Assessing risks associated to your research

This question requires you to review the Critical Minerals List to identify whether your proposed research may involve any of the identified mineral(s). This includes projects where you are working directing with critical minerals as well as where critical minerals may be an incidental component of the research, such as in mining waste or chemical byproducts. 

If you answer “Yes” or “Unsure” to this question, briefly describe in the Risk Identification section with which critical minerals your research intersects (or may intersect), if your project potentially relates to critical mineral extraction or their supply chains and how your proposal supports Canada Critical Minerals Strategy. You can also include potential consequences from the misuse or unauthorized transfer of critical minerals and/or research information related to them. 

In the Risk Mitigation Plan, identify potential measures or best practice that you intend to implement for this risk. You may also include any information from your due diligence research on your partner organization that helps mitigate this risk.

Example:

• Identification of risk: Your proposed research aims to explore the development of a metal alloy with aluminum that can be used to make light-weight components for vehicles; aluminum is a critical mineral on the list. There is a risk of your research being used to develop components for military end-use should the research information be transferred in an unauthorized manner; in other words, your research is dual-use. You may note that your research objective is not to develop military components, but rather supports the Canadian Critical Minerals Strategy by enhancing the efficiency of domestic production of vehicle components for the automobile industry.
• Potential mitigation measure: You can indicate that from your understanding, your research partner operates solely in the civilian commercial sector, and that you will employ the best practice of assessing that your potential partner’s motivations align with your own in the civilian usage of the research information and establishing an agreement on this intended use of all information surrounding the research project, up to and including research outputs. 

This question requires you to review the list of ten critical infrastructure sectors and identify whether the research may relate to any of the ten sectors of critical infrastructure. 

If you respond “Yes” or “Unsure” to this question, briefly describe in the Risk Identification section how the research project may intersect with or relate to any critical infrastructure sectors, as well as how it may support the National Strategy for Critical Infrastructure. Consider the potential consequences if this type of infrastructure sector were disrupted, including from misuse or unauthorized transfer of relevant sensitive information. If the proposed research is likely to support or enhance the resiliency of any critical infrastructure, be sure to include how it will do so.  

In the Risk Mitigation Plan, in addition to identifying specific measures or best practice you may employ, you can include findings from your due diligence of the potential partner who may access the critical infrastructure sector via this project to demonstrate that the partner will not cause disruptions.

Example:

• Identification of risk: Your proposed research examines vulnerabilities in existing encryption algorithms to develop more secure protocols; your research may intersect with the critical infrastructure category “Information and communication technology”. There is a risk that your research can be transferred in an unauthorized manner to an organization seeking to exploit vulnerabilities and access encrypted information.
• Potential mitigation measure: You should indicate that your team will use the best practice of employing sound cybersecurity and data management practices by adhering to UBC on cybersecurity and data management practices, as well as any additional cybersecurity measures as appropriate, such as vulnerability scanning and patching throughout the research project to better secure relevant information to prevent leaks or authorized access. We recommend you discuss your specific requirements with UBC Advanced Research Computing (ARC) Security & Privacy. You may also include that the type of cybersecurity and data management practices that your partner organization uses to help illustrate that they would also take measures to prevent potential exploitation of vulnerabilities of a critical infrastructure.

Personal data includes any information that can be used to identify an individual. Personal data can be leveraged by hostile state actors to harm Canada’s national and economic security through its exploitation. Some data is inherently sensitive, and some examples are indicated in the RAF and in List 2 of Annex A of the NSGRP; the sensitivities of other types of personal data will depend factors such as the how the data is being used and how much it can reveal about an individual. As such, personal data should be protected by security measures appropriate to the sensitivity of the information. 

Note: There may be additional approvals required if your research activities involve human participants or human biological materials, such as that from the UBC Office of Research Ethics; we recommend engaging with them to discuss specific requirements. 

For the purpose of this question, only data related to research subjects needs to be considered. For personal information involving UBC staff and/or students who may be involved in your research, you could also note that this is governed by UBC Information Security Standards (U1) and methods of transmitting and sharing of this information must follow Transmission and Sharing of UBC Electronic Information (U3) guidelines.

