Disclaimer: This scenario is not comprehensive of all risks and best practices. This case study represents a certain scenario for general application of research security principles and can be used as a resource for training, exercises, presentations, etc. The names, events and other details of this scenario are created for educational purposes and do not represent any particular event.
Fictional scenario
- Alina is a researcher at a Canadian university who is hoping to start a new research project. She is seeking federal funding for the project as well as a Canadian company as a research partner.
- Alina is contacted by a potential industry partner that has a history of operating in Canada and is well known in the research community, specifically in fields outside of Alina’s. The industry partner does not normally invest in research in Alina’s field but has put forward to her a very generous offer to collaborate on her research project.
- Alina’s proposed research project involves the collection of sensitive data, but as the company is Canadian and is offering abundant support to form a research partnership, Alina does not see any concerns with the offer and accepts it, forming a partnership with the Canadian company.
- A partnership agreement is drafted by Alina and then reviewed by Alina’s institution’s contract office and legal department. The agreement is approved and signed by Alina, the relevant university authorities, and the research partner.
- During the course of the research project, Alina notices unfamiliar names and mentions of a foreign company that was not previously identified as being involved in the research partnership.
- Alina conducts a search using available open-source tools and discovers that the foreign company has recently invested heavily in Alina’s Canadian industry partner through several proxy corporations. Alina finds that the foreign company has recently been accused of attempting to acquire knowledge and data from another country.
Risks in this scenario
| Risky practices | Possible consequences |
|---|---|
| Not checking the connections, investors, and sources of control of the research partner | |
| Not including parameters to limit the amount of access and sharing to make sure there are no security risks | |
Risk mitigation
Best practices checklist – Researchers
- DO verify the connections, investors and sources of funding and control of potential research partners. A variety of databases and sources, including open-source databases, can be searched to view the various ties and investors of an organization.
- DO implement a research data management policy. Plan ahead on the methods of data management, storage, and use.
- DO have the Canadian institution’s relevant experts, contract office, or legal services review the agreement in detail if these services are available at your Canadian institution.
- DON’T agree to a research partnership until the ownership and reliability of a research partner can be verified. If available, use templated agreements drafted by the institution instead of the industry partner. Engage research partners with a draft contract prior to negotiation and do not agree to terms without a contract.
Best practices checklist – Post-secondary institutions
- DO provide access to tools for researchers and university staff to verify the security of potential research partner organizations.
- DO develop guidance and clauses for researchers to use when making agreements with research partners and provide template agreements to researchers in advance. Also provide indicators of security issues for researchers to be aware of when reviewing agreements to determine if further review by legal services or other experts is needed.