eResearch: Ethics, Privacy & Security
The first edition of the TCPS published in 1998 had zero references to the word "internet", so you can imagine how research ethics boards and researchers struggle to review research in an ethical way without guidelines in the national ethics policy.
First Edition link:
http://www.pre.ethics.gc.ca/eng/policy-politique/tcps-eptc/To fill this void in ethics policy, many organizations came forward with guidelines for contacting ethical reserach involving humans on the internet.
Second Edition TCPS:
http://www.pre.ethics.gc.ca/eng/policy-politique/initiatives/revised-revisee/Default/After years of national consultations, the revised second edition of the TCPS will be ready for release in fall 2010. A search on the current draft found 8 references to the word "internet" and that does include words related like "chatrooms", "Cybermaterial", "encryption", "virtual settings", "digital sites", "electronic data", "mobile device" and "data security".
I will list here the new sections important to know when following the new guidelines:
Scope of Research:
http://www.pre.ethics.gc.ca/eng/policy-politique/initiatives/revised-revisee/chapter2-chapitre2/#toc02-1REB review is also not required where research uses exclusively publicly available information that may contain identifiable information, and for which there is no reasonable expectation of privacy.For example, identifiable information may be disseminated in the public domain through print or electronic publications, film, audio, or digital recordings, press accounts, official publications of private or public institutions, artistic installations, exhibitions, or literary events freely open to the public, or publications accessible in public libraries. Research that is non-intrusive, does not involve direct interaction between the researcher and individuals through the Internet medium, is not required to obtain REB review. Cyber-material such as documents, records, performances, online archival materials or published third-party interviews to which the public is given uncontrolled access on the Internet for which there is no expectation of privacy is considered to be publicly available information.
Exemption from REB review is based on the information being accessible in the public domain, and that the individuals to whom the information refers have no reasonable expectation of privacy. Information contained in publicly accessible material may, however, be subject to copyright and/or intellectual property rights protections or dissemination restrictions imposed by the legal entity controlling the information.
There are, however, publicly accessible digital sites where there is a reasonable expectation of privacy.When accessing identifiable information in publicly accessible digital sites, such as Internet chatrooms, and self-help groups with restricted membership, the privacy expectation of contributors of these sites is much higher. Researchers shall submit their proposal for REB review. (See Articles 10.3 and 10.4).
Where data linkage of different sources of publicly available information is involved, it could give rise to new forms of identifiable information that would raise issues of privacy and confidentiality when used in research, and would therefore require REB review. (See Article 5.7).
Where in doubt about the applicability of this article to their research, researchers should consult their REBs.
C. Safeguarding Information
Article 5.3 Researchers shall provide details to the REB regarding their proposed measures for safeguarding information, for the full life cycle of information – that is, its collection, use, dissemination, retention and/or disposal.
Application Researchers shall assess privacy risks and threats to the security of information for all stages of the research life cycle and implement appropriate measures to protect information. Safeguarding information helps respect the privacy of research participants and helps researchers fulfill their confidentiality obligations. In adopting measures to safeguard information, researchers should follow disciplinary standards and practices for the collection and protection of information for research purposes. Formal privacy impact assessments are required in some institutions and under legislation or policy in some jurisdictions. Security measures should take into account the nature, type and state of data (e.g. paper records or electronic data stored on a mobile device, whether information contains direct or indirect identifiers, whether data is in transit and more vulnerable to unauthorized access). Measures for safeguarding information apply both to original documents and copies of information.
Factors relevant to the REB’s assessment of the adequacy of the researchers’ proposed measures for safeguarding information include:
(a) the type of information to be collected;
(b) the purpose for which the information will be used, and purpose of any secondary use of identifiable information;
(c) limits on the use, disclosure and retention of the information;
(d) risks of re-identification of individuals;
(e) appropriate security safeguards for the full life cycle of information;
(f) any recording of observations(e.g. photographs, videos, sound recordings) in the research that may allow identification of particular participants;
(g) any anticipated uses of personal information from the research; and
(h) any anticipated linkage of data gathered in the research with other data about participants, whether those data are contained in public or personal records. (See also Section E).
