Information for Researchers
The TRA process should be looked at as a resource the research team can use to fill any gaps in its understanding of the risks a technology-oriented initiative might carry.
While the submission is detailed, the resultant report can help Principal Investigators (PIs) and their teams navigate any potential areas of concern prior to engaging a given project.
Ultimately, the TRA process is in place to assist researchers in making sense of the technical environment and to provide some guidance/assurances for the PIs that potential risks have been identified, discussed (by the research team and other resources as needed), and either accepted or mitigated by the appropriate project leadership.
Often the question has been asked whether or not the TRA process has any influence over the creation and management of researchers' intellectual property.
Simply stated, the answer is no.
PIs are encouraged to develop new ways of engaging with problems and determining innovative solutions to those issues. The TRA process is just a tool to help researchers understand where risks might exist when dealing with technology. A collective understanding of how technologies are intended to be used, and how they may be instantiated to better protect the projects' interests as well as the interests of the PIs and the organization (where these intersect), assists in understanding and mitigating risks.
In many cases, it is important for a project to purchase a technology product from a vendor to complete tasks, engage in analysis, showcase results, and mobilize knowledge. As researchers look to procure technologies for their respective projects, an examination of that particular vendor's policies on security, privacy, legal, and operational management is important for both the PI and the institution.
Most services are now cloud-based and as such should be examined for potential risks of data exposure and/or loss, policies on retention and/or disaster recovery, details related to intellectual property and/or data ownership, and technical components related to breach notifications, encrypted traffic, and the ability to protect the information inherent to the solution.
Although the initiative is research-based and in the hands of the PIs, there are times when the data or processes being engaged involve the university in some way, specifically if a breach occurs (reputation, data loss, potential regulatory fines, etc.). As such, it is vital that the TRA is engaged to understand any institutional risks that might exist alongside your initiative.
In many cases, a research team does not procure technology, but actually creates tools or platforms, either for, or as a result of, the project. In these cases, a submission can be made so that the TRA process can help tease out potential risks associated with the solution from the outset. The TRA process would not conduct a code review of developed technology or put forward specific demands or claims related to intellectual property. Rather, the TRA would highlight areas the research team may wish (or need) to mitigate.
Risk Levels and Next Steps
For TRA submissions assessed at MEDIUM RISK or HIGH RISK levels within a Research context, the PI will be made aware of the identified potential risks to determine next steps, which might include recalibration of processes, pushing back on the vendor to include protection clauses in the contract, or selection of an alternative technology solution.
In some cases, Research Ethics may need to be contacted by the PI to ensure the solution is still aligned to that particular process.
Where there are specific data protection-related concerns, or issues with the vendor and/or development processes as they relate to risk, notification to the appropriate Decanal level may be required for both awareness and risk acceptance purposes. Should a solution be particularly risk-heavy in terms of these items, awareness and acceptance of risk on behalf of the organization will be required by the Provost (VP Academic).
Often, research-oriented projects are confronted with the question of where their data will be located as the initiative is underway. There is a high degree of variability involved in providing guidance here as projects are quite different from each other, but there are opportunities for the TRA to identify risks related to data storage, cloud-based platforms vs on-premise solutions, and data transfer methodologies.