Oversight of Security-Sensitive Research

Oversight of security-sensitive research

1.purpose

The purpose of this standard operating procedure, in addition to meeting the university’s duty to the research aspect of the ‘Prevent Strategy’, is to describe the process of handling security-sensitive research, which can be interpreted as engaging the Counter-Terrorism and Security Act (2015) provisions or involves extremism from animal rights campaigners, undertaken by or through the University of Surrey staff and/or students. It is an adapted version of the Universities UK; Oversight of security-sensitive research material in UK: guidance.

2.introduction

The Government has defined extremism in the Prevent Duty Guidance[1] as: “vocal or active opposition to fundamental British values, including democracy, the rule of law, individual liberty and mutual respect and tolerance of different faiths and beliefs. We also include in our definition of extremism calls for the death of members of our armed forces”.

Access to security-sensitive material requires special handling through the current research management and governance process within the University.An Al-Qaeda manual,for example, can be highly relevant to many kinds of perfectlylegitimate academic research – studies of jihadism, internationalrelations, or conflict and security, to name three. On the otherhand, prosecutions under counter-terrorism legislation in the UKhave sometimes been brought on the basis of an accumulation onpersonal computers of downloaded material and other data, forexample that which is relevant to making explosives. The white supremacist ideology of extreme right-wing groups, which has also provided both theinspiration and justification for people who have committed extreme right-wing terrorist acts, can be a legitimate research focus. It will notalways be possible for police to distinguish immediately betweenthe accumulation of such material for legitimate researchpurposes and the accumulation of material for terrorist purposes.

Researchers may not only download material that is security-sensitive but may also visit security-sensitive websites. Such visits may be interpreted by police as evidence of sympathy for, and perhaps even willingness to collude with, terrorism. At least one researcher, in Italy, conducts his research into jihadist activity by impersonating a jihadist in internet chat rooms used by extremists.[2] He does so conscious of the fact that his behaviour may come to the notice of Italian counter-terrorism police.[3]

University researchers trying to carry out security-sensitive projects in a legal environment that is highly attuned to the demands of counter-terrorism need protection from intrusive and excessive oversight where this is possible. Universities UK guidance[4] suggests that this could best be achieved by research oversight processes within universities. Such processes could expedite checks within universities which would reveal people as legitimate researchers and sensitive material as part of legitimate projects. The same processes could also speed up the identification of material that was outside the area of official research, and that might require further investigation.

A mechanism for registering declarations of security-sensitive research is not a mechanism for reviewing this research, or regulating it; it is a mechanism that operates on already approved research[5] and merely identifies it as a candidate for safe storage.

Sections 2 and 3 of chapter 11 of the Counter-Terrorism and Security Act (2015) outlaw the dissemination of terrorist publications, including by electronic means, and give a very wide definition of ‘terrorist publication’ and ‘statements’ that could be construed as endorsing or promoting terrorism.

3.Scope

This SOP applies to all research that involves security-sensitive materials that can be interpreted as engaging the Counter-Terrorism and Security Act (2015) provisions or involves extremism from animal rights campaigners. This includes consultancy and expert services.

This SOP does not apply to any activities outside the scope of research.

4.Responsibility

1. The Researchers (student and their supervisor) or staff researchers: need to complete Appendix A. (Research concerning Terrorist or Extreme Groups check list) and send by email to University of Surrey Head of Security, and apply for Favourable Ethics opinion, where applicable.
2. Security: to register the project and keep a record of the research team names, a summary of study documents that will besaved on the University secure server(Safe Store), start and end date, expected expiry date (delete date) and a copy of the completed and signed “RESEARCH CONCERNING TERRORIST OR EXTREME GROUPS CHECK LIST”. A copy of the Ethics Self-assessment form if University Ethics committee (UEC) review is not required or a copy the UEC Favourable Ethical Opinion will kept with the study record.
3. IT: to provide a secure password protected server based file (Safe Store), only accessible to the researcher/s for the purpose of the specific research project. The researcher/s will need to apply to IT services for this via (), and agree access required (research team) and data expiry date (delete date).Deletion will need to be prompted manually by the Researcher and copy Head of Security and Research Integrity and Governance Office (RIGO).

Please see; Information Security Policy, Acceptable Use Policy and Guidance Notes, Using Your Own Device Policy (UYOD), and Personal password policy

1. Ethics: Ethics review should still be undertaken by the relevant ethics committee, where necessary- not all security sensitive research will qualify for ethical review. However, RIGO will only register and store the final approved application form and favourableethical opinion. The faculty ethics committees should have similar processes in place.

It important to note that researchers are requested to not include any of the security sensitive material in their ethics application or any links to them.

In this way, legitimate research activity could continue, in return for openness on the part of researchers about their use of security-sensitive material, all of which would be kept in the store. It is not permissible to use personal devices to save, transport and/or transmit any of the data, only University of Surrey approved and encrypted devices are permitted.

4.1. ITEMS for Safe store

A store of security-sensitive material on a University server will mainly contain documents that, like certain versions of Al-Qaeda manuals, can be downloaded from the internet or are otherwise publicly available. These are not secret documents but rather documents that, if found on personal computers or as attachments in covertly observed email traffic, may throw suspicion on computer owners or senders of email. The purpose of the Safe Store on the server is to identify the material as being for research and to keep it out of any further circulation. In addition to documents that were originally in electronic form the store may also contain scanned versions of paper documents that, again, might look suspicious to an outsider if found on someone’s desk. The store would not typically function as a repository for an individual researcher’s writing about security-sensitive material, unless that, too, was considered best kept out of circulation and was therefore deposited by the researcher.

