Dipna, a university researcher, is mandated to sponsor three PhD students at her university. In order to facilitate the work schedule of the students, she grants them with 24/7 access to the research building and the lab. Dipna returned to work late one evening and noticed a student in the lab looking through research data and notes not relevant to the work with which the student was involved. The information had been left unsecured by another team member, and Dipna did not directly challenge the student in the moment.
Risks to Dipna and the Institution
The student may be operating in good faith and consulting documents of a colleague when the other individual was unreachable, to legitimately inform the team's research.
The student may also be an insider motivated to gain data or knowledge for other purposes, including personal or commercial benefit. Moreover, the student may be an agent of a foreign state, either willingly recruited or under duress. This person may also be testing the limits of the lab's security by doing this to see what information they can gather and whether it would have value that could be subsequently used for personal gain.
Possible Consequences for Dipna
If the information was sensitive or confidential, then Dipna and her research team may run the risk of forfeiting potential personal, professional, or economic and commercial gains that could be achieved from their research. This could also have a negative impact on her team's reputation and career, and that of her team's.
If the data contained patient or personal data then this could result in a serious breach of privacy.
If confidential information from a third-party was involved, the entire collaboration or funding agreement could be in jeopardy.
Possible Impact for the Institution
If it becomes public knowledge that sensitive information was misappropriated by the student, the university could face a crisis of confidence with its stakeholders, including private sector firms and other collaborators.
If information that was classified or related to controlled goods was compromised, the university could face compliance measures by the Government of Canada.
Best Practices
- All research data and information should be appropriately classified, and all corresponding protective measures including their sharing, disclosure, and storage should be identified and monitored. Team members should be briefed on all restrictions and requirements related to the research project and their related work products. An oversight framework, including a process for the identification of potential breaches, is recommended.
- Access to classified, protected or business confidential material (including documents, lab books, software, physical goods, samples, etc.) should be appropriately controlled at all times. Such material should never be left where it can be examined by people who do not need to know or do not have the appropriate clearance. Such material should be locked away in a secure enclosure (e.g. locked cabinet, sample freezer etc.) or a securely closed office/lab when not in immediate use.
- When feeling safe, Dipna should question the student about her activities and retrieve the materials from the student. She should also remind team members of the relevant protective measures for research and related work products. If Dipna still has concerns, she could alert appropriate university security and administration officials.