Disclaimer: This scenario is not comprehensive of all risks and best practices. This case study represents a certain scenario for general application of research security principles and can be used as a resource for training, exercises and presentation, etc. The names, events and other details of this scenario are created for educational purposes and do not represent any particular event.
Fictional scenario
- John is a researcher who recently received federal funding for his research at a Canadian university. With these new funds, John wants to upgrade and update his lab’s equipment, which would allow him to increase the scope of his research and pursue further research on similar projects.
- While John is searching for a supplier, he is contacted by a friend from graduate school who is now working at a foreign equipment supplier. The foreign supplier offers to donate some of their equipment and several new computers to John’s lab as a gift. The foreign supplier also offers to supply other discounted equipment to John. All the equipment is already set up with proprietary software, but the foreign company also offers licenses to use the software.
- John trusts his friend as they have known each other for years and have a positive working relationship. The equipment offered is more than he could have hoped for and would greatly advance the capabilities of John’s lab to conduct research. John thinks that in the interest of the advancement of science, he should accept the offer.
- While John’s institution has a preferred list of suppliers, he does not feel that the donation of used equipment and reselling of computers from the foreign company is an issue.
- John accepts the donation and purchases several extra computers and pieces of lab equipment from the foreign company.
Risks in this scenario
| Risky practices | Possible consequences |
|---|---|
| Accepting unscreened used equipment from a foreign company | |
| Not following established procurement procedures of the home university | |
Risk mitigation
Best practices checklist – Researchers
- DON'T accept donated or heavily discounted equipment or services from a supplier without engaging with your institution’s relevant officials to identify any risk in the transaction.
- DO follow your institution’s policies on procurement for your research. Many institutions have a list of trusted suppliers. If it is determined that an existing preferred supplier or contract is not best value, or your institution does not have established procedures, a fair and competitive bid process that incorporates security provisions is recommended for all goods and services.
- DO ask a supplier how they will be protecting your information and data, by having them provide information on:
  - Where data is stored (e.g., geographic location, which may change the privacy, security, and data ownership laws and regulations applied to the data);
  - How data is labelled/categorized according to its sensitivity;
  - Their data retention policies, and if data retention requirements can be supported.
- DO use software that is approved by your institution and aim for open-source, non-proprietary software.
Best practices checklist – Post-secondary institutions
- DO provide researchers at the institution with resources and information about procurement policies and their responsibilities under funding agreements.
- DO provide researchers with contact information of procurement officials at your institution to provide project-specific guidance.
- DO develop a list of recommended suppliers and guidance on holding competitive bidding on procurement contracts.
- DO provide researchers with example clauses to include in procurement contracts to clarify ownership, responsibilities, liability and to establish the specifications of equipment, software, and other materials that are to be procured.
Additional resources
- Global Affairs Canada - Export Controls