Resources-url
This page is dedicated to providing legislative, regulatory, or other resources that might help scholars and ethics boards navigate their own region's specific requirements.
The AOIR ethics committee does not take any particular stance toward these regulatory frameworks. However, in our ethics guidelines documents, we stress the importance of understanding the tensions and contradictions between these more 'top down' approaches to determining ethics and more 'bottom up,' or context-specific determinations.
The European Commission and the European Parliament
European Commission, Justice, Protection of Personal Data Website: This site contains information on the planned reform of the current EU legal framework on the protection of Personal Data: http://ec.europa.eu/justice/data-protection/index_en.htm
The current Data Protection Directive is available at: European Parliament. (1995, October 24). On the protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive 95/46/EC). Retrieved from__http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm__
Another relevant Directive deals with the Retention of Personal Data, and is available at: European Parliament. (2006, March 15). On the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending (Directive 2002/58/EC, Directive 2006/24/EC). Retrieved from__http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm__
A review of the Implementation of the Data Protection Directive with respect to Medical Research and Ethics Committees is available at: Privireal: Privacy in research ethics and law. Examining the implementation of the Data Protection Directive 95/46/EC in relation to medical research and the role of ethics committees. Retrieved from: http://privireal.group.shef.ac.uk/index.php
The ‘Safe Harbor Program’
The ‘Safe Harbor Program’ was developed to bridge the differenes in approaches to privacy protection implemented in the United States and the EU. It provides U.S. organizations with a streamlined means to meet the European Union ‘adequacy’ standard for privacy protection. Information about this programme is available at: http://export.gov/safeharbor/
Ireland
The Irish Data Protection Commissioner
The European headquarters of some major Internet companies, such as Facebook and Google, are situated in Ireland. As a result, decisions made by the Irish Data Protection Commissioner impact how these companies are regulated in a European context. Information in relation to the Data Protection Commissioner is available at: http://dataprotection.ie/docs/Home/4.htm
Information in relation to its European functions are available at: http://dataprotection.ie/ViewDoc.asp?fn=%2Fdocuments%2Feuropean%2FEuropeanFunctions%2Ehtm&CatID=9&m=u
Other Relevant Irish Legislation: The Data Protection Act, 1988: http://www.irishstatutebook.ie/1988/en/act/pub/0025/index.html The Data Protection Amendment Act, 2003: http://www.irishstatutebook.ie/2003/en/act/pub/0006/index.html
Denmark
Danish Legislative and Institutional Resources
Danish Data protection Agency (Datatilsynet): http://www.datatilsynet.dk/english
Norway
Norwegian Legislative and Institutional Resources
Legislation: The Personal Data Act (2000): Act of 14 April, 2000 No. 31 relating the processing of personal data (Personal Data Act) Available at: http://www.ub.uio.no/ujur/ulovdata/lov-20000414-031-eng.pdf.
The Personal Data Regulations (2000): Regulations on the Processing of Personal Data (Personal Data Regulations) Available at: http://www.regjeringen.no/upload/kilde/aad/red/2004/0099/ddd/pdfv/214083-personal_data_processing_regulations_120504.pdf.
The Norwegian Data Protection Authority: http://www.datatilsynet.no/English/ The Norwegian Social Science Data Services (NSD): NSD is the Data Protection Official for Research in Norway. The greater part of research projects involving personal data require notification to the NSD. In some cases, they require a license from the Data Inspectorate. More information is available at: http://www.nsd.uib.no/nsd/english/pvo.html
The National Commission for Research Ethics in the Social Science and the Humanities: NESH provides the following Guidelines for Researchers: National Committee for Research Ethics in the Social Sciences and the Humanities, Norway. (2006). Guidelines for research ethics in the social sciences, law and the humanities. Retrieved from:__http://www.etikkom.no/English/NESH/guidelines/__
NESH has also provided specific guidelines for Internet research: National Committee for Research Ethics in the Sciences and the Humanities, Norway (2003). Research ethics guidelines for Internet research. Retrieved from:__http://www.etikkom.no/English/Publications/internet02/view_publikasjon__
Sweden
Canada
United States
Sample Questions and Responses based in a U.S. Regulatory Perspective
While the main AoIR ethics guidelines document stresses pluralism and a commitment to your disciplinary standards, methods and ethics, common questions arise. Many of these have been addressed on the AoIR mailing list, and from there, we see great variation in perspectives. However, when working with your ethics board, or when considering a starting point in human subjects research, these basic issues have some consensus. Within the research process, as described above, there are a series of decisions that must be made in regards to ethics and methods. In general, we accept the process-based model and encourage each researcher to evaluate the nuances and specificity of each case and each decision point.
