Example Scenarios-Visitor Access to IT Systems, Data, and Restricted Facilities Policy and Procedures
The following scenarios are designed to help sponsors and approval authorities assess the level of risk associated with granting visitors access to the University’s protected data, systems, or restricted facilities. By considering the visitor’s country of origin, the location of their organization, and the sensitivity of the data or facilities requested, these examples illustrate how visits can be categorized as high, medium, or low risk.
Approval authorities considering medium-risk and high-risk visits should seek specialist advice from the University Risk Office, who may refer the matter to the University’s Research Risk and Compliance Manager or New Zealand Government agencies for further specialist advice.
These scenarios should be read alongside the Visitor Access to IT Systems, Data, and Restricted Facilities Policy and Procedures and the accompanying FAQs.
Scenario A
An academic staff member is collaborating with a scientist from a research institute in Russia and requests visitor access to a restricted laboratory.
Course of action: Visitors from countries subject to New Zealand or United Nations sanctions are considered high-risk for any level of access so the sponsor or approval authority must consult with the Risk Office for specialist advice. The Risk Assessment will document the advice and the conditions of access in the event the visit is approved.
Scenario B
An academic staff member requests visitor approval for a postdoctoral researcher from a university in Germany, and the request includes access to restricted facilities and data.
Course of action: The visitor’s country of origin is an EU member, but they are requesting access to restricted facilities and data, so the visit would be categorised as medium-risk. The sponsor or approval authority must consult with the Risk Office for specialist advice which would inform the standard Risk Assessment, and the University may request additional supporting documents before granting access. The sponsoring staff member would be responsible for ensuring the visitor adheres to all security and compliance requirements agreed as part of any approval for access to the restricted facility.
Scenario C
A collaborator from a university in Brazil requests access to an internal database of sensitive demographic research used in policy studies.
Course of action: Brazil is outside the EU, OECD, and Pacific Islands, but the data they request is classified as sensitive, so the visit would be classified as medium risk and the sponsor or approval authority must consult with the Risk Office for specialist advice. The Risk Assessment would give particular attention to data-sharing agreements and sponsor oversight as a condition of any Approval.
Scenario D
A collaborator from a university in Australia requires access to a Canvas course for collaboration on curriculum development.
Course of action: The visitor’s country of origin is an OECD member, and the system requested contains only internal non-sensitive data, so the visit would be categorised as low-risk and can be approved without seeking specialist advice.
Sponsors and visitors can reach out to the Risk Office or the office of Research Operations, Ethics and Integrity with any questions.