Strategy and policies

The purpose of this policy is to support the University’s staff, students, visitors, affiliates, and contractors to comply with export control legislation and provide guidance that applies to University activities.

UK Strategic Export Control refers to legislation (The Export Control Order 2008) that restricts the transfer of certain goods, equipment, materials, software, and technology (including technical assistance, research data, designs, software, and know-how) from the UK to a destination or destinations outside the UK with the aim of protecting national security and preventing conflict, human rights abuse, weapons of mass destruction (WMD) proliferation and terrorism.

The University and its staff, students, visitors, affiliates, and contractors have a responsibility to ensure legal compliance with export control regulations related to activities, whether funded or unfunded, conducted on behalf of the University or as part of University business.

Non-compliance can result in very significant financial penalties and is a serious criminal offence with custodial sentences of up to 10 years, as well as potentially constituting a disciplinary offence. Violations of similar US legislation can also carry severe penalties or result in serious implications in the UK, including fines, revocation of licenses, or criminal penalties.

The laws around export control focus on two categories: (1) goods, software and technology that are specially designed or modified for military use; and (2) goods, software and technology that have a ‘dual use’ and could be used for both civilian and military applications.  

Items and/or technologies are also considered in line with assessments of any end user. That is, where the government views the potential end user of an export to be higher risk, even where the potential for military or dual use may seem limited, the export may be subject to requirements for export control licensing.   

The policy applies at the University to all its people, including but not limited to staff (including affiliate and honorary staff), students, visiting students and academics, and contractors.

This policy will overlap with other policies as well as additional legislative and/or regulatory requirements and therefore, while this list is not comprehensive, it should be noted that:

• Export control considerations also apply to exports that are prohibited by sanctions legislation. Further information about sanctions can be found in the University Sanctions Policy.
• Staff or Students may be required to apply for ATAS (Academic Technology Approval Scheme) certificates in relation to entering the UK for work or study.  People and Organisational Development (staff) or External Relations and/or International Student Support (students) provide support and advice on the requirements for staff or students joining the University.
• The National Security and Investment Act (NSIA) is legislation that is complementary to Export Control requirements in protecting national security. It focuses on investments and acquisitions rather than exports. Staff are encouraged to review the guidance and seek support or more information at an early stage if they suspect that their activities may require notification to the Government under the Act. 
• There may be additional regulatory and/or legislative requirements on exports relating, for example, to artworks, cultural goods, animals, plants, medicines, pathogens, radioactive substances, etc.   For more information, please contact the Safety and Environmental Protection Service or review the broader Government guidance on exporting goods. 
• Travel Safety and Risk Assessment – All individuals should assess the risks related to travel on behalf of the University, mitigating these as needed.  Support is available from the Safety and Environmental Protection Service and under the Policy for Business and Study Travel.
• Travel Insurance - All individuals should ensure that they are covered by appropriate travel insurance as detailed in the Policy for Business and Study Travel. This is available through the Travel, Risk, Insurance, and Compliance Approval Portal (TRICAP).
• IT and Cybersecurity – All individuals should ensure that they adhere to guidance about information security provided by IT Services and all relevant IT policies. This includes securing your information and your devices, including personal devices which interact with university systems or store data relevant to University business.

Individuals are responsible for their own adherence to this policy and for taking reasonable actions to prevent to prevent breaches of the legislation within the scope of their duties and responsibilities. 

All individuals identified as being in scope of this policy must make themselves aware of the requirements of the legislation / regulations, how these may apply to them, their work, and/or their area of responsibility, and take appropriate measures to mitigate risks or otherwise comply with the legislation.

• Line managers and supervisors should ensure that where export control compliance is relevant that individual responsibilities are clearly communicated.  
• It should be understood that even the casual exchange of information, items and/or technologies, such as via email or in meetings, could constitute a breach of the export control legislation.  
• Individuals are expected to act within the scope of their duties and responsibilities in adhering to the policy.  
• All individuals subject to this policy who are undertaking activities that may be an export or include the export of items and/or technologies must undertake due diligence to understand, record, and/or mitigate the risks related to activities and partnerships which are potentially subject to export controls.

These procedures will vary according to circumstances but may include efforts to undertake training, review and mitigate risks, apply for or comply with licensing, and seek support or guidance from others, e.g. the Finance Office, Research Services/RGIT, research support/operations teams, Legal and Contracts, reviewing funder requirements, reviewing advice from government entities, etc.

• Risk mitigation and management might include a broad array of activities that ensure that items and/or technologies are secured and/or are not shared inappropriately or accidently.  This may include adapting processes or adopting internal auditing processes.
• Due diligence should be embedded in activities from an early stage rather than only once a project or collaboration is agreed or funded, e.g. when considering invitations to speak internationally, meeting with colleagues or companies representing or working for internationally based entities, meetings colleagues at conferences, drafting proposals for funding, etc.