As researchers, we also mediate our extant laws, regulations, and policies. We accept that ethics itself is pragmatic and to a great degree, regulated. Even law, regulations, and policies are subjected to interpretation and exceptions. We recognize the inherent dialectical tensions among contextual variables, ethical principles, and specific regulations or legal constraints and emphasize there are exceptions to “rules” all the time. Variation in research policy is significant across the world. We have compiled these commonly asked questions and provided a response that is predominantly based in the US framework and is intended to provide assistance when researchers are working with research ethics boards.
We encourage researchers to review the FAQ from other governmental sources, as these can be quite comprehensive and helpful, even in situations that seem unrelated to the purpose of the agency; for example, the National Science Foundation’s FAQ provides helpful guidance around US regulations and social and behavioral research (http://www.nsf.gov/bfa/dias/policy/hsfaqs.jsp)
Do I have an Ethics Board?
Not every country has a research ethics board, and some countries have boards that primarily deal only with medical/biomedical research. A complete listing of the international codes is found here:
http://www.hhs.gov/ohrp/international/intlcompilation/intlcompilation.html
When do I need to get ethics board review permission?
First, consider if you are conducting "research" as defined by the regulatory bodies of your country. In the US, "Research" as defined by the Department of Health and Human Services (__DHHS__), is a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
Second, in most countries, when conducting research that involves human subjects, ethics board "review" is required. In the US, you are conducting human subjects research if you are engaging in any of the following:
Intervention as defined by DHHS regulations means both physical procedures by which data are gathered (for example, venipuncture) and manipulations of the subject or the subject's environment that are performed for research purposes. [45 CFR 46.102(f)]
Interaction as defined by DHHS regulations means communication or interpersonal contact between investigator and subject. [45 CFR 46.102(f)]
Private information as defined by DHHS regulations means information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). [45 CFR 46.102(f)
Identifiable information as defined by DHHS means information that is individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information).
But, there are many activities have been "exempted" or "expedited" from review, such as survey research, oral history, classroom activities, and others. Just as in onground research, there is interpretation and evaluation in all internet research review.
Do I need to get informed consent?
Many researchers are unclear about whether they need to get informed consent from their participants:
There is no such thing as "passive consent" under the US regulations. You can get a waiver of consent or a waiver of documentation of consent, if you meet certain criteria. These are described in full detail at http://answers.hhs.gov/ohrp/categories/1566
In Internet research, multiple jurisdictions are often involved, so your consent process may be dictated by other legal or regulatory considerations, such as age of majority.
With online surveys, typically, a check box or completion of the survey is validating consent. In online or virtual spaces, such as MMORPGs or Second Life, researchers may post an information sheet to the guild or island home.
When documentation of consent is required , you may want to use electronic signatures to avoid having to mail consent forms to participants. Electronic signatures have different legal standing depending on jurisdiction; check with your research office.
How do I handle pseudynomity?
Discussions on the AoIR mailing list have included questions about options for consent and pseudonyms of participants on listservs: Some suggestions include:
consent to having their nickname and communicative text used for data analysis only (no publication of name or text); consent to having either their nickname or text published in an academic work, but never together (i.e., no identifiers); consent to having either their nickname or text published in an academic work, but never together (i.e., no identifiers) and providing they get to see the ‘write up’ prior to publication; consent to having both their nickname and text published in academic work, thereby being credited as the authors of their own words; or consent to having both their nickname and text published in academic work, thereby being credited as the authors of their own words, providing they get to see the ‘write up’ prior to publication (Lawson, 2004, p. 93).
I research minors and their online behaviors. Do I need to get their parents consent?
In the US, there are certain conditions under which a waiver of parental consent can be sought. These are described at http://answers.hhs.gov/ohrp/questions/7268
I am a member of an online support group. I have decided I'd like to research this group in addition to being a member. Do I have to seek their permission or get IRB review?
You know your community best. Consider if there are their any guidelines or member responsibilities that address use of the content by researchers. Some lists, like the AoIR list, state specifically:
Keep in mind that anything you send to air-l automatically goes to all subscribers – please keep posts on-topic for the list. Also remember when posting to the list that air-l is a public forum and that your words will be available to everyone subscribed to the list and placed in a public archive. Messages sent via email can easily be reproduced and circulated beyond their originally intended audience, and neither the list manager, the association’s officers, nor the server’s host are responsible for consequences arising from list messages being re-distributed.
