UKRI Trusted Research and Innovation: principles and expectations

Trusted Research and Innovation (TR&I) is the protection of the UK’s intellectual property, sensitive research, people, and infrastructure from potential theft, misuse and exploitation.

UK Research and Innovation (UKRI) has a long-standing and continuing commitment to supporting and enabling safe and effective collaboration in research and innovation. UKRI is equally committed to ensuring that this takes place with integrity and within strong ethical frameworks.

All parts of the research and innovation sector should engage in the TR&I agenda, empowering researchers, innovators and organisations to make informed decisions, adopting appropriate mitigations and risk protocols, and maximising the benefits of collaboration.

1. Introduction

1.1 This document sets out the principles that UKRI applies to TR&I and our general expectations of the research organisations (including businesses, research institutes, and research technical organisations) that we support. Our expectations are also set out in UKRI’s policy on organisation eligibility, and in the terms and conditions for specific awards, including any additional terms and conditions.

2. Principles

2.1 As the largest public funder of research and innovation in the UK, UKRI is required actively to manage its portfolio of investments. We develop guidelines and examples of best practice in collaboration with other funders, universities and sector groups, and the business community.

2.2 UKRI operates a risk-based approach to TR&I: projects that are deemed to be higher risk may be required to implement additional mitigations or controls.

2.3 As far as is reasonably possible, UKRI aims to ensure that:

policies for TR&I fully support our organisational aims for equality, diversity and inclusion (EDI)
funding opportunities indicate clearly any additional requirements related to TR&I that might be requested in applications, or that form part of the review process
additional mitigations or controls required as part of a funding award are specific, proportionate, understandable, and achievable by the award recipient
similar TR&I requirements are made for projects that are assessed as carrying similar levels of risk
updates to UKRI terms and conditions for TR&I activities are specific, proportionate, understandable, and achievable

2.4 Examples of reasonable mitigations and controls, along with case studies, will continue to be developed by UKRI and other organisations to illustrate the potential threats and mitigations for research and innovation. This will empower researchers, innovators and organisations to make informed decisions.

2.5 In addition to our commitment to TR&I, UKRI places equal emphasis on ensuring that research and innovation is carried out with integrity and takes place within strong ethical frameworks, referred to as ‘responsible research and innovation’. Details of our responsible research and innovation policies can be found in the Good Research Resource Hub.

3. Expectations

3.1 This section sets out UKRI’s general expectations of organisations receiving UKRI funding. Organisations supported by UKRI should be able to provide evidence that their internal controls and processes meet these expectations.

3.2 Organisations receiving UKRI funding are obliged to act in line with UK government legislation. Legislation relevant to TR&I includes:

the National Security and Investment Act 2021
financial sanctions legislation
export controls
the National Security Act 2023 and the Foreign Influence Registration Scheme

TR&I assessment of project partners

3.3 UKRI expects the organisations it supports to undertake appropriate due diligence assessments of organisations involved in research partnerships, collaboration agreements and commercial contracts. We acknowledge that the risk appetite and details of how these assessments are carried out will vary between institutions. UKRI research grant conditions sets out this requirement in more detail.

3.4 In line with paragraph 2.2, UKRI also carries out a range of checks prior to an award being made. These may include discussions directly with the proposed recipient.

3.5 It is important to understand the democratic and ethical values, and legal framework, of countries that project partners are based in, particularly where these are significantly different from those of the UK.

3.6 UKRI expects that award recipients will have enquired into the governance and ownership of partner organisations and the existence of any formal alignment between the organisation and foreign government agencies or departments (civilian or military). If any affiliations pose a potential risk to the integrity of the handling of project information or project outputs, we expect that proportionate controls will be put in place.

3.7 Formal collaboration agreements should be established by the research organisation with all project partners to ensure that data and assets (for example intellectual property rights) are appropriately managed. Such agreements should include statements to ensure that project partners are aware of the need for compliance with relevant UK legislation (see RGC 2.7.2).

Collaboration agreements should state under what conditions any commercially relevant data or findings derived from the project can be made publicly available. When research findings are published, outputs must comply with UKRI’s open access and open data policies.

3.8 Due diligence on individuals associated with project partners may also be appropriate when considering who will have physical or virtual access to the research organisation, and potentially to data and IP, via employment, study, or research visits.

Cybersecurity

3.9 To minimise the risk of cyberattacks, UKRI expects research organisations to have:

a robust cybersecurity culture supported by the development of controls
a cybersecurity awareness and training programme that includes well publicised guidance for staff and students

Knowledge and facility-sharing

3.10 Within research project collaborations, mutual transparency and openness are important to the success of research and innovation and the full realisation of benefits. UKRI expects research organisations to balance this requirement against commercial, legislative, and UK national security requirements.

3.11 Research organisations should be mindful of the information and knowledge they are sharing with project partners. This extends to assistance provided to researchers in interpreting data generated elsewhere, and the use of facilities or novel technology developed by the research organisation.

Data handling and access

3.12 Data must be securely stored and, where a shared platform is used for information exchange, access control should be used to prevent unauthorised access.

3.13 Access to data should only be given to individuals with a clear requirement for access, for only the duration that such access is required. The basis for the handling and usage of the data should be clearly specified, understood and agreed by all parties prior to information being shared.

UKRI expects that research organisations inform themselves of any local legislation that may apply to overseas partners which permits authorities to access information without consent from all parties.

Export controls

3.14 UK export controls are designed to restrict the export and communication of various kinds of technology, knowledge or strategic goods, and apply equally to the academic community as to any other exporter.

3.15 Organisations should ensure they understand export controls as may apply to their projects and activities, noting that:

export controls may apply to data and algorithms as well as to products and services
the notion of an export may cover otherwise routine activities such as sending emails outside the UK
the exemption for basic scientific research does not apply if there are end-use, end-user, or destination concerns