Research data risk classification framework and guidelines

The research data risk classification applies to all research data used/created while conducting research under the auspices of University of Waterloo. The data may be or has been collected and/or stored in paper or electronic form. This could include mobile devices, personal computers, portable media, and online storage. These can be privately- or University-owned and located on or off University premises.

The term "research data" is defined according to the definition adopted by the Tri-Agency Research Data Management Policy and the Digital Research Alliance of Canada:

Data that are used as primary sources to support technical or scientific inquiry, research, scholarship, or artistic activity, and that are used as evidence in the research process and/or are commonly accepted in the research community as necessary to validate research findings and results. All other digital and non-digital content have the potential of becoming research data. Research data may be experimental data, observational data, operational data, third party data, public sector data, monitoring data, processed data, or repurposed data.

• Human participant data: Data from or about humans that are collected, obtained, and/or used as part of the research processes and outputs and/or used to answer the research question(s). Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans, 2nd edition (TCPS2) Chapter 5: Privacy and Confidentiality outlines the following categories and provide guidance for assessing the extent to which information could be used to identify an individual:
  • Directly identifying information – the information identifies a specific individual through direct identifiers
  • Indirectly identifying information – the information can reasonably be expected to identify an individual through a combination of indirect identifiers
  • Coded information – direct identifiers are removed from the information and replaced with a code.
  • Anonymized information – the information is irrevocably stripped of direct identifiers,
  • Anonymous information – the information never had identifiers associated

For more information about Human Participant Data and ethical considerations in being respectful stewards of their data, please review the Guideline on securing human research participant information and data and contact the Research Ethics team (researchethics@uwaterloo.ca). 

• Indigenous Data including any data, information, and knowledge, in any format, that impacts Indigenous Peoples, Nations, and Communities at the collective and individual levels including:
  • Data about Indigenous Resources and Environments (land, water, geology, titles, air, soil, sacred sites, territories, plants, animals, etc.)
  • Data about Indigenous Peoples as Individuals (administrative, legal, health, social, commercial, corporate, services, demographics, etc.)
  • Data about Indigenous Peoples as Collectives – Nations, Peoples, and Communities (traditional and cultural information, archives, oral histories, literature, ancestral and clan knowledge, stories, belongings, etc.)

For more information about Indigenous Data Sovereignty and considerations in being respectful stewards of Indigenous data, please contact the Indigenous Research team (Indigenous.Research@uwaterloo.ca).

Definition

Indigenous Data Sovereignty: is the authority of Indigenous peoples, Nations and communities over their own data, how their data are framed, and how their data are managed. This includes sovereignty over the collection, use, control, access, possession, and sharing of these data. These rights are recognized and upheld by the United Nations Declaration on the Rights of Indigenous Peoples. 

• Open data are available to the public so that anyone can view, use, modify, and share as permitted by the license. See Creative Commons for license options. Open data are typically accompanied by a license that promotes openness and transparency. Characteristics include:
  • Accessible without barriers, such as paywalls or registration requirements.
  • Formatted in a way that is easy to use and analyze, such as CSV or JSON, and not locked into proprietary formats.
  • Use the data for any purpose, including commercial use, if they comply with the terms of the open data license.
  • Promotes transparency and accountability in government and organizations, allowing citizens to engage with and understand information.
• Publicly available can be accessed by the public but may not necessarily adhere to the principles of openness. It may be available for viewing but could have restrictions on use, modification, or redistribution. Characteristics include:
  • May be some barriers, such as the need to register or agree to terms of use.
  • Limitations on how the data can be used, such as prohibiting commercial use or requiring attribution.
  • Not always provided in a user-friendly format.
  • May require permission to access or have an associated fee.

• Regulated Data: information that is protected by local, national, or international statute or regulation mandating certain restrictions.
• Administrative Data collected from administrative systems (e.g., government or institutional databases) and is commonly used in fields like health and social sciences.
• Online Services Data which encompasses a wide range of information from online activities (like search engines and e-commerce) and can be valuable for various research inquiries.
• Aggregate Data: Data presented in summary form, where individual responses are combined to provide overall trends or statistics, such as survey results showing the average response from a group without revealing individual data points.
• Confidential Information: where there is an expectation that such information will not be disclosed to anyone except those people requiring the information for a legitimate purpose. Confidential information must be protected against unauthorized use (as “use of information” is defined, above) or disclosure.
• Sensitive research areas data identified in Annex A of the National Security Guidelines for Research Partnerships
  • Research subject to the Export Control List (ECL) of the Export and Import Permits Act (EIPA). Examples include:
    • conventional weapons and dual-use goods
    • missile and rocket technology, space technology and chemical and biological weapons and agents
    • nuclear programs
  • Research in the area involving or applicable to nuclear programs that are subject to the Nuclear Non-proliferation Import and Export Control Regulations.
  • Research in areas related to goods or technology identified in the Schedule (section 35) of the Defense Production Act (known as the Controlled Goods List) are sensitive and subject to the Controlled Goods Program; and/or technical data as defined by Technical Data Control Regulations also under the authority of the Defense Production Act
  • Sensitive Technology Research Areas or dual-use technologies that have both civilian and military applications, See Canada’s Policy on Sensitive Technology Research and Affiliations of Concern
  • Additional research areas data that can be considered sensitive:
    • Research involving the 31 critical minerals which are deemed critical in the Canadian Critical Minerals Strategy and play a vital role in economic security, national transition to a low-carbon economy, and strategic partnerships.
    • Research involving the 10 critical infrastructure sectors outlined in Canada’s National Strategy for Critical Infrastructure which are processes, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government.
    • Big data/large datasets: Semi-structured and unstructured data in a wide variety of formats, in large volumes, and produced at high speed. “Big” data, by virtue of their volume, velocity, or variety, cannot be easily stored or analyzed with traditional methods. Things like sensors, Internet of Things (IoT) devices, and social media all create “big” data. This data can be analyzed to reveal patterns, trends, and associations, particularly concerning human behaviour and interactions. The sensitivity of these datasets depends on factors like the nature, type, and state of the information contained, as well as how the data might be utilized in the aggregate.
    • Research areas that use sensitive personal data that could be leveraged by hostile state actors to harm Canada’s national and economic security through its exploitation. a list of examples of sensitive data.

