
Add example questions for researchers considering web resource / app development #6

Open
ekuw opened this issue Mar 14, 2022 · 0 comments


ekuw commented Mar 14, 2022

Things to think about and areas that need to be managed when running services/tools/applications etc.

The key message is that the governance process is in place to allow people to run services (however small) safely and there are a lot of risks that individuals shouldn't be managing themselves (even unwittingly) - the process is intended to prevent that. Note that the IT Business Partners can work with researchers to support them through the process:-
https://uob.sharepoint.com/sites/itservices/SitePages/business-partners.aspx

There are many questions that need answering, a set of example questions are:-

  1. Who owns the intellectual property for the code that the third party develops, where is that stored and who has access to it? Also, see 11).

  2. Where are the servers hosting the service located? This matters under UK data protection law and applies even if the service doesn't store obvious user data (e.g. email addresses) but simply captures things like IP addresses in server access logs (which do as a matter of course). If you're hosting in the US, for example, then that's not considered to provide data protection analogous to our own laws so you normally need separate agreements to cover that.

  3. What data about individuals is being collected and has this been assessed and deemed appropriate/proportionate? Are the individuals' rights explained to them regarding the collection, use, retention and destruction of that data as required by law? Are these processes being followed?

  4. If the UoB receives a Subject Access Request and you hold data about that person because they are using your service, how will the secretary's office know and be able to respond?

  5. What are the backup and data recovery policies for the service? Many commercial web hosts explicitly exclude responsibility for backups in their ToS and backups are your responsibility as the customer. This is especially problematic for databases since the content could change very frequently but it is almost always your responsibility to back these up. How you do this securely and reliably can be a headache.

  6. Who maintains the code and is responsible for security updates? Software like Django has many security releases per year, so who is responsible for applying these updates in a timely manner? Who is checking that this is happening and that the code isn't vulnerable and rotting on a server somewhere? What happens when the software is end-of-life and who migrates to the next version? We commonly use the LTS versions of Django in our team, but they are only maintained for 3 years, so we are regularly on, or planning, an upgrade for various projects. Someone just silently abandoning a running service and not doing updates (or just not checking) should be a major concern for these sorts of small ad-hoc projects. It's also not just limited to the main software you're using: projects often have package dependencies, so how are these tracked and who is applying these updates? Given that researchers tend to put code in public code repos, it's easy to go and look at them for out-of-date dependencies or secrets too.

  7. If there is a data breach then who is responsible for contacting the UoB secretary's office given there is a maximum legal notification time now?

  8. Does the site have all the relevant privacy policy and cookie information as required by the relevant laws?

  9. If you're using third party companies and hosters then do you have signed data processor agreements and where are those agreements lodged?

  10. What documentation exists and where is it held? What happens if the person running the service no longer looks after it? If an individual is paying hosting then what happens if they just stop?

  11. If someone is writing a package (rather than creating some publicly available app) then do you know who actually owns the output? For example, I'm paid to write code for research projects but the UoB owns everything I write at work (and there are restrictions on what I do outside work too for that matter!) so they need to be consulted on what happens to that code since it's not mine to decide. This tends to be something that RED does rather than ITS via the NSDD but it's still important and not based on assumptions.
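The kind of check that question 6 describes (looking over a public repo for unpinned or out-of-date dependencies and for committed secrets) can be automated. The script below is an added illustration, not code from this issue or from any University tooling: it parses a constructed `requirements.txt`, flags entries that are not pinned to an exact version or that fall below a hypothetical team-maintained support floor (`MINIMUM_SUPPORTED`, an assumption, not a vulnerability database), and greps constructed file contents for a few well-known secret formats (AWS access key IDs, GitHub tokens, PEM private keys, and Django's `django-insecure-` default `SECRET_KEY` prefix). All sample inputs are made up for the example.

```python
import re

# Constructed sample requirements file, as it might appear in a small research project repo.
SAMPLE_REQUIREMENTS = """\
Django>=3.2
requests==2.25.1
psycopg2-binary
gunicorn==20.1.0  # pinned
"""

# Constructed sample repo files; the values are fake and chosen only to trigger the patterns.
SAMPLE_FILES = {
    "settings.py": 'SECRET_KEY = "django-insecure-abc123"\nDEBUG = True\n',
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Run `pip install -r requirements.txt`.\n",
}

# Hypothetical policy floor (an assumption for this example): the oldest version of each
# package the team still treats as supported. Someone has to maintain this by hand, which is
# exactly the ownership question the issue raises.
MINIMUM_SUPPORTED = {"django": (3, 2), "requests": (2, 31)}

# Patterns for secret formats that are commonly committed by accident.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("django_secret_key", re.compile(r"SECRET_KEY\s*=\s*['\"]django-insecure-")),
]

# name, optional comparison operator, optional version (enough for simple pip-style lines).
REQ_LINE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|~=|<=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")


def parse_version(text):
    """Turn '2.25.1' into (2, 25, 1); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def audit_requirements(text):
    """Return a list of findings for unpinned or below-floor requirements."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            findings.append({"package": line, "issue": "unparsed requirement"})
            continue
        name, op, version = m.group(1), m.group(2), m.group(3)
        key = name.lower()
        if op != "==" or version is None:
            findings.append({"package": name, "issue": "not pinned to an exact version"})
        elif key in MINIMUM_SUPPORTED and parse_version(version) < MINIMUM_SUPPORTED[key]:
            floor = ".".join(str(n) for n in MINIMUM_SUPPORTED[key])
            findings.append({"package": name, "issue": f"{version} is below supported floor {floor}"})
    return findings


def scan_for_secrets(files):
    """Return (path, line number, pattern label) for every line matching a secret pattern."""
    hits = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for label, pattern in SECRET_PATTERNS:
                if pattern.search(line):
                    hits.append((path, lineno, label))
    return hits


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"dependency: {f['package']}: {f['issue']}")
    for path, lineno, label in scan_for_secrets(SAMPLE_FILES):
        print(f"secret: {path}:{lineno}: {label}")
```

Run against a real checkout this would be pointed at the repo's `requirements.txt` and walked over its files; the regexes are deliberately narrow so that a hit is worth acting on, and the support floor is a stand-in for whatever the team's own upgrade policy (the issue's 3-year LTS window, for example) says.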

ekuw added a commit that referenced this issue Jul 15, 2022
Include all-contributors update in parent repo