CASRAI Dictionary

Tag: research compliance

  • NSPM-33 Research Security: Disclosure & Programmes

    National Security Presidential Memorandum 33 (NSPM-33) set US policy on strengthening protections for federally funded research and development. It directs federal funding agencies to standardise and clarify disclosure requirements for participants in research, and it asks certain research institutions to establish research-security programmes. This article is a neutral explainer of what NSPM-33 covers; it is not legal or compliance advice, and the binding detail lives in each agency’s implementing rules.

    What NSPM-33 is trying to do

    NSPM-33 responds to concerns about the integrity of the research enterprise — chiefly around undisclosed conflicts of interest and commitment, and the risk of inappropriate transfer of federally funded research results. Its core principle is that openness and security can coexist: it reaffirms that fundamental research should remain open while asking the system to be more transparent about affiliations, support and commitments so that risks can be identified and managed.

    Importantly, the memorandum directs agencies to act consistently. A recurring frustration before NSPM-33 was that different agencies asked for disclosures in different formats and used different definitions. A central aim is to harmonise those expectations across the federal government.

    Standardised disclosure requirements

    The disclosure element asks that researchers consistently report information relevant to identifying conflicts of interest and conflicts of commitment. In broad terms this includes current and pending research support, professional appointments and positions, and other affiliations and resources that could bear on the integrity of the research.

    • Current and pending support: all sources of research funding, foreign and domestic.
    • Appointments and positions: including foreign appointments and titles.
    • Other support and in-kind resources: resources that benefit the research effort.
    • Consistency: common forms and definitions so disclosures are comparable across agencies.

    The emphasis is on completeness and accuracy rather than on prohibiting international collaboration. Disclosure makes relationships visible so that genuine conflicts can be evaluated and managed.

    Research-security programmes: the four elements

    NSPM-33 also contemplates that covered institutions receiving federal science funding above a defined level maintain a research-security programme. As described in implementation guidance, such programmes are generally built around four elements:

    • Cybersecurity: protecting research data and systems.
    • Foreign-travel security: tracking and supporting security for international research travel.
    • Research-security training: educating researchers on risks and obligations.
    • Export-control training: ensuring awareness of export-control responsibilities.

    The export-control element connects research security to a separate, long-standing legal regime. For background on how export controls treat openly published research, see our explainer on the fundamental-research exclusion, which is central to understanding what NSPM-33 does and does not restrict.

    Openness and security as complementary goals

    A theme worth drawing out is that NSPM-33 frames openness and security not as opposites but as goals to be balanced. The US research enterprise has long derived strength from international collaboration and the open exchange of ideas, and the memorandum is explicit that it does not seek to undermine that openness or to discourage legitimate international partnership. Instead, it aims to make the system more resilient to a narrow set of risks — undisclosed conflicts and inappropriate transfer of results — while leaving the open, collaborative character of fundamental research intact. The emphasis on transparency rather than prohibition is the practical expression of that balance.

    The fundamental-research principle

    A key point of reassurance in NSPM-33 is that it does not seek to close off basic and applied research that is ordinarily published and shared. Long-standing US policy treats such fundamental research as outside many export-control restrictions precisely because it is openly disseminated. NSPM-33 operates alongside that principle: it improves transparency about who is involved and how they are supported, rather than reclassifying open research as controlled.

    This is why disclosure, not restriction, is the dominant tool. The aim is informed risk management — knowing the affiliations and support behind a project — rather than blanket limits on collaboration. Our broader research-compliance overview situates these expectations within the wider grants framework.

    Conflicts of interest versus conflicts of commitment

    NSPM-33’s disclosure emphasis turns on two related but distinct concepts that are worth separating. A conflict of interest arises when an external financial or personal interest could bias the design, conduct or reporting of research. A conflict of commitment arises when outside obligations — such as an undisclosed appointment at another institution — compete with the time and intellectual commitments a researcher owes to their primary employer and to a funded project.

    Much of the concern that motivated NSPM-33 involved undisclosed conflicts of commitment, where affiliations or support were not reported. The disclosure framework is designed to surface both kinds of conflict so they can be evaluated. Disclosure does not by itself imply wrongdoing; it is the mechanism that allows institutions and agencies to distinguish benign, well-managed relationships from genuine problems.

    What institutions did in practice

    In response, many research institutions reviewed and updated their conflict-of-interest and conflict-of-commitment policies, refreshed disclosure processes, and built or formalised research-security functions covering the four programme elements. Some appointed designated research-security officials or points of contact, expanded training, and integrated disclosure checks into proposal and award workflows. Because the requirements are implemented through individual agency rules and award terms, the specific obligations an institution faces depend on which agencies fund it and at what level, and institutions track the rules of each relevant funder rather than assuming a single uniform standard.

    The headline is a balance: NSPM-33 pairs clearer, standardised disclosure with structured research-security programmes, while preserving the openness of fundamental research. For authoritative detail, institutions consult the implementing guidance from the relevant federal agencies and OSTP at whitehouse.gov/ostp. For related terminology, see our standards dictionary.

