protection. However, the GDPR and the guidelines of the Data Protection Inspectorate define the high-risk processing of personal data somewhat differently.

1. The GDPR gives three examples of high-risk processing:

  • systematic, extensive and automated assessment or tracking of people (including profiling), which has legal or other equivalent consequences for people;
  • extensive processing of special categories of personal data or data relating to the offence;
  • comprehensive surveillance of public areas.

In these cases, an impact assessment is mandatory. In other situations, the controller must assess the level of risk. The relevant factor is the harm to the rights and freedoms of people. The risk is high if there is a reasonable likelihood of harm to the rights and freedoms of individuals.

2. The Data Protection Inspectorate has set additional criteria for conducting a data protection impact assessment – the scope and systematic nature of the processing. According to chapter 5 of the Data Protection Inspectorate’s general guidelines for data processors, data processing is systematic if it is methodical and planned. As research is by default always systematic, the controller must pay particular attention, when assessing a high risk, to the scope of the processing, in both quantitative (a large number of data subjects) and qualitative terms (special categories of data and data on offences).

In “Making an impact assessment”, the Data Protection Inspectorate points out specific cases in which the scope of processing involves such a risk that a data protection impact assessment is required:

  • when processing the special categories of personal data of 5,000 or more people, or when processing offence data;
  • when processing data posing a high risk to 10,000 or more people;
  • in other cases, when processing the data of 50,000 or more people.

These figures concern the processing of personal data in Estonia. If the research study involves cross-border processing of data, the criterion of scope should be assessed on a case-by-case basis. According to the Data Protection Inspectorate’s guidelines, a high risk arises when processing, e.g.,

  • data, the disclosure of which would breach the confidentiality of the message;
  • people’s location data in real time;
  • personal data in a way that could lead to discrimination against persons with legal effect;
  • personal data of children.

Data protection impact assessment

According to Article 35 of the GDPR, data protection impact assessment consists of four major parts:

  • a description of the envisaged processing operations and their purposes;
  • an assessment of the necessity and proportionality of the envisaged operations;
  • an assessment of the risks to the rights and freedoms of people;
  • the measures envisaged to mitigate the risk.

When preparing the impact assessment, other documents relevant to the personal data processing and directly related to the study should be consulted, such as research records reflecting the data processing method, policies on granting access rights, contracts, etc. If necessary, the specialist for data protection should be involved. In the case of international research, the organiser may require an impact assessment to be carried out under the organiser’s rules in the country of research.

The specialist for data protection must be involved when the impact assessment has found that a major risk persists and the proposed measures do not entirely eliminate or sufficiently mitigate it. If necessary, the options to mitigate the risks are explored jointly, in consultation with the Data Protection Inspectorate.

Read more

  • Data Protection Inspectorate’s general guidelines for data processors, chapter 5 “Making an impact assessment” and annex 1 “Checklist for making an impact assessment”
  • European Network and Information Security Agency (ENISA, 2006) report “Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools”
  • Data Protection Inspectorate’s sample impact assessment

[5] While it is common practice in IT, national defence, environmental and some other fields to consider risk and oht (threat) as different terms in Estonian (see e.g. https://akit.cyber.ee/term/52-risk and https://akit.cyber.ee/term/93-oht, https://eits.ria.ee/et/seletavsonaraamat/ o?id=96649ad7b153a7f6d3bae608d0b1cbfe, https://sonaveeb.ee/search/unif/dlall/mil/risk/1 and https://sonaveeb.ee/search/unif/dlall/mil/oht/1, https://www.riigiteataja.ee/akt/163255), they are used synonymously in this guide due to the wording of different legislative acts and guidelines.