As a researcher there are steps that you can take that will help you to protect your research, ensure that you are meeting all your legal obligations and support you in making informed decisions about research collaborations. These measures should always be proportionate to the risk and balanced to support the benefits of international research collaboration.
- Collaborating with research partners – protecting intellectual property, making informed decisions about international collaboration and managing cyber risks
- Using legal frameworks – understanding contractual expectations, export controls and GDPR
- Helping researchers to stay safe – protecting your personal and research data, working with overseas researchers and attending conferences abroad
1. Collaborating with research partners
- Due diligence: Conduct due diligence when considering a new research and/or funding collaboration. This should include ethical, legal and national security considerations as well as financial. You will then have all the information needed to make an informed and balanced decision about whether you want to work with them.
- Conflict of interest: Be aware of potential conflicts of interest between research and/or funding partners that you work with. Be open with your partners and discuss your security arrangements, and their security needs, regularly.
- Segregation: Ensure that, where necessary to protect IP, research or personal data, there is appropriate segregation between research programmes, both physically and online. Only give access to research to those who have a valid requirement.
Securing funding for even short-term research can be a source of pressure and, understandably, security considerations may be of secondary concern. Increasingly, legitimate industry or commercial partners who are seeking to fund research expect assurance around the protection of the resulting intellectual property (IP), which they hope will contribute to their future commercial success and to the success of the wider economy. A ‘secure research’ offering could result in assurance for prospective industry partners or sponsors whilst simultaneously protecting your existing relationships.
3 Key things to consider...
If you are collaborating with multiple partners, it is crucial to avoid conflicts of interest. It may be possible to explore a related but different focus for collaboration with a new research partner in order to avoid a conflict of interest with your existing partner.
Without compromising academic freedoms or curtailing the benefit of collaboration, some degree of separation between areas of research may be necessary. In some cases, you may wish to consider segregating IT network access, information and potentially people to prevent one partner having visibility of the work which another partner is sponsoring. Developing a good research security culture and having agreed guidelines between fellow researchers is a positive way of approaching this issue.
As part of managing long-term research relationships, it is important to be transparent about new research commitments. This may mean speaking to your existing sponsors, with potential implications for your ability to enter into non-disclosure agreements. Visibility of research across a laboratory, department or university is also critical. Laboratory or departmental meetings are a key opportunity to provide such visibility, and your regular meetings with research partners could include discussion about security.
Cyber security for research collaboration
When entering a new foreign collaboration, including a funding arrangement, you will need to understand the cyber security risks presented and the additional mitigation activities required.
Your IT department will be able to support you with implementation of the following measures:
It is important that you control access to sensitive data, whether that is personal data or research data. You should only allow users and partners with a valid requirement to have access to sensitive data, research and other parts of your networks. You should also ensure that you understand the security of any collaborative IT platforms, especially those used by third parties.
Unauthorised access monitoring and prevention
Even when critical or highly sensitive data is separated and privileged access is limited, there may be instances of unauthorised access attempts. These could be from system users (insider threat) or from partners or other sources (external threat). You must ensure there are effective cyber security arrangements in place to monitor and defend against unusual or malicious network activities.
Supply chain or partner organisation security
Many issues around supply chain security are due to the poor security practices of partner organisations or managed service providers. Working with overseas partners may present a higher level of risk. You should develop an understanding of the cyber risks associated with partner organisations, managed service providers and potentially vulnerable components at an early stage.
You may also wish to confirm whether your institution is recognised as meeting cyber security industry standards, in line with the NCSC’s Cyber Essentials, as that will demonstrate to your partners that your institution is working to secure your IT against a whole range of the most common cyber attacks.
A SECURITY-MINDED AGENDA FOR RESEARCH PARTNERS
A university with long-established research relationships saw that critical to their success was having regular interactions with their partners, usually on a quarterly basis, where they ensured that security was a standing item for discussion. When it came to publishing, they had an agreement with their sponsors that they would consult on the content of papers and have a set process for arbitrating conflicts.
As the sponsors were engaged in a long-term funding relationship, there was an opportunity to consult early on new areas of research. These early discussions provided an opportunity to give confidence to the long-established research partner.
The open and transparent relationship included talking about who was working on a project, changes to personnel, and any visiting research fellows working on closely related topics. This ongoing dialogue extended to IT/network security and data protection and was an opportunity to discuss how the sponsor’s data and information was protected and held.
What do you know about your potential research partner?