For more information about Sensitive research areas data and considerations in being responsible and compliant stewards of the data, please review Safeguarding Research and contact the Research Security team (safeguardingresearch@uwaterloo.ca).

Certain types of information are not classified as research data and are subject to the Freedom of Information and Protection of Privacy Act (FIPPA). This information should be classified according to Policy 46 Confidentiality Classifications. Examples of such information include:

• Research Papers: Scholarly articles presenting findings of research, including analyses and conclusions, but not classified as raw research data.
• Administrative Records: Documentation related to the planning and administration of research activities that do not involve the direct collection of data.
  • Cover Sheets
  • Grant Proposals
  • Data Management Plans (DMPs)
  • Cybersecurity plans
  • Equity, Diversity & inclusion plans
• Financial Data: Budgetary and financial documents that do not pertain directly to specific research data.
• Personnel Records: Information related to staff and graduate students that does not involve research data collection or analysis.
• Human participant information: Personal information collected and used to run a research study, such as contact information (names, phone numbers, email). This is not required to answer the research question(s).
• Contractual Agreements: Agreements with external collaborators or institutions that do not include research data.
• Correspondence: Communication related to the administration of research but not involving research data collection or analysis.
• Policy Documents: Institutional policies and guidelines not directly related to specific research projects.
• Data about external partners or institutions involved in the research project, including their expertise and contributions.
• Intellectual Property (IP): Creations of the mind (e.g., inventions, trademarks) resulting from research activities, but not considered research data. See Policy 73 for more details.

List all individuals or groups who have a vested interest in the research data or could be harmed by a compromise to the confidentiality, integrity, or availability. Consider not only the potential harm to those directly involved, but also consider the broader implications for the research community, the university, the public, and national security. Groups to consider include but are not limited to:

• Researchers
  • Principal Investigators, Co-Investigators, Collaborators, Graduate Students, Undergraduate Research Assistants, Post-doctoral Fellows, Staff

• Research Participants
  • Data/records- identifies/de-identified/anonymous, surveys, questionnaires.
• University of Waterloo
  • Institution, Faculty, Administration – Office of Research, Research Centre/Institute, Lab
• Research Partners
  • Institutional, Private, International
• Research Sponsors
  • Private, Public (Tri-Agencies, Municipal, Provincial, Federal), International, Non-Profit)
• Canada & Allies (National Security, Democracy, Population Health, Economy, Infrastructure)
• General Public (Health, Safety, Rights & Freedoms)
  • Canadian citizens & permanent residents
  • Foreign nationals
• Indigenous Peoples
  • First Nations, Inuit, and Métis
  • International Indigenous Peoples
• International Research Collaborations/Sponsors
  • International research collaborations and funding, while pivotal for advancing scientific knowledge and fostering global cooperation, introduce heightened risks to research data security. Awareness of the geopolitical landscape is required to identify potential risks associated with international collaboration and funding. The Office of Research published resources regarding the Government of Canada’s National Security Guidelines for Research Partnerships, which help researchers, research institutions and funders identify and mitigate potential national security risks. The following are additional resources that help to identify countries and/or entities that contribute to a higher risk profile:
    • Research which requires an export permit issued by the Minister of Foreign Affairs due to collaborations with institutions and/or researchers located in a country listed on the Area Control List of Export and Import Permits Act (EIPA).
    • Research involving entities regulated by Canadian sanctions legislation, specifically the Special Economic Measures Act or the United Nations Act.
    • Research involving individuals and entities subject to specific sanction regulations as listed on the Consolidated Canadian Autonomous Sanctions List.
    • Research conducted in collaboration or funded by an organization on the Named Research Organization list (NRO) included in the Policy on Sensitive Technology Research and Affiliations of Concern or may otherwise be deemed to have close linkages with hostile foreign military, state security intelligence agencies.
    • Countries listed by the Canadian Centre for Cyber Security in the National Cyber Threat Assessment 2025-2026, possess state-sponsored cyber threat programs.

