Information for Researchers

The TRAC is your collaborative partner in ensuring technology-driven initiatives are both innovative and secure. The TRAC process is in place to assist researchers in making sense of the technical environment and to provide assurance that potential risks have been identified, discussed, and accepted or mitigated by the appropriate project leadership.

Intellectual Property (IP) Clarification: 

TRAC's primary focus is risk mitigation, not IP. Rest assured; your innovative solutions remain solely under your purview. 

Vendor-Involved Initiatives:  

Utilizing external technology? TRAC demystifies vendor policies, ensuring a secure and transparent partnership.

In many cases, it is important for a project to purchase a technology product from a vendor to complete tasks, engage in analysis, showcase results, and mobilize knowledge. Examination of that particular vendor's policies on security, privacy, legal, and operational management are important for both the PI as well as the institution.

Most services are now cloud-based and as such should be examined for potential risks to data exposure and/or loss, policies on retention and/or disaster recovery, details related to intellectual property and/or data ownership, and technical components related to breach notifications, encrypted traffic, and the ability to protect the information inherent to the solution. When the data or processes being engaged involves the university in some way, specifically if a breach occurs (reputation, data loss, potential regulatory fines, etc.), TRAC should be engaged to understand institutional risks.

Internally-developed Initiatives:

If your project involves crafting unique tools, TRAC can pinpoint potential risk areas, without delving into code or intellectual property intricacies. 

Risk Levels and Next Steps

The Research Ethics Board often refers the Principal Investigator (PI) and their team to TRAC for a risk assessment to help the research team understand any potential risks and to provide suggestions in terms of how they might be mitigated. 

Where there are specific data protection-related concerns, or issues with the solution and/or development processes as they relate to risk, notification to the appropriate level may be required for both awareness and risk acceptance purposes.  Should a solution be particularly risk-heavy in terms of these items, awareness and acceptance of risk on behalf of the organization will be required by the VP Research.