If you respond “Yes” to this question, describe in the Risk Identification section the source and nature of personal data involved, such as what type of personal data may be collected during the research, how it is being collected and the sensitivity of this data. If your potential partner may have direct access to this type of data stored on UBC infrastructure, see risk identification section for question 2.4 for additional considerations.

In the Risk Mitigation Plan, identify specific measures to protect the data, such as data security, cybersecurity, anonymization processes and types of access control. If your research requires review and approval from the ethics board, indicate so and include whether the process involves reviewing safeguards for personal data and whether approval has been secured. You also may already have described some of these personal data management measures in other parts of your funding proposal, such as in your Data Management Plan if applicable; if so, you include some of these measures as mitigations if they address the risks you have identified. 

Example:

• Identification of risk: Your proposed research involves conducting a longitudinal study of an illness and its impact on the lifestyle of those living with the illness, and uses a dataset that contains personal health data, financial data, and socioeconomic data. These types of data are inherently sensitive. There is a risk that the unauthorized release of this data could compromise the privacy on individuals within this dataset.
• Potential mitigation measure: You can indicate if additional review or approval, such as from the ethics board, may be required or has already been obtained. As well, you can outline your research team’s commitment to adhere to existing relevant UBC policies (see above Additional relevant resources) governing the collection of information from human participants and protection of data derived therein, as well as the use of any additional data collection system approved by UBC to secure the datasets, such as REDCap. Indicate any anonymization processes for these datasets and how the original records linked to an individual will be stored (e.g., in a locked file cabinet with access limited to certain research team personnel). If your partner may be hosting this type of data locally in their system, also detail their protocol on how they plan to secure this data.

When evaluating whether your research involves a large dataset, consider, for example, whether the data is of substantial size that cleaning would require some form of automation or take manual hours, or that inferences or insights can be made about a sub-population of community. When evaluating whether the dataset may be sensitive, consider whether it contains information that, if misused, could impact an individual, a community, or Canada negatively in an ethical, commercial, or legal way. Examples can include data that can be used to identify an individual or a group of individuals and their behaviours (see above question 1.3 for personal data risk consideration) or data may be used to disrupt or exploit Canadian critical infrastructure (see above question 1.2 for critical infrastructure risk consideration).

If you respond “Yes” or “Unsure” to this question, describe in the Risk Identification section the sources and nature of the dataset(s) that may be collected or accessed and the potential risks involved if an unauthorized party were to gain access to this information. Describe whether you are collecting your own large dataset, working with publicly available sets, or using proprietary datasets from your partner organization, as well as whether the data is anonymized.

In the Risk Mitigation Plan, identify specific measures you plan to employ, such as de-identification of the collected dataset, implementation of access controls (e.g., multi-factor authentication, encryption) or the use of a dedicated secure server for data storage, in addition to the best practice of adhering to standard data management and cybersecurity practices at UBC. You may want to describe how you plan to de-identify or de-aggregated the data to reduce the likelihood of the dataset being attributed to specific datapoints, if applicable.

Example:

• Identification of the risk: Your proposed research will analyze large datasets involving traffic patterns in major intersections across the Lower Mainland to identify modifications in traffic light signals and intervals to improve traffic flow. The dataset includes license plates, so a potential risk may be the exposure of personally identifiable information (i.e., the license plates) to an unauthorized party seeking to target or monitor specific individuals.
• Potential mitigation measure: You may indicate how the dataset may be de-identified and include protocol wherein the original data stored in secured servers with access control restricted to certain members of the research team as required. You can also indicate that your research team is adhering to UBC policy on cybersecurity and data management practices governing appropriate handling of information, including de-identified human datasets, to ensure research information is protected by UBC’s IT infrastructure.

The Government of Canada has regulations that govern or restrict the transfer of specific goods, technologies and data outside of Canada, regardless of the means of transfer. Transfer can be via physical, such as shipping of goods, via consulting, such as training, instructing and advising, or via electronic means, such as sharing information via cloud or email; any such transfer requires permits. Areas covered by the Export Control List is not exclusive to goods, technologies, and data related to military and nuclear applications.

