Security Intelligence

Security for Academic Researchers and Fieldworkers in High-Risk Environments | CloseProtectionHire

Q: "What duty of care obligations do UK universities have for staff conducting overseas fieldwork?"

"UK universities have a legal duty of care under the Health and Safety at Work Act 1974 and the Management of Health and Safety at Work Regulations 1999 to take reasonably practicable steps to protect employees (including academic staff and funded researchers) from foreseeable risks, including those arising from overseas fieldwork. The UCEA (Universities and Colleges Employers Association) Overseas Fieldwork Guidelines provide a sector-specific framework. Under ISO 31030:2021 (Travel Risk Management), which applies to any organisation sending personnel abroad, the institution must conduct a documented risk assessment, implement proportionate mitigations, and maintain a plan for emergency assistance. The institution cannot delegate this duty to the individual researcher. Ethics committee approval is required for fieldwork involving human subjects and is increasingly used as the vehicle for integrating security risk assessment into fieldwork design -- but ethical approval does not substitute for a security risk assessment."

Q: "How is researcher security different from journalist security in high-risk environments?"

"Academic researchers and journalists share many security challenges in high-risk environments but have operationally significant differences. Journalists typically work with editorial and news organisations that have institutional security frameworks, insurance arrangements, and 24/7 support desks (Reuters, BBC, AFP, AP all have security units). Many researchers work independently or through university structures that have limited operational security capability. Journalists typically have short deployments with clear editorial outputs; researchers often have extended deployments (weeks to months) that create greater risk from pattern-of-life analysis, local community integration risks, and sustained exposure to local security services. Researchers' cover story (academic research) may attract more sustained intelligence service attention than journalism in some authoritarian states, particularly for research into sensitive political, historical, or social science topics. The key operational difference is often the absence of institutional security support -- a freelance researcher at a remote field site has fewer resources available in an emergency than a BBC journalist in the same location."

Q: "What digital security protocols should researchers apply in authoritarian states?"

"Researchers visiting authoritarian states for fieldwork -- particularly those researching politically sensitive topics (governance, human rights, minority communities, religious practices, corruption, conflict) -- should apply the same clean device protocol recommended for journalists and executives. This means: a travel-dedicated device with minimal stored data, full-disk encryption (iOS/Android both offer this by default when a strong passcode is set), VPN access where legally permitted (check country-specific legality), Signal for communications with contacts, understanding that hotel room entry by security services is possible in high-risk authoritarian states (power off devices, use a tamper-evident indicator), and a plan for research data handling (field notes stored encrypted, transmission of sensitive data via SecureDrop or equivalent, not email). The NCSC and EFF both publish specific guidance for researchers in authoritarian environments. The additional consideration for researchers is that interview recordings and field notes may be evidence of informant relationships -- device seizure at a border crossing puts sources at risk, not just the researcher."

Q: "What is a fixer and what security vetting should apply to fieldwork fixers?"

"A fixer is a local contact (often a journalist, researcher, or community member) who provides translation, local knowledge, logistics support, and access to research communities. In high-risk environments, the fixer is one of the most significant security variables. A poorly vetted fixer may have relationships with local security services, militia, organised crime, or community factions that create risk for the researcher. Vetting should include: reference verification through the journalist community or academic community in the relevant country (colleagues at local universities, OSAC contacts, existing field relationships), understanding of the fixer's existing network relationships (who do they know in local security services or militia structures -- this is contextual intelligence rather than a disqualifier), digital security alignment (does the fixer use secure communications or does the fixer's communications profile expose your research network), and a contingency plan for what happens if the fixer is arrested, disappears, or is compromised. The fixer relationship also requires a clear briefing on the researcher's check-in protocol, emergency contact, and the concept of a duress word or phrase that signals distress without triggering an overt response."

Q: "What MEDEVAC and emergency planning should academic researchers have before high-risk fieldwork?"

"MEDEVAC planning for academic fieldwork in high-risk environments is non-negotiable under the university's duty of care obligation. The minimum requirement is: comprehensive travel insurance with a specific medical evacuation benefit (not just repatriation of remains), confirmed cover for the specific activities being undertaken (some policies exclude hazardous research contexts), a named assistance provider with 24/7 emergency response (International SOS, Global Rescue, or similar), and a check-in protocol that defines frequency and triggers emergency response if a check-in is missed. For remote fieldwork, the MEDEVAC logistics plan must address the specific access limitations of the field site -- helicopter access, ground evacuation route, nearest hospital with trauma capability, and the time-distance calculation to medical care. The Wilderness Medical Society and HRA (Himalayan Rescue Association) resources are relevant for researchers in high-altitude or remote natural environments."

