IRB Guideline X - Guidelines for Computer- and Internet-Based Research Involving Human Participants
Computer- and internet-based methods of collecting, storing, utilizing, and transmitting data in research involving human participants are developing at a rapid rate. As these new methods become more widespread in research in the social, psychological, and social sciences, they present new challenges to the protection of research participants. The Institutional Review Board (IRB) believes that computer- and internet-based research protocols must address fundamentally the same risks (e.g., violation of privacy, legal risks, psychosocial stress) and provide the same level of protection as any other types of research involving human participants. All studies including those using computer and internet technologies must (a) ensure that the procedures fulfill the principles of voluntary participation and informed consent, (b) maintain the confidentiality of information obtained from or about human participants, and (c) adequately address possible risks to participants including psychosocial stress and related risks.
At the same time, the IRB recognizes that computer- and internet-based research presents unique problems and issues involving the protection of human participants. The IRB further recognizes that computer and internet technologies are evolving rapidly, that these advances may pose new challenges to the protection of human participants in research, and that both the IRB and researchers employing new technologies must maintain their diligence in addressing new problems, issues, and risks as they arise in the coming years.
The purpose of these guidelines is to help researchers plan, propose, and implement computer- and internet-based research protocols that provide the same level of protection of human participants as more traditional research methodologies. The guidelines are comprised of requirements and recommendations that are consistent with the basic IRB principles applied to all research involving human participants.
- Computer- and internet-based procedures for advertising and recruiting potential study participants (e.g., internet advertising, e-mail solicitation, banner ads) must follow the IRB guidelines for recruitment that apply to any traditional media, such as newspapers and bulletin boards (see IRB Guideline III - Subject Recruitment and Advertising).
- Investigators are advised that University policies AD20 and AD56 prohibit unsolicited group e-mailings to faculty, staff, and students. Recruitment of research participants by unsolicited group e-mailings ("spam") is against University policy. Exceptions to these policies may be considered on a case-by-case basis.
- Investigators are advised that authentication - that is, proper qualification and/or identification of respondents - is a major challenge in computer- and internet-based research and one that threatens the integrity of research samples and the validity of research results. Researchers are advised to take steps to authenticate participants. For example, investigators can provide each study participant (in person or by U.S. Postal Service mail) with a Personal Identification Number (PIN) to be used for authentication in subsequent computer- and internet- based data collection.
- It is strongly recommended that any data collected from human participants over computer networks be transmitted in encrypted format. This helps insure that any data intercepted during transmission cannot be decoded and that individual responses cannot be traced back to an individual respondent.
- It is recommended that the highest level of data encryption be used, within the limits of availability and feasibility. This may require that the study participants be encouraged or required to use a specific type or version of browser software.
- Researchers are cautioned that encryption standards vary from country to country and that there are legal restrictions regarding the export of certain encryption software outside US boundaries.
- It is recommended that for online data collection a professionally administered survey server be used.
- If researchers choose to run a separate server for data collection and/or storage, the IRB recommends that:
- a. The server is administered by a professionally trained person with expertise in computer and internet security (see c and d below).
- b. Access to the server is limited to key project personnel.
- c. There are frequent, regularly scheduled security audits of the server.
- d. The server is subject to the periodic ISS security scan of servers within the PSU domain.
- If a server is used for data storage, personal identifying information should be kept separate from the data, and data should be stored in encrypted format.
- It is recommended that data backups be stored in a safe location, such as a secure data room that is environmentally controlled and has limited access.
- 3. It is recommended that competent data destruction services be used to ensure that no data can be recovered from obsolete electronic media.
INFORMED CONSENT PROCESS FOR INTERNET-BASED RESEARCH:
For Internet-based surveys, it is usually appropriate to use implied informed consent. Participants would still need to be presented with the consent information, but would be informed that their consent is implied by submitting the completed survey. Please see the following sites for implied informed consent templates:
- Exempt Studies: Guidelines, Templates and Sample Consent Forms
- Expedited & Full Review Studies: Guidelines, Templates and Sample Consent Forms
- Internet-based surveys can include "I agree" or "I do not agree" buttons on the website for participants to click their choice of whether or not they consent to participate.
- If the IRB determines that some sort of documented consent is required, the consent form can be mailed or emailed to the participant who can then sign the form and return it via fax or postal mail.
- Researchers conducting web-based research should be careful not to make guarantees of confidentiality or anonymity, as the security of online transmissions is in question. A statement in the informed consent form indicating the limits to confidentiality is typically required. The following statement may be used: "Your confidentiality will be maintained to the degree permitted by the technology used. Specifically, no guarantees can be made regarding the interception of data sent via the Internet by any third parties."
The Office for Research Protections
The 330 Building, Suite 205
University Park, PA 16802
Telephone: (814) 865-1775
Fax: (814) 863-8699
Security Operations and Services
Information Technology Services
Approved: Social Science IRB: February 15, 2007; Biomedical IRB: February 15, 2007