What is considered the most effective method to protect research participants?

With the rise of global action around data privacy and protection laws, researchers need to think about how participant privacy is maintained before, during, and after a research study. While the data collected is valuable to researchers, it is even more important to the participants in a research study. It is our responsibility to make sure we do not violate research-ethics principles and we respect participant involvement every step of the way.

Why Protecting Participant Data Is Important

As data collection and dependence on the Internet have risen, so have data breaches and cyber threats. Research participants are more vulnerable than ever as researchers conduct remote usability tests, use third-party applications, or store and share data online. In 2021, according to Politico, nearly 50 million people in the U.S. faced a health-data breach. Data breaches pose huge privacy and security concerns for consumers and cost the health-care industry billions of dollars. To avoid such data losses and privacy infringements, regardless of industry, we need to develop privacy and security practices that seamlessly fit into the user-research process.

Key Terms

Data-privacy terminology isn’t always the easiest to understand. Before discussing best practices for data privacy and protection, we need to define a few terms.

  • Encryption is the process of scrambling data or converting it into code. Encrypted formats make the data unreadable to anyone who does not hold the key, which is important when transferring and sharing data online. The sender provides the key needed to read the encrypted data; it often takes the form of a password or passphrase.
  • Confidentiality vs. anonymity: These terms are often used interchangeably but understanding the difference between them is critical for protecting research participants. Confidentiality is the state of keeping information private. When data is confidential, it means that it is known and associated with a particular participant, but that information is not shared with others. In contrast, the information is anonymous if it cannot be linked back to the identity of the participant who was the source of that information.
  • Informed consent is the process through which research participants (1) are informed of what data will be collected and how it will be used and (2) agree to these terms.

6 Best Practices for Protecting Participant Data in User Research

While data-protection efforts should be considered carefully for each study, below you will find a list of foundational best practices to follow before, during, and after a study.

Before Data Collection Begins

1. Establish a data-management process.

When it comes to data, you want to be proactive. Create guidelines about how data should be collected, stored, protected, and shared with others. Then make sure you communicate these to all the members of a team. A designated editor can update the guidelines as laws or company policies change. Guidelines should include information about:

  • Consent forms and what they should include
  • Storing and sharing participant data
  • Deleting data when a study is complete
  • A plan in case there is a data breach

2. Develop a data-collection plan for preserving participants’ confidentiality.

Before collecting your data, understand the laws and regulations that require data to be confidential. Laws are dependent on where you live, but a good place to start is the European Union’s General Data Protection Regulation (GDPR), which is considered the strictest privacy and security law in the world. While laws and regulations are complex, they exist to minimize the risk of data breaches and cyber threats. Researchers need to follow the law and use it as a guiding framework when developing a data-collection plan. Your data-collection plan should include what data will be collected, how it will be used, and who it will potentially be shared with. Developing a data-collection plan around confidentiality requires researchers to ask themselves the following questions:

  • Do I need to collect this identifiable data? Will this data affect my results? As a researcher, you need to be able to justify the identifiable data you are collecting. A good way to do this is to make a list of identifiers you are collecting and describe why you need each and how it will be used. This information will be helpful for creating participant-consent forms, as well.
  • What tools should I use to collect data safely and securely? When multiple people are conducting research, you often end up with multiple tools and, as a result, multiple ways in which data is stored. Teams need to decide which tools to use before data collection, to avoid having data stored in multiple places and, thus, manage the risk associated with a data breach.

3. Informed Consent

Informed consent creates a two-way street between the researcher and the participant before the start of data collection. Researchers inform participants about what their involvement in the study entails, what data will be collected, and how it will be used. Then, participants are given the opportunity to make an informed decision about their involvement based on the information that is provided. This communication is typically presented as a consent form, which should include the following:

  • Information about the study and the activities involved
  • What data will be collected
  • How the data collected will be used
  • Steps researchers will take to secure their data

During and After Data Collection

4. Maintain participant anonymity.

Anonymity should be preserved while taking notes, while cleaning data and preparing it for storage, or while disseminating results. Qualitative researchers need to pay close attention to how they present participants’ personal details. While they may not be using names and other key identifiers, personal information can still be deduced based on individual or group traits represented in the data. With that in mind, research teams should follow these best practices:

  • Be intentional about the data they collect and ask only for information they really need from participants.
  • Do not use participant names or any other key identifiers (e.g., Social Security number, date of birth) in notes and file names.
  • In usability testing, pause the recording while participants type in usernames, passwords, addresses, or other identifying information. You can also consider using fake credentials if appropriate for the study.
  • If, in spite of precautions, a video or audio recording does include identifying information, make sure to delete that part of the recording or blur it as soon as possible.

5. Share files in a secure way with only those people who need them.

In general, researchers should control who has access to data and when they have access to it. Access should only be given to people who actually need it. Researchers should not collect and share data on cloud-storage services like Google Drive, Dropbox, and OneDrive. The challenging part about cloud storage is that you don’t have complete control over data. For example, if cloud services are down or hacked, you don’t have the control to fix the issue. While using cloud services makes it easy to share information, researchers do not have complete control over data stored in the cloud and further expose research participants to data breaches and cyber threats. Instead, researchers should consider using an external drive to store encrypted data and find more-secure ways to share data (e.g., using secure file-transfer services like Hightail).

6. Delete data that is no longer needed.

It can be tempting to hold on to data, but one of the best ways to protect data is to delete it once you are done with it. This practice reduces data-breach risks. There will also be instances where your client or participant wants data permanently removed. To make this as easy as possible, researchers should have:

  • A clear way to identify and retrieve a participant’s individual data. For example, researchers could follow a standard format for how they name data files and folders. This practice makes it easier to navigate to the appropriate folder with all the data from that participant. If you include participant data in a presentation or other deliverables, you could use tags in data files to indicate where that data point was used externally.
  • No duplications of data in multiple places
  • A consistent way of storing data so it can be found easily in the case it needs to be deleted immediately. Researchers shouldn’t be searching for places where the data files could be. They should already know where it is. Consistency helps researchers keep track of the data effectively and efficiently.

Applying Best Practices

Applying privacy and security best practices shouldn’t involve extra work. Rather, it should fit seamlessly into the 5 steps of the user-research process:

  1. Develop a research plan
  2. Recruit participants
  3. Conduct research
  4. Synthesize Data
  5. Share Data

How privacy and security best practices can be integrated into the 5-step user-research process

To heighten the value and impact of privacy and security of research participants at scale, these best practices should be implemented into existing Research Operations (ResearchOps). ResearchOps streamlines dedicated roles and efforts toward managing operational aspects associated with privacy and security. Building in these practices and finding ways to operationalize them allows researchers to spend more time conducting studies and uncovering insights at scale, in a safe and secure way.

Conclusion

Maintaining participant data privacy and security should be a priority for all researchers. As researchers continue to develop new technologies and work with more research participants to do so, following these best practices is an important place to start.

Which group protects human subjects as they are involved in research activities?

The Office for Human Research Protections (OHRP) provides leadership in the protection of the rights, welfare, and wellbeing of human subjects involved in research conducted or supported by the U.S. Department of Health and Human Services (HHS).

At what age can a researcher first seek to obtain assent from a potential child subject?

The IRB presumes that children ages 7 and older should be given an opportunity to provide assent. Generally, oral assent through the use of a script should be obtained from children 7 - 11 years of age. Written assent using a written document for the children to sign may be sought for older children.

Why is the facilitated communication method considered by many psychology professionals to be pseudoscience?

It is not backed by research.

Which of the following is the most accurate statement about health in all policies?

Health in All Policies implies that the health consequences should be considered in the making of all public policies.