Universities already invest significant effort in conducting due diligence around the financial sustainability or fraud risk associated with a research partner or funder. You should also consider whether a research or funding partner poses ethical or national security concerns. This consideration should go beyond questions of compliance (such as the export control regime) and consider reputational risks. An internet search can provide a lot of information about a partner, their relationship with a state or state military, and the nature of any previous research they have undertaken.
Things to consider include:
- Is there any publicly available information about an organisation, institution or entity which might give you cause for concern?
- In view of that information, what might be the broader application or unintended consequences of working with them in the area of research that you intend to undertake?
- What information is available about the level of freedom and the state of law of the country where your research partner is based?
The following resources could help inform your decision about the suitability of research with specific partners:
2. Using legal frameworks
- Export Control: Ensure that you understand whether your research is subject to export control. Research activities are covered by export control legislation and there are tools that you can access to check whether your research needs to have an export control licence.
- Legislation: When collaborating with a foreign research partner or funder, ensure that you have an awareness of the different legislative frameworks under which they may operate and how this might impact your agreements or partnership.
- GDPR: Be aware of your responsibilities to protect the data and information that you handle under GDPR legislation.
- Technology Transfer Office: Speak to your Technology Transfer Office (TTO) or equivalent at the earliest stage of considering a new collaboration. They should be well-placed to advise you on legal conditions and compliance issues.
Collaboration and contracts
Your research will often be subject to contractual arrangements, providing greater certainty around the expectations of a research partner or sponsor. Equally, sponsors will have contractual expectations. It is critical that you have a clear understanding of the impact of these agreements on the research that you undertake.
“Unfortunately, it is common for disputes to arise over co-created materials. That is not to say you shouldn’t collaborate. It is, however, essential that the collaborators agree upon the terms of the arrangement.” Maria Crimi Speth
UK export controls are designed to restrict the export and communication of sensitive technology or strategic goods, with the aim of preventing weapons of mass destruction (WMD) proliferation and countering international threats such as terrorism.
The controls apply equally to the academic community as to any other exporter, and from an academic perspective may touch on a range of areas of academic exchange which might enable technology transfer, either verbally, physically or electronically. Failure to obtain a licence to export controlled goods (or transfer knowledge on related controlled technologies) may result in a criminal offence being committed.
The following routine academic activities could be covered by export control:
- Research on behalf of an international partner
- International collaboration
- Presentations at conferences
- Export of materials
- Academic exchange with a colleague at an overseas institution
Your Technology Transfer Office, legal department or other relevant supporting corporate services should be able to help with advice on export control issues. ECJU also provides a support point of contact which is able to advise on whether a particular end user is likely to be of concern or not. You can contact the ECJU on 020 7215 4594 or by email on [email protected].
Further useful information and guidance is available from the following resources:
Guidance on export control for academia produced by King's College London in partnership with the Foreign and Commonwealth Office (FCO) and Export Control.
Export Control Organisation (PDF)
Guidance on Export Control Legislation for academics and researchers in the UK, produced by the Department for Business Innovation and Skills.
US entity control list (PDF)
Entities subject to license requirements for specified items under this part 744 and part 746 of the EAR (Export Administration Regulations).
UK Strategic Export Control List
Find out about the lists that control exports, which goods are on the list, when you need to apply for a strategic export licence.
EU Export control list
Regime for the control of exports, transfer, brokering, technical assistance and transit of dual-use items.
A multilateral export control regime with 41 participating states including many former COMECON (Warsaw Pact) countries.
WORKING WITH OVERSEAS INSTITUTIONS
A university worked in partnership with overseas institutions for a number of years on cutting-edge technology research. In 2019 the university discovered that a significant proportion of existing research agreements should have been subject to export control licence applications. The university undertook an extensive review of those agreements and, working with the relevant government departments, went through a process of submitting export control licences for those research programmes, some of which had to be paused during the process and some of which were stopped entirely.
You should be aware that, at the time of publication (2019), there are arms embargoes in operation against both China and Russia. You should also carefully consider whether any of your research is derived from the US, in which case you may also be subject to United States export control laws, specifically:
Compliance in foreign jurisdictions
If you are collaborating with an international partner there may be laws and regulations with which you will need to comply in your collaborator’s country. Most countries will maintain some form of export control, they may have laws which restrict their institution’s ability to share data or research outcomes, and the legal protections around IP may also differ in those jurisdictions. You should not assume that your research partner will take responsibility for such compliance, and you should be aware of any requirements that impact the collaboration. The Intellectual Property Office (IPO) provides advice on the protection of intellectual property in other countries.
