by Dr. Jessica Santos, Global Head of Compliance and Quality, DPO, Cerner Enviza, Surrey, United Kingdom, Jessica.santos@cernerenviza.com
As qualitative consultants, we have recently needed to add another tool to our toolbox—an understanding of data privacy. It is now necessary to navigate and practice amidst complex global privacy and compliance rules. Because we are the ones who have direct contact with data subjects, we are responsible for providing the necessary documentation, putting all checks in place, and executing our research according to complex and often-changing rules.
With data breaches, cyberattacks, illegal disclosures, record-breaking fines, and an increasing number of class action lawsuits, the stakes can be high if something goes wrong. How can qualitative experts navigate this environment successfully? This article provides some practical suggestions to help quallies better understand and navigate the complexities. (Please note this is not a complete list, nor legal advice. Please check the jurisdictions involved in your research areas.)
Know Your Research Jurisdictions
Given that many qualitative research projects involve multiple parties residing in different jurisdictions, navigating applicable laws can be challenging. For example, a study sponsor in Japan collaborates with a life sciences company in Germany; the life sciences company hires a researcher living in Boston to interview study participants in California and Kansas—and study observers will join from the U.K. and Canada. While this may sound like a far-fetched example, it can happen!
Typically, there are qualifiers that include:
- Geographic location of the commissioning company: As an example, if a company is registered in Japan, the company needs to follow APPI. (See the table below for a list of key privacy laws by jurisdictions.) Typically, legal obligations are passed down to subcontractors. This means that when we sign a project contract commissioned by a Japan-based end sponsor, the contract will state we need to be in compliance with APPI. This holds true even when we don’t know the end client, and it is a nonnegotiable part of the contractual obligation.
- Use of equipment: While more clarity is needed, use of equipment includes computers, recording equipment, servers, the cloud, and remote access. For example, if a project requires the interview recording be sent to Germany, GDPR will need to be followed.
- Geographic location of study participants: Study participants can and should claim their protected rights given by their geolocation. In practice, when we recruit participants living in California, we adhere to the CCPA.
What Is Personal Data/Information?
Different laws have slightly different definitions of personal information, personal data, or personal identifiable information.
Under GDPR, personal data means any information which is related to an identified or identifiable natural person (data subjects). Please note that information can be personal data even if you do not know the individual’s name, email address, phone number, or other “obvious” identifiers. E.U. personal data refers to personal data originating, controlled, or processed in the E.U. Such data can now include online identifiers such as cookies or IP addresses, as well as identification numbers assigned to a data set.
According to the CCPA, personal information is defined as: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular consumer or household.
For qualitative researchers, personal information includes name, telephone number, and email address. It’s also likely that the video or audio files we record, process, and store are considered personal information and should be treated accordingly.
What Are Some Best Practices for Processing Personal Data/Information?
The most frequently used legal basis for qualitative researchers is consent. Some may suggest using other legal bases (e.g., legitimate interest or public interest), but because qualitative researchers have a direct relationship with the data subject (participant), consent is the preferred method for most privacy matters. If you have a direct relationship with the participant and can easily present terms for review and acceptance, consent is the preferred pathway. Typically, there is no excuse for skipping consent if you have a direct interaction with the participant. However, in doing so, we must ensure that we can comply with the “Rights of Individuals” under GDPR (other legislations such as CCPA all have similar requirements).
- Right of access: “What do you know about me?”
- Right to erasure/right to be forgotten: “Remove me from your database.”
- Right to rectification: “Amend/correct my details.”
- Right to restrict data processing: e.g., “Stop filming me.”
- Right to withdrawal of consent: “I don’t want to complete this survey.”
- Right of data portability: “Move my personal data to your competitor X” (very unlikely).
- Right to reject automated profiling: This is a rather new concept. Profiling refers to automated processing that is used to evaluate personal aspects of an individual (e.g., refusing a loan or insurance based on automated algorithm).
What Does Consent Cover? Who Is Responsible for Obtaining Consent?
Most qualitative researchers are familiar with consent, but requirements continue to evolve. Consent must be freely given, and it must be specific, informed, and unambiguous. To obtain freely given consent, the participant must give it on a voluntary basis. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence that could affect the outcome of that choice renders the consent invalid. Here is an example list (taken from the Information Commissioner’s Office in the U.K.)1 of how to execute consent management.
When asking for consent:
- Ask people to positively opt in.
- Don’t use pre-ticked boxes or any other type of default consent.
- Use clear, plain language that is easy to understand.
- Specify why the data is wanted and how it will be used.
- Give separate, distinct (“granular”) options to consent for different purposes. For example, “I agree my data will be used for research purposes,” and “I agree my name and email will be used to contact me later for marketing by the sponsor.”
- Name the organization and any third-party controllers who will rely on the consent.
- Tell data subjects they can withdraw their consent.
- Reinforce that data subjects can refuse to consent without detriment.
- Avoid making consent a precondition of a service.
- If online services are offered directly to children, only seek consent if age-verification measures (and parental-consent measures for younger children) are in place.
- If the interview is recorded or being observed, say it clearly.
Recording consent:
- Keep a record of when and how consent was received from the individual. Remember that without evidence, consent can’t be approved. This can be digital, recorded verbally, or on paper.
- Keep a record of exactly what they were told at the time.
Managing consent:
- Regularly review consent records to check that the relationship, processing, and purposes have not changed.
- Have processes in place to refresh consent at appropriate intervals, including any parental consents.
- Consider using privacy dashboards or other preference-management tools as a matter of good practice.
- Make it easy for individuals to withdraw their consent at any time and publicize how to do so.
