RISM14 Approved Researcher Agreement

UCL Research Data Information Security Management System #

Document Name: RISM14-Approved_Researcher_Agreement

Classification: Public

Author: Tim Machin

version: 1.1

Last Review: 10/04/2025

Last Reviewed by: Jack Hindley

Approved by: OMG

Approved date: 12/03/2025

Review Period: 3 years

Approved Researcher Agreement #

You are reminded that the UCL Information Security Policy, Data Protection Policy and UCL Computing Regulations are contractually mandated. Found here:

www.ucl.ac.uk/information-security/information-security-policy

Documented information for the use of UCL Trusted Research Environments can be found here:

UCL Research Data Information Management System

UCL staff members are bound by contract of employment to maintain confidentiality. Non-staff users shall be bound by contracts specific to their circumstances, which shall include a confidentiality clause. Where your contract differs from this agreement, the more restrictive set of terms applies.

Each user shall be identified by a unique user identity so that users can be linked to and made responsible for their actions. UCL reserves the right to monitor and audit the use of an Environment.

Where adequate assurance of compliance with this agreement is absent, account access shall be disabled such that re-enablement shall only follow evidence of adequate assurance.

In using the UCL Trusted Research Environments (‘Environments’), as defined by the Information Security Management System, I agree:

  • To comply with all relevant standard operating procedures and policies in relation to my use of the Environments.
  • My use of the Environments and those resources and functions allocated to me by authorised personnel will be for UCL’s authorised business only. Any other activity, including but not limited to, the use of offensive material is forbidden.
  • To report any suspected or potential security incidents in accordance with the UCL Information Security Group incident procedure.
  • To ensure the transfer and sharing of personal sensitive data must respect the rights of research data subjects.
  • To ensure I have the legal right to use data and software I bring into any Environment.
  • To act responsibly at all times and not put Environment resources and sensitive data at risk.
  • I will not attempt to circumvent the security measures implemented within the Environments. Attempts to circumvent the security measures include, but are not limited to, sharing of credentials, sharing screens (e.g. during online meetings) or taking screenshots.
  • To keep authentication details secure including passwords and multi-factor authentication tokens.
  • To change passwords regularly in line with policy. If a password is shared or exposed, it will be changed immediately.
  • If a multi-factor authentication token is lost it must be reported immediately.
  • When using the Environments, to do so in a suitably private space chosen to prevent unauthorised access to information e.g. through ‘shoulder surfing’ and screens being positioned to face away from ground floor windows. · To lock my screen if I am away from my device for any reason while logged into any Environments.
  • To maintain a record of the required data security training as per the Research Data ISMS Information Security Policy and I shall make this available when requested to by relevant staff.

When working offsite, I agree to:

  • Only work in locations where the risk of disclosure is proportionate to the sensitivity of the information.
  • Work in line with all other legal, regulatory, contractual and policy requirements which apply.
  • Avoid the use of unsecured public Wi-Fi networks without additional controls (e.g. UCL VPN).
  • Avoid the use of shared computing equipment unless it is issued by UCL.
  • Ensure devices used to connect to an Environment will be adequately protected from malware and unauthorised usage.

To maintain training I agree to:

  • Complete appropriate Information Governance training within a reasonable timescale before or during onboarding.
  • Keep myself informed about changes to procedures and policy.
  • Refresh my training as required.

I fully understand my responsibilities for use of the Environments and what constitutes a breach of the UCL Information Security Policy, Data Protection Policy and UCL Computing Regulations.

I acknowledge acceptance of my responsibilities for confidential information assets by signing this declaration form below.

Signature:

Name (CAPITALS):

Job Title:

Date:

Mandated UCL policies:

UCL Computing Regulations: www.ucl.ac.uk/information-security/sites/information_security/files/regulations.pdf

UCL Data Protection Policy: www.ucl.ac.uk/legal-services/sites/legal-services/files/data-protection-policy.pdf

UCL Information Security Policy: www.ucl.ac.uk/information-security/information-security-policy

UCL Information Security Incident Reporting Procedure www.ucl.ac.uk/information-security/report-incident