Students will often work on a project where there is sensitive information involved, and where inappropriate sharing could cause harm, embarrassment or damage to the client, students and the University - in some cases breaking the law. Such information might be commercially sensitive, and/or personal information.
The client or the students may require that their Intellectual Property (IP) is protected, this is to ensure their designs and ideas cannot be copied by another party. IP can include things such as plans, financial information, designs, and technology. IP can be protected in a number of ways, the most common being copyright, trademarks, and patents.
This is not necessarily Intellectual Property, but can include personal data, such as names, addresses of clients, their clients. There are two main types of sensitive information.
- Personal information = Any sensitive information that can be traced back to the individual. Examples include things such as; biometric data, medical information, address, and date of birth.
- Business information = This is any information that potentially poses a risk to the organisation, if discovered by a competitor or the general public. Examples include acquisition plans, trade secrets and financial information.
Often, organisations will use a classification marking to protect their information. This is often the case in large organisations, especially government bodies and is restricted according to the level of data sensitivity. Example classifications you might see are: restricted, confidential, secret and top secret.
If you are not sure what restrictions such a classification marking places on the project, please ask the client.
Data Protection Act
The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.
Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damag
You must be clear, open and honest with people from the start about how you will use their personal data. Whilst there are some obvious uses, such as: to communicate, get in touch etc. Give some thought to the below additional uses:
- To share contact details with the students, the lecturers or the wider network of businesses on the project.
- To let you know about other knowledge services or products from the University.
- To let you know about opportunities to take part in the SEKE project next year.
Non-Disclosure Agreements (NDAs)
These are written agreements that restrict the sharing of information in some way. Some clients will insist on these, where the students and tutor need to sign that they understand the terms and conditions.
The vast majority of projects will not require an NDA. Instead, relationships require trust, and as all parties get to know each other better, and build that trust, this creates an environment for sharing information.
It is incumbent on all involved to behave ethically. This means:
- Being open, honest and not hiding mistakes.
- Not breaking the trust others have put in you, by casually sharing project information.
Potential scenarios and ways of managing these
- A client is developing a highly sensitive new product, where the details are crucial to the client’s success. The client asks each team member, and the tutor, to sign an NDA at project start.
- The student team has been asked to do some market research with members of the public or other stakeholders. It initially might seem attractive for the client to ask the students to do the research and claim that they are acting as independent students. In reality, the students are acting as agents or representatives of, or consultants to, the client, and so they must be upfront about who the project is for.
- The students have been asked to do some primary research. Your university will have procedures and rules about ethics in research, and these need to be interpreted appropriately for a SEKE project. The students may well collect personal details, but it may not be appropriate to share these with the client.
- Students may get carried away with enthusiasm for the project, and share details or stories (whether a project is going well or badly) with other students. It may be acceptable to share some details in a seminar group, as part of team learning. However, it is not appropriate for students to share sensitive information - i.e. do not gossip.
Clients may ask for their information to be protected and wider sharing minimised due to confidentiality. Often this can be done through Non Disclosure Agreements, and keeping sensitive information to a minimum. During the project process ensure you are keeping ethical standards high to protect yourself, the client and your university. Make sure that you familiarise yourself with the standards of confidentiality in the project and with all parties involved.