Review the list fully to determine whether your research area is covered in the subcategories of the Export Control List and evaluate against the specific performance characteristics of the item. If your proposed research involves an area included on the export control list, you must answer “Yes” to this question, regardless of whether you plan to export such items outside of Canada.

If you respond “Yes” to this question, in the Risk Identification section describe the specific item covered by the export control list and whether the private sector partner will have access to the item(s) during the research. If you plan to export goods, technologies, data or services in areas covered under the export control list, review the Government of Canada’s Export Control Handbook and UBC’s guide on exporting goods (CWL-required).

Identify in the Risk Mitigation Plan any documentation obtained or in the process of being obtained to facilitate export, if required. Identify if the research team is aware of their responsibilities under the Export and Import Permits Act. Describe any relevant data management, cybersecurity, or physical security measures to handle the item(s), if applicable.

Example:

• Identification of risk: The research proposal examines efficient cryogenic cooling techniques for quantum computing; this falls under the item “Cryogenic Complementary Metal Oxide Semiconductor (CryoCMOS)” in the Export Control List.
• Potential mitigation measure: You may specify that your potential research partner’s offices/laboratories are located only in Canada and explain that the research will not export this item/technology outside of Canada. You can include that should the above change, you will obtain the relevant export permit and documentation necessary to export this item/technology.

Certain research areas are designated as Sensitive Technology Research Areas (STRAs) by the Government of Canada and are included in List 1 of Annex A. Review the entirety of List 1 and identify whether your project may intersect with any of the STRA subcategories. This includes using or aiming to advance any one of the STRAs. For example, if you are using proteomics techniques to conduct your research but are not advancing its underlying techniques, you would need to check “Yes” for this question. To assess whether you may be aiming to advance, consider whether your proposal may support the generation or discovery of knowledge that contributes to progress in the sub-categories on the STRA list.

If you respond “No” but your research is in an area related to a STRA on the list, provide additional context and describe the process by which you determined that the research does not fall under a subcategory of the STRA. 

Example for a research area related, tangentially or adjacent to, a STRA:

• Identification of risk for an area related to a STRA: Your research examines the current manufacturing practices for magnesium alloys to determine how the current processes impact local ecological systems and the wider climate. After reviewing the STRA list, you note that “Augmented conventional materials” include magnesium alloys but determine that your research is not considered sensitive and not dual use as your proposal does not involve augmenting the material to have unconventional or extraordinary properties. You should include an explanation of your assessment.
• Potential mitigation measure: While a mitigation measure for this risk is not required, you may indicate that you will advise the funding agency and follow additional research security requirements (e.g. attestation forms, information on new mitigation measures, etc.) should the research focus shifts and begin to advance a STRA. 

If you respond “Yes” or “Unsure”, you should describe in the Risk Identification section which specific subcategory relates to your research, whether you aim to use or advance one of these technologies in your project, whether the outcome of the research could have military, intelligence or dual military/civilian applications, and how the research could be misused in a worst-case scenario.

In the Risk Mitigation Plan, identify the research security best practices that you plan to employ during the project that aim to reduce the likelihood of potential unauthorized transfer of research information and/or misappropriation of these technologies by malign actors. 

Example for a research area in a STRA:

• Identification of risk: Your proposed research aims to generate knowledge toward developing a new vaccine using lipid nanoparticle delivery system. While your specific project objective may not be to develop a new vaccine, your research is generating foundational knowledge towards the STRA of “Nanomedicine”, and therefore advancing this area. There is a risk of your research being used to advance biological weapons; in other words, your research is dual-use. You may note that your research objective is for civilian purpose and aims to enhance the heath and resiliency of the Canadian population.
• Potential mitigation measure: You can indicate that from your understanding, your research partner operates solely in the civilian pharmaceutical sector and has a history of collaboration in academia to translate research outputs for global health. You can also indicate that you will employ the best practice of assessing that your potential partner’s motivations in this research project align with your own in the civilian usage of research information and establishing an agreement on the intended use of all information surrounding the research project, up to and including research outputs. As well, you may identify additional best practices you will employ to mitigate this risk, including raise awareness on research security with your research team by taking training on this topic on how to safeguard your research.