The Research Data Lifecycle acts as a roadmap for researchers, outlining key considerations for Research Data Management (RDM) at each stage.

Researchers should also consider the extent to which the data are interconnected with other systems or datasets. This assessment helps identify the potential impact of a data breach or exploit on other parts of the research ecosystem and highlights key impacted/interested parties and their roles in managing and protecting the data throughout its lifecycle.

Research data lifecycle phases

Plan: organize research data for discovery, reuse, and archiving and creating a data management plan (DMP).

Create: identify, acquire, and generate research data and metadata.

Process: data are prepared for analysis through validation and cleaning.

Analyze: analyze prepared data.

Disseminate: share findings.

Preserve: transition data to an archival state.

Reuse: ensure data are discoverable and accessible for integration into new datasets.

The following elements need to be considered at each phase of the research data lifecycle and should be integrated into the DMP; the specific implementation of these elements will vary based on the assessed risk level classification of the data.

• Store: The active and archival storage of data, with an emphasis on accessibility and security.
• Discover: Ensuring data discoverability to facilitate accessibility and mobilization for future research use.
• Document and Curate: Providing rich descriptions of data context.
• Secure: Addressing consent, ethical considerations, and maintaining integrity while utilizing established security platforms and guidance from privacy and IT security services.

​How is risk calculated?

Considering the value of research data and its appeal to malicious actors, it is essential to align handling protocols, processes, and security controls with the assigned data classification. Researchers, with support from campus experts, must identify vulnerabilities and apply targeted cybersecurity measures to ensure data protection and reliable research outcomes. These efforts are critical to maintaining public trust and preserving the integrity of the research process.

Risk assessment involves evaluating threats to research and infrastructure, data exposure, and the impact of unauthorized disclosure, modification, or inaccessibility, forming the foundation for effective risk management.

To calculate risk effectively, researchers must assess the following key factors:

• Threat: Any potential danger that could exploit a vulnerability to cause harm to an asset. This can include malicious actors, natural disasters, or system failures.
• Exposure: How exposed or available are the data to threats, or potential threats.
• Impact: The potential consequences or damage that could result from a successful exploit. This includes financial losses, reputational damage, legal implications, and operational disruptions.

Research data classification framework

For full details, please see:

.

1. Determine the Scope: Identify the following:
   • Impacted/interested parties
   • Data types
   • Map the Research data lifecycle
   • Identify the compliance obligations: University of Waterloo Policies, Laws, Regulations, Governing bodies, etc.
2. Identify & Engage Expertise: Identify internal or external experts to support risk assessment and mitigations.
3. Identify Potential Harms & Impacts: Assess the consequences of data breaches or misuse on individuals, the institution, and society. Examples include (non-exhaustive:
   • Reputation: Damage to the credibility of researchers, institutions, or organizations.
   • Harm to Research Participants: Privacy violations, identity theft, and misinterpretation of data.
   • Harm to Indigenous Communities: Impact on trust, sovereignty, and ethical research practices.
   • Delayed Research: Disruptions in data availability causing research delays.
   • Financial Costs: High costs of remediation, investigations, and implementing security measures.
   • Loss of Funding: Reduced confidence in research data leading to funding challenges.
   • Theft & Illicit Transfer of Technology: Loss of competitive advantage and IP theft.
   • Debarment: Potential revocation of research permissions or funding due to compliance failures.
   • Criminal Liability: Potential legal consequences for non-compliance with regulations.
   • National Security: Risks to national security from foreign interference or misuse of sensitive data.
4. Identify & Assess Threats (Actors & Attacks):
   • Identify possible threat actors (Advanced Persistent Threats - APT, Cybercriminals, Hacktivists, Insider Threats, Nation-States, Terrorist Groups, Thrill-Seekers) and evaluate their skills/capabilities, motive and opportunity.
   • Identify possible attacks. The Canadian Center for Cybersecurity provides a non-exhaustive list of common tools and techniques that are used by threat actors.  MITRE ATT&CK® also provides a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Researchers can consult with their respective Information Technology administrators and ISS/IST to identify applicable attacks.
5. Identify & Analyze Exposures: Assess the level of exposure of data to threat actors, or potential threat actors
   • Data Storage and Security: Location, security controls, volume, backup, archival, compliance
   • Data Modification: User profiles, access controls, permissions, access frequency
   • Access Location: Working remotely, external institutions
   • Device Security: Endpoint protection, vulnerability management, encryption, access controls
   • Collaboration Level: Internal/external partnerships, international collaborations
   • Interfaces for Data Access: Authentication, data transfer protocols, logging
   • Data Retention: Legal requirements, destruction protocols, backup and recovery
   • Software Requirements: Licensing, vendor security, authentication methods
6. Develop Strategies Based on Classification: Based on the assigned classification, implement tailored security measures and data management strategies to address the specific risks, ensuring appropriate levels of protection, access control, and compliance with relevant policies and regulations.

​