Data Risk Classification Flow
flowchart TD
    Start[Start] --> Generate{"Will the research generate (including by selecting, sorting or combining) any personal data?"}
    Generate --> |No| Input{"Will any project input be personal data?"}
    Generate --> |Yes| Threat{"Would disclosure pose a substantial threat to the personal safety, health or security of the data subjects?"}
    Input --> |No| Commercial_1{"Will you be working with commercial-in-confidence information or private third party intellectual property or legally or politically sensitive data?"}
    Input --> |Yes| Public{"Is that personal data legally accessible by the general public with no restrictions on use?"}
    Commercial_1 --> |No| Advantage{"Will releasing any of the datasets or results impact on the competitive advantage of the research team?"}
    Commercial_1 --> |Yes| LowConsequence_1{"Do you have high confidence that the commercial, legal, reputational or political consequences of unauthorised disclosure of this data will be low?"}
    LowConsequence_1 --> |No| LikelyAttackers
    LowConsequence_1 --> |Yes| TrivialConsequence{"Do you have high confidence that the commercial, legal, reputational or political consequences of unauthorised disclosure of this data will be trivial?"}
    Advantage --> |No| Tier0[Tier 0]
    Advantage --> |Yes| Tier1[Tier 1]
    Threat --> |No| Tier3[Tier 3]
    Threat --> |Yes| Tier4[Tier 4]
    Public --> |No| Pseudonymised{"Is that personal data pseudonymised?"}
    Public --> |Yes| Commercial_1
    Pseudonymised --> |No| Threat
    Pseudonymised --> |Yes| AbsoluteConfidence{"Do you have absolute confidence that it is not possible to identify individuals from the data, either at the point of entry or as a result of analysis that may be carried out?"}
    AbsoluteConfidence --> |No| StrongConfidence{"Do you have strong confidence that it is not possible to identify individuals from the data, either at the point of entry or as a result of analysis that may be carried out?"}
    AbsoluteConfidence --> |Yes| Commercial_1
    StrongConfidence --> |No| LikelyAttackers{"Do likely attackers include sophisticated, well resourced and determined threats, such as highly capable serious organised crime groups and state actors?"}
    StrongConfidence --> |Yes| Commercial_2{"Will you be working with commercial-in-confidence information or private third party intellectual property or legally or politically sensitive data?"}
    Commercial_2 --> |No| Tier2[Tier 2]
    Commercial_2 --> |Yes| LowConsequence_2{"Do you have high confidence that the commercial, legal, reputational or political consequences of unauthorised disclosure of this data will be low?"}
    LikelyAttackers --> |No| Tier3
    LikelyAttackers --> |Yes| Tier4
    LowConsequence_2 --> |No| LikelyAttackers
    LowConsequence_2 --> |Yes| Tier2
    TrivialConsequence --> |No| Tier2
    TrivialConsequence --> |Yes| Tier1
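
The flow above encoded as a graph and walked with a set of yes/no answers, returning the tier together with the trail of questions that produced it, so a classification can be recorded and re-checked. This is an added example, not part of the original page: the node ids are the diagram's own, while `classify`, `all_paths` and the shape of the answers dictionary are assumptions.

```python
# Added example: the classification flow as data. Node ids match the diagram.
FLOW = {  # question id -> (next node on "No", next node on "Yes")
    "Generate": ("Input", "Threat"),
    "Input": ("Commercial_1", "Public"),
    "Public": ("Pseudonymised", "Commercial_1"),
    "Pseudonymised": ("Threat", "AbsoluteConfidence"),
    "AbsoluteConfidence": ("StrongConfidence", "Commercial_1"),
    "StrongConfidence": ("LikelyAttackers", "Commercial_2"),
    "Threat": ("Tier3", "Tier4"),
    "Commercial_1": ("Advantage", "LowConsequence_1"),
    "Advantage": ("Tier0", "Tier1"),
    "LowConsequence_1": ("LikelyAttackers", "TrivialConsequence"),
    "TrivialConsequence": ("Tier2", "Tier1"),
    "Commercial_2": ("Tier2", "LowConsequence_2"),
    "LowConsequence_2": ("LikelyAttackers", "Tier2"),
    "LikelyAttackers": ("Tier3", "Tier4"),
}
START = "Generate"
LABEL = ("No", "Yes")


def classify(answers):
    """Walk the flow with {question id: bool}; return (tier, audit trail)."""
    node, trail = START, []
    while node in FLOW:
        if node not in answers:  # refuse to guess an unanswered question
            raise KeyError(f"no answer recorded for question {node!r}")
        answer = bool(answers[node])
        trail.append((node, LABEL[answer]))
        node = FLOW[node][answer]
    return int(node[len("Tier"):]), trail


def all_paths(node=START, trail=()):
    """Enumerate every route through the flow as (tier, trail) pairs."""
    if node not in FLOW:
        yield int(node[len("Tier"):]), trail
        return
    for answer, nxt in enumerate(FLOW[node]):
        yield from all_paths(nxt, trail + ((node, LABEL[answer]),))


if __name__ == "__main__":
    # Constructed project: pseudonymised personal input, strong (not absolute)
    # confidence against re-identification, no commercially sensitive data.
    tier, trail = classify({"Generate": False, "Input": True, "Public": False,
                            "Pseudonymised": True, "AbsoluteConfidence": False,
                            "StrongConfidence": True, "Commercial_2": False})
    print(f"Tier {tier}:", " -> ".join(f"{q}={a}" for q, a in trail))
```

Enumerating `all_paths()` makes properties of the flow checkable, for example that personal data which is neither public nor pseudonymised never lands below Tier 3.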