CSR Advisory document ‘Making data breach notifications available for research purposes’ - CSR Advisory document 2020, No. 1

The obligation to report data breaches generates a substantial quantity of data in connection with security incidents involving personal data. Further analysis of these data may yield recommendations for improving our information security. The Dutch Data Protection Authority (Dutch DPA) is prepared to make these data available – under certain conditions, of course – for research purposes. The Cyber Security Council (CSR) and the Dutch DPA have, in close consultation, arrived at the opinion that a project should be carried out in order to determine the value of making these data available for research purposes.