Guidance for Reviewing Protocols that Include Online Sources or Mobile Devices

Below is guidance for IRB Members when reviewing protocols that include online sources or mobile devices.

Is Data Collected from Online Sources or Mobile Devices Publicly Available?

Blogs, twitter feeds, public websites, chat rooms, and other comparable data sources are ‘public’ in the sense that they are freely available to all web users, and ‘published’ in the sense that the data is published on the web.  In most cases uses of these sources should be classified as non-human subjects research, even when they include identifiers via videos, photos, and text.  This is by virtue of the fact that they do not include private identifiable data because the data is publicly available.   

IRB Members should take the following issues into consideration in their reviews:

  • Reviewers should ask investigators to verify that there is no language on the blog or other online source that provides guidelines on how information/comments on the site can and cannot be used.  Any such language should be used in helping to determine whether the data should be considered private identifiable human subjects data rather than public data.
  • Reviewers should take into consideration that some online data may be restricted or private – e.g., ‘belonging to,’ being invited (‘friend’ on Facebook), role play (World of Warcraft, online game involving personas/avatar).  For instance, wherever a user must register and be approved by a moderator to join a listserv, join a restricted blog or website, or become a twitter follower, the source can no longer be considered public but rather private and should be reviewed accordingly.
  • Reviewers should take into consideration whether the investigator or anyone on the study team has a previous or existing relationship with the blog/twitter author(s).  If the source is public, but the investigator or study team members have a previous or existing relationship with the author(s), the committee should request more information from the investigator regarding the nature of the relationship and may recommend that the investigator notify the author(s) that he/she is no longer just a visitor/follower but is actively collecting data from the blog/twitter feed.  This is not a regulatory requirement but an ethical recommendation that recognizes that an expectation of privacy may exist.
  • Results from data analysis should be presented in aggregate form to ensure no identifiable information on any individual is released.

Is Data Collected from Online Sources or Mobile Devices Considered 'Existing' Data?

Blogs and twitter feeds and comparable online data sources can generally be considered ‘existing’ data.  Yet they come into being at a much faster rate than other types of publications or reports, such that under some circumstances accessing these data sources might more accurately be seen as prospective data collection.  HRP staff and IRB reviewers should carefully review whether it is feasible or important to consider the collection of blog or twitter data prospective data collection and therefore to require IRB review.

In instances where the investigator proposes to ‘interact’ with others on the blog/twitter feed/etc., the data can no longer be considered existing data.  In these instances, the protocol entails prospective human-subjects data collection and must undergo IRB review.

Issues to Consider Regarding Recruitment

  • Computer or Internet-based recruitment efforts should follow the same guidelines as traditional media (i.e., letters, telephone scripts, newspaper ads, and bulletin boards) and be pre-approved by the IRB prior to use.
  • Recruitment materials should appropriately identify target participants through clearly defined eligibility requirements. Recruitment efforts may be forwarded or otherwise accessible to other individuals who are not the intended recipient.

Issues to Consider Regarding Consent

IRB members should take the following issues into consideration regarding the consent process:

  • Subjects should be provided an option to indicate their consent to participate, e.g., “Submitting the completed survey implies their consent” or “By completing the survey, you are agreeing to participate in the research.”
  • When conventional written consent is not obtained, a Cover Letter should be submitted that includes all required elements of regular consent.
  • When Obtaining Virtual Identities (Personas / Avatars):
  1. Character names are to be treated like real persons because these personas and their reputations can be traced to real individuals
  2. In some instances, consent from the avatar as proxy for real person / controller may be sufficient; however, the IRB should consider whether in other instances, consenting both the virtual persona and human controller may be more appropriate.
  • Studies using Amazon Mechanical Turk (AMT) should include the following language in the consent document: “Thank you for agreeing to participate in our research. Before you begin, please note that the data you provide may be collected and used by Amazon as per its privacy agreement.  This study contains a number of checks to make sure that participants are finishing the tasks honestly and completely. As long as you read the instructions and complete the tasks, your HIT will be approved. If you fail these checks, your HIT will be rejected.  Additionally, this research is for residents of the United States over the age of 18; if you are not a resident of the United States and/or under the age of 18, please do not complete this survey.”

Issues to Consider When Reviewing Mobile Applications (Apps)

When submitting a protocol involving mobile applications (Apps), the Lead Researcher (LR) should describe the following:

  • How the app will be deactivated at the end of the study (e.g., as part of the study’s exit procedures, or through instructions provided on how to deactivate the app).
  • The plan to ensure that data collection ceases once the study is complete.
  • The confidentiality measures in place (under the team’s control, no access by 3rd party).
  • Whether the device will be provided by the researcher.

Reviewing Online Surveys

There are many types of online surveys that the IRB may review: email, surveys developed using UCI software (e.g., EEE), or surveys utilizing a 3rd party hosting service.

  • For studies involving Mechanical Turk – The LR should make clear that the study is for research (not a job) –  It is suggested that the LR include the following language in the consent form: “This is an academic not-for-profit research study. This [Consent] form is designed to give you information about this study.  We will describe this study to you and answer any of your questions.”
  • Compensation – The IRB should ensure that the complexity of the task and time commitment are reasonable for the amount of compensation proposed.
  • The LR should address whether there are alternative means of filling out the survey (e.g., is there a pen/paper option that can be mailed via US postal service to the study team?).
  • The survey should be formatted in a way that allows participants to skip questions (e.g., including a response of ‘I choose not to answer’).
  • If completing the entire survey is a requirement of participation, participants should have the option to either choose not to participate or to stop participation at any time.
  • If the survey is to be anonymous, the LR should disclose the limitation that the study team may not be able to extract or delete their specific data should the participant choose to withdraw from the study.

Security of Data

The LR should address the following in the Protocol Narrative regarding security of data.

  • Backups are to be stored in a safe location (e.g., secure data room, environmentally controlled, limited access).
  • The LR should use competent data destruction services, and a secure web server administered by a trained person with expertise in computer and internet security, and encryption technology.
  • Address potential risks to confidentiality (i.e., risk of third party interception when transmitting data across the network and the impossibility of ensuring that data is completely destroyed once complete). For example:
  1. “Although every reasonable effort has been taken, confidentiality during actual internet communication procedures cannot be guaranteed”
  2. “Data may exist on backups or server logs beyond the timeframe of this research project”
  • Subjects should be asked to agree to “Terms of Use” for the entity administering the survey. The LR should include the following language in the consent form/study information sheet and explain the following to the subject: “The data you provide may be collected and used by [Amazon, Google Docs, etc.] as per its privacy agreement.  Note: There is no reasonable expectation that data is anonymous.”

For more about data security, visit our webpage, visit the UCI Office of Information Technology, or contact your Electronic Security Coordinator in your department.