China’s top legislature, the National People’s Congress (NPC), passed the National Intelligence Law in June 2017. The legislation allows Chinese intelligence agencies to compel Chinese organisations and individuals to carry out work on their behalf and provide support, assistance and cooperation on request. This may affect the level of control you have over any data, information, research and assets that you share with Chinese individuals and organisations, especially if your research is in an area that is of interest to the Chinese state.
The System of Operative Search Measures (SORM) is Russia’s legal intercept capability, which is administered by the Russian Federal Security Service (FSB). All communication service providers (CSPs) operating in Russia are obliged to install equipment to enable the FSB to monitor communications. The FSB can use SORM to monitor communications transmitted to, within, and out of Russia including voice calls, text messages, social media, web browsing and metadata. The FSB is not obliged to provide CSPs or commercial companies with any details of their monitoring of SORM. This may mean that you are unaware of how your sensitive communications and information are used outside of your commercial engagements in Russia (or with Russian individuals and companies).
Publish and protect
Freedom to publish will be of paramount importance to all academics, but it is possible to both publish and protect. In many cases, publishing first will be the means by which you protect your ideas but there may also be occasions when you want to protect aspects of your work if they have a sensitive application or if you are considering commercial opportunities.
Your Technology Transfer Office, legal department or other relevant supporting corporate services should be able to help with advice on export control issues and contractual undertakings.
Publishing and protecting research
At an early stage, before publishing or even speaking at a conference, consider if there is anything which is patentable within your research. Through the cycle of a research project, you should continually review progress and whether there is anything new which you have developed which might now be patentable. If working with sponsors or partners where there is a co-creation agreement for IP, maintain a regular dialogue and discussion around what may be patentable and explore an early framework agreement or process for agreeing sensitive material that may be sanitised without damaging your overall ability to publish.
In some cases, you should consider whether there are national security implications to the research and whether a National Security Patent under Section 22 of the Patents Act 2004 might be applicable. Alternatively, you may not want to patent an area of research as at that point your sponsor may wish to protect the information until they are closer to the point of commercialisation. In this case, you would be treating specific aspects of the research as 'trade secrets' and commercially sensitive. You will need to have an agreed process about those things which you may be able to publish and those things which you may wish to protect. Think carefully before disclosing information where you do not have a patent.
When you submit a patent application, the Patent Office will assess whether there are any national security applications which may require an application under Section 22. Some details of the technologies and areas that may fall within Section 22 are described below, although some details are not made public.
- Technology prejudicial to national security or public safety
- National security checks on patent applications
GDPR: Implications for research data
The Data Protection Act (DPA) 2018 sets out the framework for data protection law in the UK. It updates and replaces DPA 1998, and came into effect on 25 May 2018. It sits alongside the GDPR, and tailors how the GDPR applies in the UK - for example by providing exemptions. You must ensure that all data that you handle (including research data) is protected in compliance with GDPR. The Information Commissioner’s Office (ICO) is the regulator for GDPR and there are circumstances in which you will have to report a data breach to the ICO. A detailed guide to your responsibilities under GDPR can be found on the ICO website.
3. Helping researchers to stay safe
- Awareness: Ensure that you and your colleagues are aware of the measures that you can take to protect you and your research online. Good cyber security practices will reduce the likelihood of the loss or compromise of your research data.
- Visas: Ensure that visiting researchers with access to your facilities and IT network are centrally recorded as members of staff and have appropriate visas.
- Travel advice: When travelling overseas for a conference or longer period, consider local laws and customs as well as how you protect intellectual property and sensitive data. If relying on IT, make sure it can be used/accessed overseas.
The nature of your collaborations, including how you use and share data and research online, will require a tailored approach to cyber security in line with your institution’s security policies. However, there are some sensible tips that all individuals can follow, that will reduce the likelihood of loss or compromise of your research:
- Protect your email by using a strong and separate password
- Install the latest software and app updates
- Enable two-factor authentication on your email and collaboration platforms where possible
- Use a password manager to help you create and remember passwords
- Secure smartphones and tablets with a screen lock
- Always back up your most important data
Your IT department will be able to support you with any of the measures in this section.
Take care when using USB drives
USB drives or memory cards are a quick and easy way to transfer files between organisations and people. However, there are risks. If you’re handed a USB drive at a conference, for example, before you insert it:
- Consider how trusted the source of the USB drive is
- Make sure ‘autorun’ is disabled on your device via settings or system preferences, for example:
  - Windows 10: “Windows key + I -> Devices -> Autoplay -> Use Autoplay for media and devices (OFF)”
  - macOS just mounts the files rather than executing anything
- Make sure your antivirus software runs an auto-scan before your device accesses the data on the USB drive
If you need to share information, consider alternative means (such as cloud storage, email or dedicated collaboration platforms).
