- Chatroom: An online location where individuals can come together to have text-based discussions that occur in real time.
- Data Mining: The process of analyzing collected data from different perspectives and summarizing it into useful information.
- Identifiable Private Information: For purposes of this guidance and as defined in the regulations, information is identifiable if the identity of the subject is or may readily be ascertained by the investigator or associated with the information.
- Private Information: For purposes of this guidance and as defined in the regulations, information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information that has been provided for specific purposes by an individual and that the individual can reasonably expect will not be made public.
Confidentiality or anonymity
Researchers conducting online research should be careful not to make guarantees of confidentiality or anonymity, as the security of transmissions over the Internet differs depending on the specific protections used. Investigators need to address how they intend to assure confidentiality of the data collected, keeping in mind that the degree of concern and protection is directly related to the sensitivity of the data.
- Anonymity means that either the project does not collect identifying information from individual subjects (name, address, email address, etc.) or the project cannot link individual responses with subjects' identities.
- Confidentiality means that only the investigator(s) or individuals collecting/analyzing data can identify the responses of individual subjects. However, the researchers must make every effort to prevent anyone outside of the project from connecting individual subjects with their responses.
- Data transmitted via email cannot be anonymous without employing additional steps.
- Data transmitted over the Internet can be anonymous only if software is used to store the information directly in a database without identifiers; otherwise, identifiers are attached to the data. Web servers automatically already store information about visitors to a website and that information can be accessed by others.
Public versus Private Space
A fundamental question is whether the Internet should be considered a public or private space. While there are no regulations for determining this, here are some guidelines:
- Normal public conventions should apply in the absence of information that indicates otherwise.
- When quoting comments from a public space, it may be appropriate to mask or hide the identity of the individual when negative consequences to the subject could reasonably arise from disclosure. Key considerations for hiding the identity of a subject include:
- Sensitivity of the topic
- Inclusion of abusive or offensive language
- Discussion of anything unlawful, embarrassing, or likely to negatively affect career opportunities
- Inclusion of personally identifiable information about the subject or others (except when it is about a well-known person in the public domain and it is not libelous)
- A private space is available only to other registered members in a location where users would expect their comments to be private. Although the process for gaining access may be nearly instantaneous, these spaces can be accessed and viewed only after the user has created a login and/or password designed to restrict all forms of access. Examples include many private forums, communities, and chatrooms, instant messaging systems, and forums/groups where an administrator or moderator controls admission and where content cannot be accessed or viewed by the general public.
- Because private spaces can be legitimately accessed only with a username and password granted and/or controlled by an administrator or moderator, researchers should obtain affirmative opt-in from subjects before using their content to conduct research.
- Researchers should also include reference to their role in interactions with members of the private space, so that existing and new members are never in doubt about the identity/role of the persons to whom they are talking.
- Researchers should observe great sensitivity when interacting with people in private spaces. As a general rule, they should not copy or collect content within private spaces, even if they have permission of the site owner, unless subjects are fully informed and have opted in to the process.
- If a researcher wishes to collect content in these environments, there should be total transparency, and the researcher should provide members with a process by which they may be excluded from such data collection.
- In a private space, researchers should seek explicit permission from subjects to quote their comments.
Web-based data collection methods can range from the use of existing data and observations to interventions and survey/interview procedures, and each require specific considerations.
Research utilizing data that are both existing and public is not considered human subjects research and does not require IRB review. Data accessible only through special permission are generally not considered public. However, if steps are required to access data (e.g., registration/login, payment, etc.) but access is not restricted beyond these steps (e.g., anyone who creates a username and password can access the data), the data may qualify as publicly available. When determining whether data are public, the investigator must decide if there exists an expectation of privacy. If it is determined that the data were not intended for public use, even if the data are technically available to the public, the data should be considered private. Researchers accessing data that are identifiable or that when combined could readily be identifiable must obtain IRB review and approval.
When online research procedures are employed, the investigator must be sensitive to the definition of public behavior. Despite navigating in a public space, an individual may have an expectation of privacy, and investigators must be sensitive to that expectation. For example, an investigator wishes to collect data from discussions posted in an online community support group for substance abusers. The online community is technically public, in that anyone can view the discussions and join the group, but some group participants are there to provide personal experiences and support regarding substance abuse and may believe that all discussions and personally identifiable information will remain private.
