Research data (personal or not) must be carefully secured against loss, theft and tampering. As part of Utrecht University's Information Security Policy, you are asked to classify your data. Classifying data is a practical means by which to apply neither too little nor too much protection. Based on a set of questions, you determine the value of your data as well as the security risks this data is exposed to. This allows you to reach a conclusion about the impact a data breach of your data could have. More information on data classification can be found on the intranet. You can go through the classification process yourself. If you need help, contact the data classification contact person from your faculty. This is generally the Local Information Security Manager (LISM), but you can also get help from the University's Corporate Information Security Officer (CISO) via email@example.com.
The extensive data classification procedure involves three security aspects of the data:
concerns whether authorised users have timely access to the data at the right times
refers to whether the data is correct and complete and whether only authorised users can make changes to the data
relates to whether the data is only accessible for authorised users.
You can then consult a matrix to find the corresponding measures you should take in order to properly protect your data. This could entail data encryption, two-factor access control, the need for an additional backup, auditing or detection of unauthorised changes.