Also consider how you as a member would feel about the use of your content by researchers. Given the searchability of text, you may be exposing your members' words in your research.
I am not a member of a closed, member-only forum but would like to study it. How do I enter the space as a researcher?
Depending on what methods you are using, you may want to approach a list or forum administrator or “high-ranking” member and make initial contact, similar to the gate-keeper role. You may want this individual to post a sticky or note to a forum informing members of you and your research, and/ you may want to self-identify by having a tag entitled “researcher” on your profile, avatar, or name, depending on the type of locale.
Is a blog a human subject?
It depends. Under the current definitions of the US Code of Federal Regulations 45/46, no. This is based on the idea that most blogs are publicly accessible texts. However, the NSF notes that Common Rule defines a human subject as: "...a living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information. (__http://www.nsf.gov/bfa/dias/policy/hsfaqs.jsp#relation__ ). Defining a blog as a public object may not be the defining factor for whether or not a US regulatory body might determine that the research involves human subjects, but the extent to which a researcher is obtaining identifiable private information. If you are interviewing or engaging with the blog writer, you would want review. If you are using the blog as a public text, as in a textual analysis, your disciplinary norms would apply.
How do I get consent from members of a chat room?
Chat rooms are ideal locales where waiver of consent/documentation of consent is appropriate. It is generally impracticable to get consent due to the environment.
Are Twitter streams considered human subjects research?
It depends. Depending on the type of research and the sensitivity of the stream consent, your research may be reviewable. With Twitter and Facebook, for example, many public figures have streams that would be considered exempt: Studies of public officials or behavior observable in everyday public life is also exempt, if no identifiers are used.Be aware when researching in any social media world, that information or data not intended for use by the researcher may be available very easily. The researcher should exercise caution when in environments where other’s data or information outside the scope of the research are available.
What is an identifier?
There are many kinds of identifiers that can be collected, stored, and disseminated in the process of research. The commonly accepted forms of legally recognized identifies from the European Union and the US include:
A) Names; (B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of Census (1) the geographic units formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000; (C) All elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older; (D) Telephone numbers; (E) Fax numbers; (F) Electronic mail addresses: (G) Social security numbers; (H) Medical record numbers; (I) Health plan beneficiary numbers; (J) Account numbers; (K) Certificate/license numbers; (L) Vehicle identifiers and serial numbers, including license plate numbers; (M) Device identifiers and serial numbers; (N) Web Universal Resource Locators (URLs); (O) Internet Protocol (IP) address numbers; (P) Biometric identifiers, including finger and voice prints; (Q) Full face photographic images and any comparable images; and ® any other unique identifying number, characteristic, or code, except as permitted for re-identification purposes provided certain conditions are met. (Office of Civil Rights)
What if a product changes its terms of service and releases more information than I originally told my participants?
This is a common occurrence in Internet research, as more third party applications are used. As a researcher, you have the responsibility to inform your participants if a major change will affect their privacy, reputation, or standing in some significant way. You can control for this by discussing the possibility of change in your information sheet or consent document. Address the duration and life cycle of your data in open-ended ways.
I work with big data sets, which do include identifiers. Do I have to get consent from every participant in the data set?
While the US definition as referenced above would consider research human subjects research if personally identifiable information is collected, many big data sets are exempted from IRB review and consent is not necessary. For example there are established exemptions for data shared through ICPRS, the NIH, the Census, and general consensus is that publicly available data sets stripped of identifiers fo not require IRB review. If the dataset is not public, and contains identifiers, researchers will explain how the data was obtained, under what circumstances, and specify the data points that will be evaluated, noting this research is typically exempt review for deindentified data.
Obtaining consent would also be impracticable, but, in keeping with good methods and ethics, ensure that by virtue of mining and reuse of data, individuals cannot be harmed or violated if they were reidentified.
If working with sensitive data in data sets, secure “data enclaves” that meet Safe Harbor status or comply with laws such as HIPAA in the US can be created. (Researchers may also find the UK Data Archive’s recommendations on data sets and consent: __http://www.data-archive.ac.uk/create-manage/consent-ethics__ relevant). Help · About · Blog · Pricing · Privacy · Terms · Support · Upgrade Contributions to http://aoirethics.wikispaces.com/ are licensed under a Creative Commons Attribution 3.0 License. Creative Commons Attribution 3.0 License Portions not contributed by visitors are Copyright 2013 Tangient LLC.