Security planning for academic researchers conducting fieldwork in high-risk countries: university duty of care, GISF guidelines, digital security in authoritarian states, fixer management, check-in protocols, and MEDEVAC planning.

4 May 2026

Written by James Whitfield

Speak to the Team

Academic researchers who conduct fieldwork in high-risk environments face security challenges that are operationally distinct from both the corporate traveller and the professional journalist. They often operate with fewer institutional resources, longer deployment periods, more sensitive data relationships with local communities, and less established security infrastructure than either comparator group. At the same time, their universities carry a legal duty of care that institutional procedures frequently fail to operationalise adequately.

This guide covers the specific security requirements for academic researchers conducting fieldwork in high-risk environments, drawing on the legal duty of care framework, GISF guidelines, and practical operational security considerations.

The Duty of Care Framework

UK universities are employers under the Health and Safety at Work Act 1974 and are bound by the Management of Health and Safety at Work Regulations 1999 to take reasonably practicable steps to protect employees from foreseeable risks. Overseas fieldwork in conflict-affected, authoritarian, or high-crime environments is a foreseeable risk environment, and the institution cannot delegate responsibility to the individual researcher through a form-signing process.

ISO 31030:2021 (Travel Risk Management) applies to any organisation sending personnel abroad. It requires documented risk assessment, proportionate mitigations, a duty of care programme, and emergency assistance arrangements. UCEA (Universities and Colleges Employers Association) has produced specific Overseas Fieldwork Guidelines that apply the general framework to the academic context.

The integration of security risk assessment with ethics committee approval is common but insufficient. Ethics committees review research design and participant protection. Security risk assessment addresses the physical and digital safety of the researcher in the field environment. These are related but separate obligations, and ethics committee sign-off does not discharge the security risk assessment duty.

How Academic Researcher Security Differs from Journalism Security

Journalists working for major news organisations benefit from institutional security frameworks: the BBC, Reuters, AFP, and AP all have specialist security units, 24/7 support desks, K&R insurance arrangements, and operational experience in high-risk environments. A reporter for the BBC in Lagos operates with institutional security backing that most academic researchers cannot access.

The operationally significant differences for researchers are:

Extended deployments: Months-long fieldwork in a single location creates observable patterns of life that short journalistic visits do not. The researcher who visits the same community daily for three months, stays in the same accommodation, and maintains fixed meeting times is predictable in ways that create exploitable vulnerabilities.

Research topic sensitivity: Research into governance, human rights, minority communities, conflict dynamics, religious practice, or economic corruption in authoritarian states may attract more sustained security services attention than journalism on comparable topics. The researcher’s academic position does not provide the same journalistic protection framework.

Source relationships: The researcher’s field notes, interview recordings, and contact lists are evidence of relationships with community members who trusted the researcher. Device seizure exposes sources to risk. This is source protection as much as personal security.

Institutional resource gap: A freelance postdoctoral researcher at a remote field site typically has no 24/7 security support desk, no K&R policy, and no institutional security advisor. The gap between duty of care obligation and operational resource is widest for this group.

Check-In Protocols

A check-in protocol is the minimum operational security requirement for any solo or small-group fieldwork deployment in a high-risk environment. The elements are:

Frequency: Daily check-ins for high-risk environments (FCDO Level 3 or 4 advisories); every 48 hours for moderate-risk environments.

Contact: A named designated contact (not an automated system) who is empowered to initiate the emergency protocol if a check-in is missed.

Missed check-in protocol: What happens if a check-in is missed at time T – a specific sequence of escalation steps, with defined decision points and contacts.

Duress signal: A predetermined word or phrase that signals distress without triggering an overt response. A researcher who reports in normally but says their duress phrase is communicating that they are under coercion.

The check-in protocol must be documented before departure, shared with the designated contact, and tested before the researcher leaves the field base.

Digital Security in Authoritarian States

Researchers investigating politically sensitive topics in authoritarian states face an active digital security threat. Security services in states like Russia, China, Belarus, Eritrea, Iran, and others actively monitor communications of foreign researchers and have technical capability to access devices at border crossings.