Preventing phishing attacks
Phishing attacks are one of the most common ways of obtaining personal and other data, so it is worth doing whatever you can to defend yourself against them. Phishing emails appear genuine but are actually fake. They might try to trick you into revealing sensitive information, or contain links to a malicious website or an infected attachment.
Below are some of the actions you can take to reduce the likelihood of being phished.
For more details please refer to the NCSC guidance that can be found on the NCSC website.
- Phishers use publicly available information about you to make their emails appear convincing. Review your privacy settings and think about what you post and what has been posted about you, such as conference or organisational biographies
- Know the techniques that phishers use in emails. This can include urgency or authority cues that pressure you to act
- Phishers often seek to exploit ‘normal business’ communications and processes. Make sure you understand your organisation’s policies and processes to make it easier to spot unusual activity
- Anybody might click on a phishing email at some point. If you do, tell someone immediately (e.g. your IT team or line manager). Prompt reporting will significantly reduce the potential harm caused by cyber incidents, so don’t assume that someone else will do it
PHISHING IN THE RESEARCH SECTOR
In August 2018, researchers discovered over 300 fake websites and login pages for 76 universities across 14 countries, including the UK. Victims were likely directed to the fake websites by email. After entering their credentials into the fake login page, the credentials were stolen and the victims redirected to the legitimate university website. This was likely to limit suspicion over what had taken place. Many of the fake pages were linked to university library systems, indicating the actors’ appetite for this type of material.
The researchers attributed this activity to Iranian actors who had previously targeted universities in order to steal intellectual property, including from library systems. This attack followed a previous Iranian campaign between 2013 and 2017, which saw the Mabna Institute target more than 100,000 accounts of academics worldwide and led to the loss of more than 30 terabytes of academic data and intellectual property.
Working with researchers from overseas
Academic institutions will want to attract visitors and researchers from overseas. You have a duty of care to all staff and need a degree of understanding of visiting staff’s backgrounds, previous work and ongoing obligations in order to help them to avoid conflicts of interest.
It is critical to follow your institution’s human resources procedures so that anyone working on research for the university (with access to its facilities and IT network) is recorded as a member of staff or a student. Even short-term research attachments must comply with your institutional policies. Also consider what expectations you or sponsors may have from staff at the end of their work, particularly around confidentiality and non-disclosure.
You also have a responsibility to ensure that they are working on an appropriate visa whilst at the university. Visas for overseas students applying for certain courses in the UK may be subject to the Academic Technology Approval Scheme (ATAS). Your visa office at the university will be able to advise.
ATAS applies to all international students (subject to existing UK immigration permissions) who are applying to study for a postgraduate qualification in certain sensitive subjects which could be used in programmes to develop weapons of mass destruction (WMDs), or their means of delivery. These students must apply for an ATAS certificate before they can study in the UK.
Staff working overseas
If you have staff working in a country whose democratic and ethical values are different from our own, your broader risk assessment of staff working overseas should include the following:
- If something happens to one of your colleagues when they are working overseas, who should they report it to?
- How often do you check up on whether they have any concerns or issues?
- What agreements are there with the institution that will be hosting them overseas?
- What are the rules and laws that they are required to comply with in that country?
- Do any laws conflict with any of the agreements that you have made with that institution?
- Will the work that they conduct be subject to UK export control?
- Are your colleagues aware of the export control laws, national security laws or intellectual property arrangements in the country in which they are working?
In 2019 a UK university identified that there were a large number of individuals with access to its facilities and IT network that were not recorded as members of staff at the university. In many cases this had occurred because individual academics at the university were informally approached by researchers based at overseas institutions, who had come to the university for a short-term placement which they had funded themselves. Although they had access to the university site and network, the visiting academics had not applied for appropriate visas for the research work that they were undertaking at the university.
Countries not conferences
With overseas conferences being a normal part of academic life, researchers will understandably focus on their presentations and potential research opportunities, rather than the security issues associated with travelling to a different country. Part of your preparation for any overseas conference should be to:
- Consider the country that you are travelling to, and be aware of local laws and customs
- Think carefully about what information you share or present
- Make sure you understand your host’s attitude to academic freedom and discussion
- Ensure that any payments you accept for attendance do not create a conflict of interest, or place you in a contractual breach or breach of university policies
- Be clear on the areas of research that you can, and cannot, talk about
- Be polite but firm if pressed to share more information
- Report any suspicions to your manager and the appropriate university authority
The FCO website has more detailed travel advice, including how to seek consular assistance in country.