In considering the adequacy of proposed measures for safeguarding information during its full life cycle, REBs should not automatically impose a requirement that researchers destroy the research data. Stored information may be useful for a variety of future purposes. Appropriate data retention periods vary depending on the research discipline, research purpose and kind of data involved. In some situations, formal data sharing with participants may occur – for example, by giving individual participants copies of a recording or transcript as a gift for personal, family or other archival use. Similarly, some funding bodies, such as the Social Sciences and Humanities Research Council and the Canadian Institutes of Health Research, have specific policies on data archiving and sharing.3 Researchers should address how the participant’s information will be handled if participants choose to withdraw from research.
In disseminating research results, researchers should not disclose direct identifiers without the consent of research participants. Researchers should take reasonable measures to ensure against inadvertent identification of individuals or groups in publications or other means of dissemination, and they must address this issue to the satisfaction of the REB.
Consideration of future uses of personal information refers not just to research, but also to other purposes, such as the future use of research materials for educational purposes.
Research data sent over the Internet may require encryption or use of special denominalization software to prevent interception by unauthorizedpersons or other risks todata security. In general, identifiable data obtained through research that is kept on a computer and connected to the Internet should be encrypted.
Article 5.4 Institutions or organizations where research data are held have a responsibility to establish appropriate institutional security safeguards.
Application In addition to the security measures researchers implement to protect data, safeguards put in place at the institutional or organizational level also provide important protection. Such data security safeguards should include physical, administrative and technical measures and should address the full life cycle of information. This includes institutional or organizational safeguards for information while it is currently in use by researchers and for any long-term retention of information.
Chapter 10 - Qualitative Research:
http://www.pre.ethics.gc.ca/eng/policy-politique/initiatives/revised-revisee/chapter10-chapitre10/#toc10-1aProportionate Approach to Review of Observational Studies
Article 10.3 Research ethics review is required for research involving observation in places where personal information is being collected. When considering research involving observation in such environments or settings where the researcher collects personal information and where individuals or groups have a reasonable presumption of privacy, REBs should apply a proportionate approach to ethics review.
Application In qualitative research, observation is used to study behaviour in a natural environment. It often takes place in living, natural and complex communities or settings; in physical environments; or in virtual settings such as the Internet. Observational studies may be undertaken in public spaces or in virtual settings where individuals might have some limited expectation of privacy or in private or controlled spaces where individuals have an expectation of privacy. The spectrum of settings where observational research typically requiring review may occur include, for example, classrooms, hospital emergency wards, private Internet chat rooms, or within members-only communities or organizations.
Observational Studies Exempt from REB Review
Article 10.4 REB review is not required for research involving the observation of people in public places where:
(a) it does not involve any intervention staged by the researcher or direct interaction with the individuals or groups;
(b) it does not involve collecting personal information that will be disseminated through photographic, film or video footage in the research results; and
(c) where individuals or groups targeted for observation have no reasonable expectation of privacy.
Application For the purpose of this Policy, data collection through observation of acts or behaviours occurring in public places intended to attract public attention are exempt from review by the REB. Research involving observation of people in public spaces where there is no presumption of privacy and where no personal information is being collected directly from the individuals – for example, political rallies, demonstrations, or other public events or settings (e.g. a free concert in a public park) – does not require REB review, since it can be expected that participants are aware of the public nature of the event or gathering. Similarly, where individuals should reasonably expect that their identities will be evident – for instance, as a result of their celebrity or public persona – research that refers to their presence does not require REB review. To determine whether Article 10.4 applies, when designing their research researchers shall pay attention to whether dissemination of research results will allow the identification of individuals in published reports. When in doubt, researchers should consult the REB prior to the conduct of the research involving observation in public places.
Some activities carried on in public places may be intended to involve a particular community of interest and may be based on a limited presumption of privacy. For example, individuals involved in religious services or practices, or chat rooms on the internet, may assume that participants and observers will accord the proceedings some degree of respect. Data collection for research purposes through observation of such acts or behaviours occurring in public places are subject to research ethics review and Article 10.3 of this Policy.