Activities that have been refused export control licensing or which have been agreed through relevant institutional processes to be unacceptable in the light of the export control legislation will not proceed.

Proposed activities that are subject to export control regulations will not proceed until an appropriate license is first obtained by the individual, and all necessary steps are taken to ensure that its conditions are fully implemented and being monitored.

Any member of the University who becomes aware of or is in receipt of a report of a potential breach of the legislation whether through routine auditing, internal processing or other mechanisms, or via queries from an external source must report it to appropriate staff and/or act to mitigate risks of a breach of the legislation. Any issues must be investigated and resolved urgently.

• If anyone is notified of issues, they should contact their line management, the Research Governance and Integrity Team (RGIT), and their College professional lead for research support/operations (or equivalent) in the first instance.

The strategic decision-making body in the University for Trusted Research matters is the Trusted Research Advisory Group (TRAG) although a number of University and College decision making entities will consider matters that relate to export control.  Escalation to TRAG will take place where the decisions are matters of institutional strategy, impact, or risk.

• TRAG may refer matters to Senior Management Group (SMG) for final decision or recommend that another University policy is more appropriate to deal with specific matters, e.g. disciplinary policies.

Export Control regulations can be more complex than simply the export from the UK of controlled or dual use items and/or technologies. All individuals should seek guidance from RGIT where it is suspected that additional regulations might apply. For example:

• Foreign nationals who are undertaking activities at the University should be aware that, in addition to UK, US and EU controls, they may also be subject to their home country’s export control laws (e.g. India, China) and are responsible for ensuring they comply with these laws.
• US Export Controls are extraterritorial and consider certain items and/or technologies to be ‘deemed exports’, meaning that US export control laws may apply in the UK to items and/or technologies of US origin and some uses or users may be prohibited. Individuals are urged to seek advice from RGIT where this might apply.

The consequences of violations of this policy will be proportionate to the violation. This might include disciplinary action by the University in the most serious cases, including but not limited to where clear guidance from TRAG or other responsible University authorities has been not followed or where activity has been undertaken despite the refusal of a license.

• It should also be understood that violations of export control legislation are also criminal matters for adjudication by relevant authorities with the potential for fines or custodial sentences.

Dual Use – Dual use items and/or technologies are those which can be used for both civil and military purposes. These are detailed in the UK Strategic Export Control List published by the UK Government. 

Export Control Joint Unit (ECJU) - ECJU administers the UK’s system of export controls and licensing for military and dual-use items. Contact with ECJU is made only though the Research Governance and Integrity Team.

Export - Export is construed widely and covers: (i) the physical, electronic and verbal transfer of controlled items from within the UK to a destination outside the UK (including within the EU); (ii) the transit of controlled items through the UK; and (iii) the transfer of controlled items within the UK for use in a WMD programme outside the UK (including teaching taking place in the UK). Export of controlled items can occur in a variety of activities such as academic and commercial collaborations, teaching, consultancy and licensing activities and even electronic transfer of data, such as through email, or travelling to a country overseas with a laptop or papers which contain controlled technology.

Items and/or technologies – The policy refers to ‘items and/or technologies’, but this should be construed broadly and understood to encompass the full range of physical, non-physical goods, technologies, materials, data, software, technical assistance, etc. to which the legislation and government guidance refer.

Research Collaboration and Advice Team (RCAT) - UK Government advice service with dedicated regional teams providing advice to research institutions on the national security risks linked to international research.  Contact with RCAT is made only though the Research Governance and Integrity Team.

Research Governance and Integrity Team (RGIT) - Professional team in the Research Services Directorate supporting compliance awareness, providing advice, guidance and training, supporting and coordinating with the Trusted Research Advisory Group, supporting licensing processes, and liaising with and coordinating technical assistance with UK Government entities.

Trusted Research - ‘Trusted research’ is a phrase widely used in the UK research and innovation sector to refer to activities, processes, systems, guidance, and support that seeks to protect research, intellectual property, people, and infrastructure from potential threats, misuse or exploitation and supports the integrity of international research collaborations. Similar terms are also used interchangeably, such as ‘research security or ‘responsible internationalisation’.

Trusted Research Advisory Group (TRAG) - Strategic advisory body for Trusted Research matters within the University. TRAG connects various other decision-making entities such as the Transnational Education Board, International Strategy Deliver Board, and College-level Committees through its membership and escalates decision-making to Senior Management Group (SMG) as needed.

 Roles and Responsibilities

Export Control Flowchart (pdf download)