It is important to ensure the appropriate storage, disposal and/or shredding of physical materials including print out.

4.2. Security enquiries and rapid response process

Security would know who was carrying out declared security-sensitive research attheUniversity, and so would be in a position to confirm whether or not an individual found to possess such material was a declared researcher. On the other hand, security would not know what the research content was in any detail, and would not communicate the summary of stored documents unless required to do so by law officers. Supervisors of research student who have been allocated aSafe Store would know what the research content was as a result of the normal postgraduate research supervision process; so would heads of department in the case of staff researchers. In many cases, confirmation by security of declared researcher status would be enough to reassure anyone interested that the storage of material was legitimate and not interfered with. If security needed more reassurance that a particular materials is deemed legitimate for research purposes, then they can approach the student’s supervisor orHead of School/Dean. In any case, declared researchers would have at least two layers of protection from non-university intrusion: security and heads of department.

5.Data management

5.1. Undergraduate and Masterslevel:

5.1.1. Researchers are to ensure that restricted (security sensitive data) materials are not sent to library.

5.1.2. The default delete date will be 14 days after award, this is will need to be agreed with IT.

5.2. PhD and Staff level:

5.2.1. The data management plan should specify expiry date for security sensitive materials (The default is 14 days after award).

5.2.2. PhD Thesis may have two volumes; Volume One(without any security sensitive data) open for academic access and can be put on the internet and library. Volume Two (with security sensitive data) with restricted access and to be deleted 14 days after award and/or agreed deletion date.

5.2.3. Funders will need to be made aware that for national security purposes that research material falling with the remit of The Counter-Terrorism and Security Act (2015) will be deleted after the project’s final report have been presented (specify dates). Also, for staff research; funders should be informed at the application stage of the proposed deletion date of security sensitive data. The Data Management Plan should capture all this. Researchers are advised to ensure that funders are content with intended handling of research data, preferably in writing.

Any queries regarding the data management plan should, in the first instance, be directed to .

6.Training

A training programme will be made available to researchers working in this area of research to include:

1. a review of current terrorism legislation relevant to research
2. what should be done in the case of a query about security-sensitive research material both internal and external

It important to note that researchers are requested to not include any of the security sensitive material in their communications or any links to them.

APPENDIX A: RESEARCH CONCERNING TERRORIST OR EXTREME GROUPS CHECK LIST
The Counter-Terrorism and Security Act (2015) outlaws the dissemination of records, statements and other documents that can be interpreted as promoting or endorsing terrorist acts.
Please complete this form if the project concerns terrorist or extreme groups
Study title:
Yes / No
1 / Does your research involve the storage on a computer of any such records (terrorist or extreme groups), statements or other documents involving extremism from or relating to animal rights campaigners?
2 / Does your research involve the electronic transmission (e.g. as an email attachment) of such records or statements?
3 / If you answered “Yes” to questions 1 and/or 2, you must store the relevant records or statements electronically on the secure University server (Safe Store). The same applies to paper documents with similar content. These should be scanned and uploaded, and the hard copies disposed of appropriately. Access to this file store on the server should be protected by a password unique to you. You agree to store all documents relevant to 1 and 2 within this file store, on the server. (CONTACT the University Security and IT departments to arrange this)
4 / You agree not to transmit electronically to any third party documents in the SafeStore.
5 / Does your research involve visits to websites that might be associated with extreme, or terrorist, organisations?
6 / If you answer “Yes” to question 5, 1 and/or 2 you are advised that such sites may be subject to surveillance by the police. Accessing those sites from University of Surrey IP addresses might lead to police enquiries. Please acknowledge that you understand this risk.
7 / By submitting to the University of Surrey Head of Security, you accept that you must submit a summary of the documents and files (but not the content of the documents) in your Safe Store. This will only be available for review by the University of Surrey Head of Security. Please acknowledge that you accept this.
Please note that by following this process and gaining written sign off (approval),the University will endeavour to protect the researchers’ interests but can't then guarantee that we can prevent action from outside security agencies.
If you answer No to all questions above, then contact RIGO for further advice.
DECLARATIONS
RESEARCHER/APPLICANT:
I confirm that the above questions have been answered accurately to reflect the nature of my research and I acknowledge my responsibilities in conducting this research.
Signature …………………………………………………………………… Date:
COUNTERSIGNATORY BY SUPERVISOR/MANAGER/HEAD OF DEPARTMENT
Name of Supervisor: Name of Head of Department/Dean:
Date: Date:
Signature Signature

Page 1 of 7

v.1, 15 June 2016

Research Integrity and Governance Office

[1]

[2]The researcher in question disclosed this at an international terrorism conference held in London by the Royal United Services Institute for Defence and Security Studies on 2 and 3 October 2008

[3]Personal communication, December 2008

[4]Oversight of security-sensitive research material in UK universities: guidance

[5]Approved by Supervisor and, Head of School/Dean in the first instance, and consequently approved by Ethics (where needed).