The clean device protocol – a travel-dedicated device with minimal stored data, no access credentials for institutional systems, full-disk encryption, and no pre-installed research data – is the baseline. Sensitive field notes and interview materials should be stored encrypted and transmitted to secure institutional storage at regular intervals, not accumulated on the travel device.

Signal is the default communications platform for sensitive contact. Interview recordings on a device that crosses a border create risk for sources. The established protocol is to encrypt and transmit recordings to secure storage before any border crossing or movement through high-risk checkpoints.

For NGO and humanitarian workers facing comparable security challenges in the field, see our NGO and humanitarian worker security guide. For the university campus security framework covering institutional obligations under Martyn’s Law and the Counter-Terrorism and Security Act 2015, see our university campus security guide.

Sources

Health and Safety at Work Act 1974. Management of Health and Safety at Work Regulations 1999. UCEA: Overseas Fieldwork Guidelines 2024. ISO 31030:2021 Travel Risk Management. GISF: Safety Management for Academic Field Research 2024. NCSC: Digital Security Guidance for Researchers 2024. EFF: Security in a Box for Researchers and Journalists 2024. Wilderness Medical Society: Field Practice Guidelines 2019. HRA (Himalayan Rescue Association): Remote Fieldwork Medical Planning 2024. FCDO: Travel Advisories April 2026. International SOS: Academic Sector Duty of Care Survey 2024. OSAC: Country Security Reports for high-risk fieldwork destinations 2024.

For policy research organisations and think tanks – which face a closely related threat profile including state-sponsored targeting, conference elicitation at academic events, and email compromise of researchers – see our security for think tanks and policy research guide. For NGO and development sector workers – who often operate alongside academic fieldwork teams in high-risk environments and whose HEAT training, Saving Lives Together protocols, and duty of care frameworks are directly relevant – see our security for NGO and development sector workers guide.

James Whitfield is a Senior Security Consultant with 20 years of experience in corporate security, travel risk management, and security programme design across high-risk environments globally.

Summary

Key takeaways

The university duty of care under HSWA 1974 and ISO 31030:2021 is not discharged by ethics committee approval -- security risk assessment is a separate institutional obligation

Ethics committees assess research methodology and participant protection. Security risk assessment addresses the physical and digital safety of the researcher and their sources. Some universities have integrated both into a single field research approval process; many have not. A researcher in a high-risk environment who has ethics committee approval but no documented security risk assessment, no emergency contact protocol, and no MEDEVAC arrangement is not covered by the institution's duty of care -- and the institution may face liability if something goes wrong.

Researchers' interview recordings and field notes are potential evidence of informant relationships -- device security is also source protection

In states where research into sensitive topics is politically dangerous, a researcher's device contains more than their own personal data. It contains the names, contact details, and recorded statements of community members who trusted the researcher. Device seizure at a border crossing, hotel room search, or field arrest can put those sources at physical risk. Encryption, minimal data storage on the travel device, and transmission of sensitive data to secure institutional storage before any border crossing are source protection measures as much as personal security measures.

Extended fieldwork deployments create pattern-of-life vulnerabilities that short visits do not -- vary routines, accommodation, and routes as standard practice

A researcher who spends three months conducting interviews in the same community, staying at the same accommodation, using the same transport route, and visiting the same local contacts daily has created an observable, predictable pattern that any actor wishing to monitor or intercept them can exploit. Variation in accommodation, routes, meeting times, and the sequence of research activities is not paranoia -- it is standard operational security for any extended deployment in an environment with any security services interest.

The fixer is the most consequential security variable in high-risk fieldwork -- invest the same vetting rigour in the fixer that you would apply to a specialist security contractor

An unvetted fixer in a conflict-affected environment, or in a state where the security services actively recruit community members to monitor foreign researchers, represents a vulnerability that no amount of personal security planning can fully compensate for. Reference checks through the journalist and academic community in the relevant country, digital security assessment, and a clear briefing on emergency protocols are the minimum threshold before any high-risk fieldwork fixer relationship proceeds.

GISF's academic safety framework provides a sector-specific starting point for institutions developing fieldwork security policies -- it is more operationally specific than generic ISO 31030:2021 guidance

The Global Interagency Security Forum (GISF) has published specific guidance on safety management for academic field research, drawing on best practice from the humanitarian sector. For university security managers and research administrators developing fieldwork security frameworks, GISF's resources are more operationally specific to the academic context than generic travel risk management guidance. The GISF academic safety programme includes risk assessment templates, check-in protocol guidance, and incident reporting frameworks.