It is important that participants in a chatroom are able to let the researcher know if they are not comfortable with the researcher's presence there and that the researcher will respect their privacy. Because access to chatrooms can prove difficult for investigators and chatroom participants are not always eager to have a researcher in their midst, an alternative technique is for investigators to create their own chatrooms just for research purposes. Investigators can greet individuals joining the chatroom with a message informing them about the study and asking them for their informed consent. This is a good way to be sure that all participants are fully aware of the research and have consented to participate.
Survey research is one of the most common forms of web-based research. Researchers are advised to format survey instruments in a way that will allow subjects to refuse to answer specific questions. For example, the list of responses can include an option such as “Decline to answer”. In addition, subjects must always be given the option to withdraw from a study, even while in the middle of a survey.
Use of third-party online survey tools is permitted for most minimal risk studies employing online survey procedures. Investigators should review confidentiality measures and data security policies for the given online survey tool and make sure that they are described in the protocol. If security measures are not in line with what the IRB requires, use of the given survey tool may not be approved. Research subjects also need to be informed of data security measures:
- Researchers should have a familiarity with the survey software being used, the types of information being collected (e.g., IP address, email address), the options the survey software offers regarding what information to collect, the ways in which information will be stored, and how any identifying information will be de-linked from survey data.
- IU provides a number of survey tools that faculty, staff, and students can utilize for conducting online research surveys. They include:
- REDCap (REsearch Data Capture): a secure web application for building and managing online surveys and databases.
- Qualtrics: a cloud-based survey tool available for licensing through IU.
- Note: Qualtrics should not be used for surveys collecting PHI unless permission has been obtained from the relevant HIPAA Security Officer.
- For additional information, see IU's Information Security & Policy on the Use of Survey Tools.
Conducting interviews online allows researchers to gather information from respondents who would have been difficult to contact otherwise, such as those at too great a geographic distance or otherwise unable to participate in person. Interviews may be conducted online using email or chat applications. When conversing with a research subject via online chat in text only, investigators should take into account the inability to read visual and auditory cues, which can lead to possible misinterpretation of both questions and responses. Voice intonation and facial expressions are often used to convey meaning. Thus, investigators may need to ask clarifying questions in order to accurately interpret responses, and may need to provide additional information in order to be sure that subjects understand the questions. If interviews are to be audio- or video-recorded, subjects should be informed prior to agreeing to participate.
Investigators are using social media and other online forums to identify and contact potential subjects for participation in all kinds of research, from surveys to clinical trials. Because subjects self-identify on social media and other websites and choose which sites and forums to join, investigators can target subjects with specific interests, making recruitment efforts more effective and efficient. Online recruitment is conducted via many different forums and methods, including electronic flyers posted on social media sites, messages to social media groups, websites devoted to clinical trials, and even posts on blogs and discussion groups/boards. Regardless of the specific recruitment method, investigators should consider the following guidelines when using online forums for recruitment purposes.
- Recruitment materials available on the online should follow the same guidelines applicable to traditional recruitment methods.
- Recruitment is the first step in the informed consent process. As such, all materials presented to potential subjects must be reviewed and approved by the IRB.
- Recruitment materials should include investigator contact information, information about the purpose of the study, any eligibility criteria, benefits to the subject, and time commitment required for participation in the study.
- Materials should never promise free medical treatment, imply unanticipated benefits, or emphasize payment.
- Websites and recruitment materials for clinical trials and FDA-regulated research may not make claims inconsistent with approved FDA labeling, must indicate when drugs and/or devices are investigational, and may not offer post-approval discounts on drug/device costs in return for participation in the study.
Initial contact of potential subjects
- Despite the public nature of social media and the web, investigators should carefully consider ethical recruitment practices and subjects' privacy when determining how subjects will be contacted.
- Contact methods must be clearly described in IRB documentation.
- Unsolicited recruitment (“cold contact”) of individual potential subjects via social media is strongly discouraged. The IRBs would generally expect that initial contact with a potential subject be conducted by someone whom the potential subject would recognize, either because the individual has connected with or followed the study team or has otherwise agreed to be contacted, or because the recruiting individual is a part of the potential subject's care team.
