Take steps to transparently manage risks posed by enhancing access to sensitive categories of research data and other research-relevant digital objects from public funding, including personal data, by applying specific risk mitigation measures, as well as providing for a “right to know” in cases of digital security incidents affecting the rights and interests of stakeholders.
Risk management and mitigation

Implementation options
Risk mitigation measures exist in particular for sensitive personal data. In Europe this is most notably implemented through the General Data Protection Regulation (GDPR).
Options for implementation include:
- Provide support for researchers to evaluate the sensitivity of their data and to develop Technical and Organisational Measures (TOMs) to mitigate any security, safety, economic or geopolitical risks associated with their research, their research partnerships and their international travel. This may include co-operation with institutional data protection officers as well as strengthening their role and resources.
- Request and/or promote that research outputs be deposited in repositories that have safety standards and protocols for preservation (trusted repositories).
- Request data management plans that include measures to mitigate risks associated with access to personal and sensitive data. Measures related to storage, access and sharing of the data and information should be recorded in a data management plan. Sensitive research data may be appropriately shared through mediated access arrangements and the application of a risk assessment framework.
- Encourage the use of Privacy Enhancing Technologies (PETs) in research projects.
- Request that research projects build risk management mechanisms into their design.
Main hurdles and risks
Balancing open access with data protection is complex, particularly for sensitive data.
Challenges include:
- Developing and enforcing risk mitigation measures across diverse projects and institutions can be resource-intensive and inconsistent.
- Lack of awareness or expertise among researchers and staff on managing data security risks may lead to non-compliance.
- Establishing effective mechanisms to ensure the “right to know” during digital security incidents requires clear communication channels and rapid response systems.
- Navigating varying legal and ethical standards across jurisdictions adds complexity to ensuring compliance and harmonised risk management practices.
Risk management and mitigation case studies
15 April 2025