FAQ

Frequently Asked Questions

UK universities have a legal duty of care under the Health and Safety at Work Act 1974 and the Management of Health and Safety at Work Regulations 1999 to take reasonably practicable steps to protect employees (including academic staff and funded researchers) from foreseeable risks, including those arising from overseas fieldwork. The UCEA (Universities and Colleges Employers Association) Overseas Fieldwork Guidelines provide a sector-specific framework. Under ISO 31030:2021 (Travel Risk Management), which applies to any organisation sending personnel abroad, the institution must conduct a documented risk assessment, implement proportionate mitigations, and maintain a plan for emergency assistance. The institution cannot delegate this duty to the individual researcher. Ethics committee approval is required for fieldwork involving human subjects and is increasingly used as the vehicle for integrating security risk assessment into fieldwork design – but ethical approval does not substitute for a security risk assessment.

Academic researchers and journalists share many security challenges in high-risk environments but have operationally significant differences. Journalists typically work with editorial and news organisations that have institutional security frameworks, insurance arrangements, and 24/7 support desks (Reuters, BBC, AFP, AP all have security units). Many researchers work independently or through university structures that have limited operational security capability. Journalists typically have short deployments with clear editorial outputs; researchers often have extended deployments (weeks to months) that create greater risk from pattern-of-life analysis, local community integration risks, and sustained exposure to local security services. Researchers’ cover story (academic research) may attract more sustained intelligence service attention than journalism in some authoritarian states, particularly for research into sensitive political, historical, or social science topics. The key operational difference is often the absence of institutional security support – a freelance researcher at a remote field site has fewer resources available in an emergency than a BBC journalist in the same location.

Researchers visiting authoritarian states for fieldwork – particularly those researching politically sensitive topics (governance, human rights, minority communities, religious practices, corruption, conflict) – should apply the same clean device protocol recommended for journalists and executives. This means: a travel-dedicated device with minimal stored data, full-disk encryption (iOS/Android both offer this by default when a strong passcode is set), VPN access where legally permitted (check country-specific legality), Signal for communications with contacts, understanding that hotel room entry by security services is possible in high-risk authoritarian states (power off devices, use a tamper-evident indicator), and a plan for research data handling (field notes stored encrypted, transmission of sensitive data via SecureDrop or equivalent, not email). The NCSC and EFF both publish specific guidance for researchers in authoritarian environments. The additional consideration for researchers is that interview recordings and field notes may be evidence of informant relationships – device seizure at a border crossing puts sources at risk, not just the researcher.

A fixer is a local contact (often a journalist, researcher, or community member) who provides translation, local knowledge, logistics support, and access to research communities. In high-risk environments, the fixer is one of the most significant security variables. A poorly vetted fixer may have relationships with local security services, militia, organised crime, or community factions that create risk for the researcher. Vetting should include: reference verification through the journalist community or academic community in the relevant country (colleagues at local universities, OSAC contacts, existing field relationships), understanding of the fixer’s existing network relationships (who do they know in local security services or militia structures – this is contextual intelligence rather than a disqualifier), digital security alignment (does the fixer use secure communications or does the fixer’s communications profile expose your research network), and a contingency plan for what happens if the fixer is arrested, disappears, or is compromised. The fixer relationship also requires a clear briefing on the researcher’s check-in protocol, emergency contact, and the concept of a duress word or phrase that signals distress without triggering an overt response.

MEDEVAC planning for academic fieldwork in high-risk environments is non-negotiable under the university’s duty of care obligation. The minimum requirement is: comprehensive travel insurance with a specific medical evacuation benefit (not just repatriation of remains), confirmed cover for the specific activities being undertaken (some policies exclude hazardous research contexts), a named assistance provider with 24/7 emergency response (International SOS, Global Rescue, or similar), and a check-in protocol that defines frequency and triggers emergency response if a check-in is missed. For remote fieldwork, the MEDEVAC logistics plan must address the specific access limitations of the field site – helicopter access, ground evacuation route, nearest hospital with trauma capability, and the time-distance calculation to medical care. The Wilderness Medical Society and HRA (Himalayan Rescue Association) resources are relevant for researchers in high-altitude or remote natural environments.

Get in Touch

Request a Consultation

Describe your security requirements below. All enquiries are confidential and handled by licensed consultants.