- Recruitment from the researcher's own social media page or recruitment within a public group on a social media site is generally acceptable. However, researchers should not join a private social media group for the purposes of recruiting subjects into a research study.
Sharing of potential subject data
- The recruitment process logistically necessitates the sharing of data between the potential subject and the study team. During initial IRB review, investigators must describe provisions for protecting confidentiality of potential subjects and subjects. Such provisions are especially critical when recruitment is conducted online.
- Investigators should never request that potential subjects provide identifiable information via public forums, including tweeting, private messaging, posting, etc.
- Potential subjects interested in participation should be directed to contact the study team via non-public means.
- Health information should never be shared via email or social media contact methods.
Online forums may be an effective way to stay in contact with subjects after they've agreed to participate in the study. However, subjects should prospectively be informed of and consent to the possibility of electronic contact.
- The informed consent process should clearly describe any anticipated contact via social media or other electronic forum.
- Subjects should provide consent to be contacted via social media.
- If they agree, subjects should provide their Facebook profile names, Twitter handles, etc., to the study team for contact purposes.
- If contact via social media and other electronic means is anticipated, the HIPAA authorization should clearly request authorization for such contact.
- If subjects do not prospectively consent to contact via social media or other online forums, the study team may request permission to do so from the IRB by requesting a waiver of informed consent for this purpose and justifying it appropriately. Such a request should include:
- A plan for ensuring that the study team identifies the correct individuals.
- A copy of the planned contact language. Language must not imply or share potential confidential information, including protected health information.
Many websites used to recruit research subjects or conduct research procedures include terms and conditions to which members and/or visitors of the website are bound.
- Researchers should familiarize themselves with the terms and conditions of any websites they intend to recruit from or conduct research on to ensure subjects are not asked to violate a service agreement.
- Researchers should consider informing subjects that they should be aware of the terms and conditions of the website to understand what, if any, data may be used/maintained by the website itself. For example: Before you begin, please note that the data you provide may be collected and used by [survey agency/website] according to its user privacy agreement or terms of service.
- Collecting data over the Internet can increase potential risks to confidentiality because of third-party sites, the risk of third-party interception when transmitting data across a network, and the impossibility of ensuring that data is completely destroyed once the work is complete. Subjects should be informed of these potential risks in the informed consent and study information. Some examples of statements you may want to share with subjects include:
- “Although every reasonable effort has been taken, confidentiality during actual Internet communication procedures cannot be guaranteed.”
- “Your confidentiality will be kept to the degree permitted by the technology being used. No guarantees can be made regarding the interception of data sent via the Internet by any third parties.”
- “Data may exist on backups or server logs beyond the time frame of this research project.”
- Recruitment via social media or other sites may unintentionally reveal information about the subject to a third party unless ads specifically target individuals with traits already publicly disclosed.
As with research conducted in offline settings, researchers employing web-based surveys still have a responsibility to inform prospective subjects about the research and any potential risks associated with their participation.
- For most web-based surveys, it is not practical to obtain signed consent from subjects. As such, for non-exempt studies, the researcher should request from the IRB a waiver of documentation of informed consent.
- Generally, it is appropriate to simply state in the information provided to potential subjects that by completing and submitting a survey, or completing a research task, consent is implied. Other times, researchers may wish to include an “I agree” button that must be clicked before proceeding to the research procedures.
- Research conducted via a third-party site may result in the retention by the third party of data provided by subjects, and should be noted as appropriate.
- A written consent form may not be the best way to ensure that subjects are informed about the study. While still needed so that subjects can save or print a form for their own records, the consent process may involve videos, interactive forms, or other online methods that more effectively convey the needed information.
Obtaining parental consent for online research with minors will rarely be practical. Even if a researcher attempts to obtain parental consent, it is likely not verifiable.
- A waiver of parental consent will likely be needed for any online research involving children. However, depending on the nature of the research, the researcher should suggest that their potential child subjects inform their parents of the research and their involvement, as appropriate.