  • Research compliance as structured metadata: IRB/REC, GDPR and MTAs

    Most researchers experience compliance as a sequence of forms: an ethics application here, a data-protection assessment there, a signed agreement before a reagent can cross an institutional boundary. Each is completed under deadline pressure, filed as a PDF, and rarely consulted again. Yet the facts those documents record — that a study was approved, that personal data are processed under a defined legal basis, that a material was transferred under stated conditions — are exactly the facts that funders, regulators, repositories, and downstream researchers later need to check. This article sets out how the main compliance frameworks fit together, and why representing them as structured metadata, drawing on the compliance and regulatory domain, turns a paperwork burden into reusable infrastructure.

    Ethics review: one function, many names

    The oversight of research involving human participants is a near-universal requirement, but its institutional form varies by jurisdiction, and the vocabulary trips people up. In the United States the reviewing body is the Institutional Review Board (IRB); in the United Kingdom and much of Europe it is the Research Ethics Committee (REC); in Australia it is the Human Research Ethics Committee (HREC). These are not different things so much as the same function under different names and statutes, and a controlled vocabulary should treat them as such rather than privileging one country’s term.

    The review itself is not monolithic. Most regimes distinguish levels of scrutiny calibrated to risk: an exempt review for studies meeting defined exemption criteria, an expedited review for minimal-risk work, and a full board review for higher-risk studies considered by the whole committee. The agreement that lets a participant take part is informed consent — a documented agreement to participate after being told the nature and risks of the research — with variants such as broad consent for unspecified future use, and an ethics-approved waiver of consent where standard procedures are omitted.

    Data protection: GDPR’s defined roles

    Where research touches personal data, ethics approval is necessary but not sufficient; data-protection law applies in its own right. In the European Union and, in near-identical form, the United Kingdom, the governing instrument is the General Data Protection Regulation (GDPR), and its precision is a feature, not an obstacle. GDPR assigns defined roles: a data controller is the entity that determines the purposes and means of processing, and a data processor processes personal data on the controller’s behalf. The distinction is not pedantic — it determines who carries which legal obligation — and a study that cannot say which party is controller and which is processor has a real gap, not merely a documentation one.

    For higher-risk processing, GDPR requires a Data Protection Impact Assessment (DPIA): a structured analysis of the risks a processing activity poses to data subjects, and the measures taken to mitigate them. The DPIA is the data-protection analogue of the ethics application, and like it, it tends to be written once and shelved. Comparable regimes exist elsewhere — the United States governs protected health information under HIPAA — while the international ethical baseline for medical research remains the Declaration of Helsinki.

    Material transfer: the agreement that governs the sample

    The third pillar is contractual rather than regulatory. A Material Transfer Agreement (MTA) is a legal agreement governing the transfer of research materials — cell lines, reagents, datasets, biological samples — between institutions. The MTA sets out what the recipient may do with the material, what they may not, who owns any derivatives, and what acknowledgement or rights flow back to the provider. It is easy to treat the MTA as a one-off signature, but its terms persist for the life of the material and everything derived from it, which is precisely why its conditions need to travel as data rather than languish in a signed PDF.

    An MTA whose terms are buried in a scanned signature page is a constraint nobody can check. The same agreement, recorded as structured conditions linked to the material and the receiving project, is a constraint a system can enforce — flagging, for instance, that a derivative dataset inherits a no-redistribution clause before it is deposited openly.

    Compliance does not stop there. A conflict of interest, whether financial or personal, and export-controlled technology rules under regimes such as the EAR and ITAR, are further disclosable facts that arrive as yet more forms asking for information the institution already holds somewhere.

    Why this is, at bottom, a metadata problem

    Here is the connection to CASRAI’s mission. Almost every compliance artefact records a structured fact: a study has an approval reference and an approving committee; a processing activity has a controller, a legal basis, and a DPIA; a material moves under an MTA with stated conditions. The burden researchers feel as oppressive is largely the burden of re-entering those facts, by hand, in each system’s format — ethics portal, funder report, repository deposit form, institutional register. A regime that demands manual re-keying manufactures exactly the transcription errors it later treats as compliance failures.

    Anchoring compliance records in persistent identifiers changes this. An approval linked to its project by a RAiD, an institution identified by a ROR ID, an investigator by an ORCID iD, and a funder by its registry ID, becomes a checkable assertion rather than a typed paragraph. A repository can read that a dataset’s underlying study was approved and that its MTA permits deposit; a funder can verify that a DPIA exists for a project processing personal data — without anyone reconstructing the paperwork from memory. This is the same dividend that structured grant and disclosure data pay throughout research administration: enter each fact once, read it everywhere.

    Where shared vocabulary fits

    The terms in this area are easy to misuse and the cost of misuse is real: an IRB and an REC are the same function, not different standards; a controller is not a processor; a DPIA is a specific assessment, not a synonym for “we thought about privacy”. A shared, federated vocabulary that defines these precisely — pointing back to the relevant national regulators and to the Declaration of Helsinki for the ethical baseline rather than inventing its own meanings — is what lets a compliance assertion made in one system be understood and checked in another. Supplying that definitional layer is the role the CASRAI dictionary is designed to play.

    What to do now

    For researchers: maintain approvals, data-protection roles, and MTA conditions as structured records linked to the project, not as orphaned PDFs. For institutions: build compliance registers that generate funder and repository disclosures from authoritative, identifier-anchored facts rather than from re-keyed forms. For standards work: pin down the precise definitions that separate ethics review levels, controller from processor, and one agreement type from another, federating to the authoritative regulators for the normative content.

    Related reading