The University supports its researchers in undertaking research using security-sensitive material, but takes seriously the need to protect them from the misinterpretation of intent by authorities, which can result in legal sanction. It is therefore important that the University is aware of the research before it begins and can ensure proper data management and oversight.
The registration process described below is a mechanism for allowing researchers to register their use of security-sensitive materials as part of legitimate research projects, thereby enabling the University to demonstrate to authorities that it is aware of the research being carried out. It is not a mechanism for reviewing this research or regulating it.
The guidance applies to all staff and students, both postgraduate and undergraduate.
Register all research that involves the use of security-sensitive research material
Individuals whose research falls within the definition of using security-sensitive research material must register their research project(s) with the University prior to commencement by completing the Registration Form and submitting it to the Research Governance and Planning Manager. The registration form must be approved by either the departmental Director of Research (staff research) or the research supervisor and departmental Director of Research (student research). This provides evidence that the University is aware of the research, and its legitimacy.
Use a University profile when visiting security-sensitive websites
Researchers should be aware that visits to security-sensitive websites (even from open access sites) may be subject to monitoring by the police and, if discovered, can prompt a police investigation. Therefore it is recommended that, when undertaking research, University IP addresses are used to access these sites, thus ensuring that any enquiries about such activities come to the institution in the first instance.
Use the University's individually allocated secure SharePoint site to store security-sensitive research material
Research material that is security-sensitive must not be stored on the researcher’s personal computer, University computer or on their standard University drives. Individuals indicating on the registration form that their research involves the storage of security-sensitive research materials will be allocated a secure SharePoint site drive for the storage of this material.
Physical data (e.g. reports/manuals) must be scanned and a copy uploaded to the site. Hard copies must subsequently be securely destroyed.
Documents stored on the secure site will only be accessible by the named research personnel and files from this store must not be exchanged. This will ensure that security-sensitive material is kept away from personal and university computers.
The Research Governance and Planning Manager will have oversight of the declared use of security-sensitive research material through the registration process. The purpose of this oversight is to allow a prompt response to any enquiries, internal and external, relating to declared use of security-sensitive material. The Research Governance and Planning Manager will be aware of the names of the researchers who are able to access each secure site and will be aware of the metadata for documents (e.g. the titles) that are stored, but will not know the content of the documents themselves. For those who declare the use of security-sensitive research material, this oversight will offer protection for researchers as it ensures that the research material is kept secure and at arm’s length from external intrusion (unless access is required for legal reasons).
If it is identified that material is being accessed or used within the University that appears to be security-sensitive, in particular material that might be connected with terrorism and extremism, this should be reported to the Research Governance and Planning Manager using the appropriate form.
Material of this kind can be connected with legitimate research and, on receipt of an enquiry form, checks will be made to establish whether the discovery of such material is linked to registered research.
If the identified material is not connected with legitimate research, the matter will be immediately reported to the University’s Security Manager.