Each question in Section 2: Know Your Partner Organization (page 3 of the form) addresses specific considerations to help you assess whether the partner organization(s) may pose a national security risk in using information and data derived from your research and can help you determine the overall risk profile of the research partnership.
To answer the questions in this section, you are encouraged to gather information about your proposed partner from public sources of information as well as through discussions with your partner(s). The section “Conducting due diligence” of this guide provides guidance and resources to help you gather this information.
The UBC Research Security Team can support you by performing additional due diligence using proprietary tools during the validation process to ensure all relevant information is identified and provided in the form.
The following are questions asked in the RAF:
2.1 Are there any indications that your partner organization(s) could be subject to foreign government influence, interference or control?
This can include an entity that is state-owned (similar to a Crown Corporation in Canada), in which there is a government with direct benefit and control, or one that is subject to a legal framework that can compel the entity to provide the host government with access to information, knowledge, or IP. For example, companies based in the People’s Republic of China (PRC) can be compelled to share data with the Government of the PRC upon request, as specified in the 2017 PRC National Intelligence Law. This may also include organizations whose major sources of funding include foreign governments which could be leveraged to compel information sharing.
If you respond “Yes” or “Unsure”, describe in the Risk Identification section how organization may be subject to foreign government influence, interference or control and any input solicited from the partner that provides further context. If relevant, provide context for the level of risk posed by the specific partner and collaboration (e.g., low risk due to limited partner access to research data or involvement through a one-time transaction).
Work with the partner organization to develop strategies to mitigate any potential foreign influence or interference in the research and identify them in the Risk Mitigation Plan. Identify relevant research security best practices you plan to implement, such as employing data management and cybersecurity in accordance to UBC policies, establishing that your potential partner’s motivations in this research project align with your own and, if applicable, referencing any existing Intellectual Property (IP) frameworks or collaborative research agreement (including any in negotiation), as well as specific provisions you will implement (e.g. patent licensing agreements) relating to the use of research information and outputs. You should contact Innovation UBC’s Sponsored Research team and/or Inventions & Licensing teams for any discussions involving sponsored research, IP and licensing agreements.
2.2 Are there any indications that suggest a lack of transparency or unethical behaviour from your partner organization(s), that may impact the proposed research project?
This type of information is likely publicly available via resources such as World Legal Information Institute, which provides information on court decisions and international legislations, or a web search. In cases where you are collaborating with a large multi-national corporation, focus on recent information that is most relevant to your research areas and solicit information from the partner when possible.
If you respond “Yes” or “Unsure”, in the Risk Identification section, provide details and the context of the legal issues and their relevance to your proposed research project.
Identify in the Risk Mitigation Plan any appropriate measures or best practices that can be taken to minimize the use of research information, knowledge and data in an unauthorized manner. This can include measures such ensuring there are legal agreements covering any IP or patent disclosures, licensing agreements or revenue sharing, if applicable to your research objectives. Innovation UBC’s Sponsored Research team should be involved in the details for any such agreement.
2.3 Are there any indications that an individual(s) involved in the research project from your partner organization(s) could have conflicts of interest or affiliations that could lead to unauthorized knowledge transfer?
In cases where there are specific staff members from the partner organization involved in the research, such as lead scientists or technicians, you are encouraged to verify their professional histories, expertise, publication history, etc. via open-source research (consult this list for resources to help with verifications). You may also need to conduct this verification for persons not directly involved in the research activities but may have input on research directions or the translation of the research results at the partner organization, such as a management level scientist. Additional affiliations that may pose a national security risk and should be noted if identified, including affiliations to an organization on a sanctions list, participation in a malign foreign talent recruitment program, or current appointments or affiliations with a Named Research Organization. Work with your partner organization to verify the accuracy of this information where possible.
If you respond “Yes” or “Unsure”, disclose in the Risk Identification section any real, perceived, or potential conflicts as well as their relevance to the research project. It may be reasonable for someone to be appointed or affiliated to multiple research institutes or organizations, depending on their research areas, the risk lies in whether these multiple affiliations could lead someone to transfer your research information in an unauthorized manner.
The mitigation measures to be provided in the Risk Mitigation Plan will vary depending on the nature of the conflict. You may need to discuss your findings with your partner organization if appropriate. The UBC Research Security team also is available to discuss potential measures to support you in working with the partner organization to mitigate any risks from conflict of interest.
2.4 Are there any indications that as a result of this research project, your partner organization(s) will or could have access to your research institution’s Canadian facilities, networks, or assets on campus, including infrastructure that houses sensitive data?
This question requires you to assess if the partner organization may gain access to UBC infrastructure or data through the research partnership. Access to our infrastructure can take many forms, including physical access to UBC facilities or labs for the purposes of conducting research, remote access to file-sharing platforms, or servicing a piece of equipment via remote or physical access procured from a partner organization. You should also consider whether the partner may gain access to personal sensitive data and large datasets, related to Question 1.3 and 1.4 in “Section 2: Know Your Research”. While access via a research partnership governed by a signed agreement is authorized and legitimate, it may provide opportunities for unauthorized access to other parts of UBC infrastructure or data, so it is important to consider potential risks.
If you respond “Yes” or “Unsure”, in the Risk Identification section provide details on the types of access to which your partner may have or require throughout research project, such as which networks, files, assets, or facilities, and what type of data, including whether this involves any personally identifiable or sensitive information. You should describe potential risks associated with the misuse of access, such as unauthorized transfer of potential sensitive data or the potential for physical access to other facilities in the same building, or remote access to other folders.
Your mitigation measures in the Risk Mitigation Plan will depend on the type of access the partner will have (remote or physical), the purpose of this access (e.g., to service a piece of equipment or long-term access to research labs), and the type of assets being accessed (e.g., research information, personal data) as well as potential inadvertent access to sensitive information. Some measures may include:
Relevant resources:
- UBC Campus Security: Site Security Assessment (physical/facility security assessment for an enhanced risk management profile)
- UBC Advanced Research Computing: Security & Privacy (support in addressing infrastructure, data storage and data management needs)
- Limiting physical access of the staff from your partner organization to only areas required to conduct research activities if you identify other parts of the same facility may contain sensitive information or infrastructure. This can take the form of escorted visits or restricted access cards. You may want to discuss these considerations with the specific facility management or UBC Campus Security.
- Providing access to only parts of your network or files required for your partner organization to conduct research activities and adhering to UBC policy Acceptable Use and Security of UBC Electronic Information and Systems (SC14), particularly the standards outlined in Outsourcing and Service Provider Management (U9).
- Describing the process for granting and monitoring access for your partner’s personnel. This may involve evaluating whom of their staff require access depending on their role in your research and continuing this evaluation throughout your project.