- Contacting adolescents for research purposes is different from contacting younger children. Adolescents are considerably more likely to already have an online presence and have much greater freedom and decision-making capacity than younger children.
- The minimum age/grade level for inclusion in online/mobile device research without parental consent is thirteen (13), in compliance with COPPA.
- Researchers should consider the possibility that a parent may discover that his/her child is taking part in a research study about which he/she was not previously notified. This could lead to increased risk for child subjects, as their confidentiality could be more at risk and they could be subject to punishment for participating without their parents' knowledge. The researcher and IU could also be put at risk.
- Researchers should note these risks and take appropriate measures to protect against them.
- Research conducted online meant to exclude children should consider including a statement in the study information that the research is intended only for individuals 18 years of age and older.
- For example: This research is intended for individuals 18 years of age or older. If you are under age 18, do not complete the survey.
As with all international research, activities and behavior that are acceptable/legal in the United States may not be in other countries.
- Researchers should carefully target their intended audience.
- Research on topics likely to be problematic (e.g., sexual behavior in Saudi Arabia, attitudes toward government censorship in China) should include information regarding any risks and plans to protect against them.
- Because the Internet reaches across borders, it can be difficult, if not impossible, to exclude individuals outside the United States from participating in research conducted online. Therefore, researchers should consider the inclusion of a statement in the study information that the research is intended for residents of the United States only. For example: This research is for residents of the United States. If you are not a U.S. resident, do not complete the survey. If researchers wish to target and/or include non-U.S. residents, or transnational subjects, they should be familiar with applicable local laws in the country(ies) where those subjects reside.
Many research projects utilize mobile applications either as a tool for collecting research data or as the object of the research. This type of research may involve the use of existing data and/or interaction with or intervention in the person's environment. Additional considerations apply to research that involves the collection of data via social media applications that are networked with mobile devices, or through installed applications on a person's mobile device to collect data.
- Researchers must explicitly inform subjects of the data they will be collecting via the mobile device, include GPS location.
- If the researchers do not plan to collect GPS location information from the subjects, they should explicitly inform subjects of this and provide instructions for deactivating the device's location services.
- If the study relies on the subject's data plan to transmit data, the researcher should advise the subject that participation could lead to increased costs, and if possible provide an estimate for data use.
- If the research involves installing a mobile application (app) on a person's smartphone or other device for the purposes of data collection:
- The researcher should describe how the app will be deactivated at the conclusion of the study, e.g. by making the deactivation part of the study's exit procedures or by providing instructions to study subjects on how to deactivate the app. Researchers should describe plans to ensure they do not continue to collect data once the study is complete, in case a subject does not effectively deactivate the app.
- If the app was created by a third party (e.g. someone other than the researcher), the researcher needs to be familiar with the terms and conditions and direct subjects to review it. The researcher should also know what information the app sends to the app developer.
- If the study involves the use of a mobile device provided by the researcher, the researcher should explain the confidentiality safeguards that are in place (e.g., how he/she will ensure the data is under the research team's control and that third parties do not have access to it), as appropriate to the study.
- Some mobile apps are regulated by the FDA as medical devices. In general, if a mobile app performs the same function as a medical device (i.e., intended for diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease), it may be subject to FDA regulations and requirements. IRB documentation should clearly describe the purpose of any mobile apps in order to assist HSO staff in determining whether FDA regulations may apply.
Mobile device studies are particularly likely to capture information about persons who are not the intended (and consented) subjects of the research (e.g. secondary subjects). Researchers should prepare themselves for this possibility and take steps to limit the amount of information gathered. Researchers should consider whether subjects should turn the device off to avoid recording information in inappropriate locations, or advise other people of their participation.
Depending on the level of sensitivity of the data being collected, consideration should be given to where the data will be stored.
- For example: the use of a third-party survey tool is likely adequate for a de-identified survey collecting innocuous data.
- Data that is not de-identified or anonymous and is more sensitive in nature, such as illegal activities, should utilize a more secure data collection and storage method.
- Researchers should consider informing subjects where their data will be stored, especially if a breach of the data could cause increased risk of harm to the subjects.
- IU provides additional resources to assist researchers in the appropriate means of data storage. See the Knowledge Base for more storage options.