- Act on withdrawals of consent as soon as possible.
- Don’t penalize individuals who wish to withdraw consent.
There are often multiple parties involved in a qualitative study, including moderators, recruiters, research agencies, observers, sponsors, facilities, software providers, and others. There is no specific requirement regarding which party is responsible for drafting, obtaining, and retaining consent; however, because qualitative researchers have the closest relationship with study participants, it typically is the responsibility of the researcher. But do not assume this is the case; it is important to check with the other parties to ensure that there is a consent plan and owner in place.
What Is Sponsor Disclosure versus Double Blind?
Most qualitative research is done in a “double blind” format. To avoid bias and distraction, most sponsors wish to remain unknown to participants, which can put qualitative researchers in a difficult position. Again, different legislations have different obligations for disclosure. CCPA, for example, requires disclosure at the category level,2 which typically means disclosure includes referring to the sponsor as, for example, “a big… retailer.”
Yet GDPR demands that the data controller is disclosed to the data subject. The data controller is a legal or natural person, an agency, a public authority, or any other body that, alone or when joined with others, determines the purposes for any personal data and the means of processing it. This has sparked a lengthy debate in the research industry regarding who is the data controller, data processor, or joint data controller.
One common approach is to disclose the sponsor’s name at the end of the interview. This helps satisfy the GDPR requirement while avoiding bias as part of the research design. If a study requires sponsor anonymity, then compliance and privacy officers need to work collaboratively to find a risk-based approach and solution on a case-by-case basis. Some industry guidelines on this topic may be found on the websites of EphMRA3 and BHBIA.4
What Is a Privacy Policy versus Privacy Notice? Is It Necessary?
Privacy notices to inform external parties (including study participants, clients, vendors, and regulators) are a legal obligation for businesses in many countries. A privacy notice refers to an external statement provided to consumers letting them know how a business is using their data. A privacy policy is an internal statement used by companies to define guidelines on the handling of the personal data.5 It is possible to use an internal privacy policy for external notice purposes, or the external privacy notice is identical to the internal policy.
A privacy notice should, at the least, include the following:
- Company name, entity name, and brand
- Information collection details: types of personal data that your site/app/company collects and how it is collected
- Use of information: how and why you plan to use the information
- Third-party disclosure information
- Information protection: Reassure users that the personal information stored is secure. While exactly how the data are secured does not need to be included, make it clear that steps are taken to protect the data and protocols for security are in place.
- Rights of users
- Cookies
- Notification of changes
- Contact information
If a qualitative researcher acts as an independent freelancer without a website or registered company, it is still recommended that they draft an internal privacy policy as it is very useful when negotiating with the clients about data retention, information processing terms, etc. For the majority of researchers needing a privacy notice, the best examples to start with are industry peers (as all privacy notices should be in the public domain) or use an online tool6 to help draft it.7
International Data Transfer
Because many studies involve stakeholders in multiple jurisdictions where different rules apply, international data transfer is inevitable. A few examples researchers experience regularly include: collaborating with an observer from another country; interviewing a study participant not based where you live; or transferring audio/video files to another jurisdiction. Most countries have some level of international data transfer restrictions that depend on the type of data, recipient countries, and nature of the data transfer.
The most notable one is from the E.U. to the U.S. GDPR restricts transferring personal data from Europe to countries that do not ensure an “adequate” level of legal data protection.8 The U.S. is determined as inadequate by the European Commission because the U.S. does not have a “comprehensive data protection law” nor a regulator.
To facilitate transfer from the E.U. to the U.S., researchers can employ the following steps:
- Minimize data (limit the amount of the data transfer or don’t transfer)
- Anonymize data (an aggregated report is less risky than an original unmasked video file)
- Set up Standard Contractual Clauses (SCC)9 or other transfer mechanism
Final Thoughts
Further changes to the privacy landscape will continue to gain speed around the world, and it is likely that more privacy legislation and bills will be passed in 2022. As qualitative consultants, trust is paramount for our practices. We must demonstrate trust and care of people and their data. One of the first steps to gaining trust with study participants is sharing with them how their data are protected and ethically used for good science. This can help study participants feel comfortable sharing their most personal stories and experiences.
As our industry and stakeholders navigate the complex and evolving world of privacy, working collaboratively and intentionally to guard people’s basic rights will help build trust and help qualitative researchers deliver on their passion for making a positive difference through their work.
Sources:
- https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent
- https://oag.ca.gov/privacy/ccpa
- www.ephmra.org/media/5186/4-ephmra-code-2021-final-21921.pdf
- www.bhbia.org.uk/guidelines-and-legislation/legal-and-ethical-guidelines
- https://simpleprivacynotice.com/2018/06/13/differences-in-a-privacy-notice-vs-privacy-policy
- www.freeprivacypolicy.com/blog/write-privacy-policy
- https://simpleprivacynotice.com/2-2
- https://gdpr-info.eu/issues/third-countries
- https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
Table of Key Privacy Legislation/Guidelines and Regions
Legislations Country/Region
APPI (Act on the Protection of Personal Information) Japan
GDPR (General Data Protection Regulation) E.U. (European Union)
CCPA (California Consumer Privacy Act) California
CPRA (California Privacy Rights Act) California
U.K. Data Protection Act U.K.
Industry Guidelines
Insights Association U.S.
BHBIA (British Healthcare Business Intelligence Association) U.K.
EphMRA (The European Pharmaceutical Market Research Association) International
Do You Like This Topic?
You may be interested in a certificate program presented by Lisa Horwich, Stuart Pardau, and Jessica Santos, which can be found in the QRCA Qualology Learning Hub.