Guidance

Research worker security: a quick reference guide

Published 1 December 2025

This quick reference guide is part of the defence research security guide for researchers.

Take accountability for the security of the information, data and assets you’re given by doing all of the following:

  • always follow the security requirements in your contract and related documents
  • create a strong security culture by following best practices set by the National Protective Security Authority (NPSA) and the National Cyber Security Centre (NCSC) to support defence contract delivery
  • adopt, apply and encourage positive security behaviours within your area of responsibility
  • ensure only people with permission and a genuine ‘need to know’ can access or see the information - unauthorised access is a security breach and must be reported
  • only discuss Ministry of Defence (MOD) information in an appropriate facility where no one else can overhear
  • don’t use personal devices for storing, transferring or communicating sensitive information, which will include all Defence Related Classified Material (DRCM)
  • maintain the security of DRCM by using the right security controls to communicate electronically
  • challenge poor behaviour of colleagues and visitors
  • report all breaches, incidents or ‘near-misses’ quickly and through the correct process

Be aware of your environment both inside and outside of your workspace by doing all of the following:

  • do not let anyone without permission access your workspace or access the sensitive information you are working on
  • ensure work is carried out securely at all times
  • ensure your facilities are suitable for securing information and any equipment containing sensitive information (for example, corporate phones, tablets, memory cards and so on) when unattended
  • consider your environment and the sensitivity of information if you are permitted to work remotely
  • don’t take MOD information overseas unless it’s been approved by the Contracting Authority (CA)
  • ensure all sensitive information is protected from anyone without permission

Manage information effectively by doing all of the following:

  • protect all sensitive and security classified information
  • correctly classify information (ask the Project Security Officer if you’re not sure)
  • consider if your recipient has a genuine ‘need to know’ before sending information to them
  • ensure anyone accessing DRCM (even at OFFICIAL) has been security screened or security cleared and approved by the CA
  • arrange security screening for administrators who may need to progress a contract
  • lock both hard and soft copy information away when not at your desk, even if only for a short period of time
  • understand the security aspects that require protection and ask for clarification if unsure
  • remember you are bound by the Official Secrets Act 1989 and the National Security Act 2023

Apply good cyber hygiene by doing all of the following:

  • understand and address the cyber risks
  • obtain Defence Cyber Certification as appropriate for the contract cyber risk profile
  • don’t move data to a cloud-based model or to an overseas location without CA authorisation - if permission is granted, you will most likely need additional cyber assurances
  • follow good practice as established by the NCSC

Protect your identity by:

  • not disclosing sensitive information about your work on social media or professional networking sites
  • not disclosing your level of security clearance on social media or professional networking sites, or discussing it with anyone who doesn’t ‘need to know’
  • not advertising your relationship with the CA unless it has been approved
  • checking the FCDO travel advice before travelling as UK adversaries can operate overseas - if you have a security clearance, contact your security team early on for travel advice

When working with others:

  • check the background of prospective suppliers and raise any concerns with the CA
  • ensure correct permissions are in place to sub-contract in the UK or overseas
  • ensure all project participants understand the security aspects and how to meet the requirements
  • ensure all relevant requirements are passed on to everyone involved in the supply chain, including service providers
  • monitor sub-contractor or service provider compliance

To avoid delay, complete all security documents and application forms, such as the Dstl Research Worker Personal Particulars form, and attach requested document copies to your submission.