Part 2 of 2: The complex relationships between researchers and their data
R&D-intensive companies are increasingly interested in externalising their research: working with laboratories outside their company walls through commercial and academic collaborations and alliances. But greater openness carries greater risks. In an increasingly data-driven R&D environment, ensuring that the company investing in the research benefits from the IP produced means looking after data. In our last post we discussed the basics of information security. In this post we will get to the heart of the question: data – who owns it, what business value it has, and how people use it.
Agreeing who owns the data
An important question when looking at shared data is that of ownership. When research is done in-house, ownership is usually clear. When partners or co-funded technology are involved, it is less so. A process must be developed to define who owns what, and this must cover not just the final output, but any data collected throughout the project, as well as the method of extracting and analysing it. Failing to do so could mean that you don't fully own the IP you hoped to exploit.
Understand your data in detail
Once you've agreed who has rights to data, you need to make sure no-one outside that agreement ends up with your data. There are always risks from those who would steal your data, but equally someone sharing your space may start innocently using your processes or results and take them back to their own company.
Any data framework must understand what type of data will be generated and the criticality of that data, and this must be properly coded so appropriate security decisions can be made.
At the top end is anything that could affect share price, which should never leave a very small circle of people. Not far below that is data which could give competitors advantage, such as experimental data for a new product. This needs to be shared with the team, but not beyond.
Further down the chain is raw data, which is often meaningless out of context, and below that is data which is due to be made public. Inevitably, much information will contain multiple levels, and some data will change criticality depending on context and time. For example, you could probably publish a string of measurements of the viscosity of a particular formulation without any major risk. But the same numbers alongside the original hypothesis could be very valuable to competitors.
The whole process is an extremely complex task of understanding and assessing data, but only once this has been done can appropriate and proportionate security be put in place.
Know how people interact with data
Externalisation means that data which once never left lab walls must now be worked on in shared spaces and carried between locations. The people who do that therefore need to take on new levels of responsibility and adopt new behaviours.
An approach that we use is to develop profiles of types of employees (researchers, project managers, etc.) and build up a picture of their movements: for example, where they carried data storage devices and how they interacted with different systems. This is a good basis for making informed recommendations against each partner’s existing information security policies, e.g. ensuring there are adequate private spaces, rules for working in private vs shared spaces, and rules for different categories of data. For example: Can I save raw data on a shared instrument PC for a short while? Can I use the email account provided by our partner organisation for my organisation's data? How do I transport 1GB of raw data back to my home laboratory?
Whilst in many ways R&D externalisation is an information security challenge, it is far more complex than simply stopping data leaking. The task requires a detailed understanding of complex scientific data and how that data could be used, how researchers engage with it, how it could be transported and in what situations it presents a risk. Only then is it possible to create systems that allow it to be worked on in the right format by the right people, whilst protecting it from the wrong people.