Hans was working on a study about a drug for geriatric health issues. All data (contact information, interviews, health records, medication records) from nursing home residents were stored at the research institute under strict security protocols and could only be processed on-site. With a bit of trickery, Hans managed to bypass the security measures and made local copies of all the files on his laptop.
One day, Hans was working in a café. While he used the restroom, he left his laptop unattended and without a screen lock on the table. A person, who specialized in spying on data in public spaces, took the opportunity to copy the data, including personally identifiable information (names, addresses) in order to sell the information to criminal third parties.

This story highlights extremely concerning researcher behaviour with regards to data protection: the careless handling of sensitive data in public spaces, the storing of personal data together with other research data, and the bypassing of security measures.
A key element for handling personal data safely is establishing a security-focused research culture. Researchers should be thoroughly educated and trained in data protection, especially regarding their responsibilities and obligations. This includes ensuring the security of local data, for example, through encryption and access control, as well as being fully informed about the risks of working in public spaces. If personal data is essential for analysis, pseudonyms should be used to reduce the risk of re-identification. To increase the commitment to agreed principles and measures, these can be formally documented.