skip to primary navigationskip to content

JANET Policy on Research Use of Network Traffic Data

Cambridge University does not have a defined policy on research use of network traffic data. Until a local policy is defined, a starting point for guidance is the JANET Policy on Research Use of Network Traffic Data.

This document was originally published as "MF-POL-009 26th October 2009", and was previously available from the JISC website.

At the time of writing, the original copy is not available online. The following text has kindly been provided by Betty Willder, Legal information Specialist at Jisc Legal: www.jisclegal.ac.uk

 

Policy

1. As the operator of the JANET network, JANET(UK) has access to data about traffic flows across the network. The main use of this information is to ensure the proper operation of the network and to protect its customers and users of the network. However the information may also be useful for some types of research that may help the JANET network achieve these objectives in future. Subject to the availability of effort, JANET(UK) will therefore endeavour to work with researchers who wish to make use of this traffic data for these purposes.

2. Any use of traffic data for research must not affect any users or organisations connected to the network, nor hinder the normal operation or use of the network. It must also comply with JANET(UK)’s contractual obligations and the law, in particular the Data Protection Act 1998, Regulation of Investigatory Powers Act 2000 and associated legislation. A number of conditions, set out in this Policy, therefore apply to the collection, disclosure and use of the information.

3. Because of the complexity of the law in this area, each request for data will need to be assessed individually. In particular where joint research involves countries outside the UK, further conditions relating to cross-border transfers will need to be considered.

4. In order to protect the privacy of users of the network, the private content of network traffic may not be recorded or made available for research purposes. Only the following information may be used: traffic data as defined in section 21(6) of the Regulation of Investigatory Powers Act 2000 (data consisting of, or derived from, the headers that are needed by each protocol layer to route a communication from its origin to its destination), and information derived from content in such a way that the privacy of the original content is protected.

5. Where the research can be undertaken on anonymised data then this will be the only form of data that will be made available. Anonymised data will not contain original IP addresses, network numbers or other information that could associate it with a particular JANET(UK) customer or individual. This can be achieved, for example, by aggregating statistics across the whole network (for example where only port numbers are of interest), or by using standard algorithms to rewrite original addresses in ways that preserve structure and uniqueness while making recovery of the original values difficult. Appropriate methods of aggregation or anonymisation may be discussed with individual researchers. Where anonymised data is supplied, JANET(UK) will require a binding undertaking from the researcher’s organisation that no attempt will be made to strip away the anonymity and no data or statistics will be published that would allow others to do so.

6. If anonymised data are unsuitable for a particular research task, then JANET(UK) may make unanonymised data available. The researcher must demonstrate which parts of the data cannot be anonymised; other parts will be anonymised in the normal way. Where use of a type of unanonymised data appears to present a particular risk of harm, JANET(UK) reserves the right to impose additional conditions or exclude the data from disclosure. Where unanonymised data is made available JANET(UK) will require a binding commitment from the researcher’s organisation that the data will be protected against misuse. In particular the data must be secured against unauthorised access, must only be used for the particular research for which they were disclosed and must be deleted or anonymised thereafter, and must not be used for any purpose that might affect the individual or organisation to which they relate. Data or statistics from which individuals or organisations could be identified must not be published.

7. Where data cannot be obtained from JANET(UK)’s existing network equipment and operational systems, but where the research is of value to the future operation, development or planning of the network, JANET(UK) may be able to enter into contracts with researchers’ organisations to connect additional data collection equipment to the network. This might be done, for example, to develop ways to protect the network from misuse or to investigate the behaviour of large flows on the network. Such contracts will include terms to protect the privacy of users and organisations connected to the JANET network.