Page content relevant to:

    Guidance for Computer and Internet-Based Research Involving Human Participants

    Computer- and internet-based methods of collecting, storing, utilizing, and transmitting data in research involving human participants are developing at a rapid rate.  As these new methods become more widespread in research in the social, psychological, and social sciences, they present new challenges to the protection of research participants.  The Institutional Review Board (IRB) reviews computer- and internet-based research protocols using the same considerations and standards of approval of research (45 CFR 46.111) as all other research activities.  All studies including those using computer and internet technologies must (a) ensure that the procedures fulfill the principles of voluntary participation and informed consent, (b) maintain the confidentiality of information obtained from or about human participants, and (c) adequately address possible risks to participants including psychosocial stress and related risks.

    The purpose of these guidelines is to help researchers plan, propose, and implement computer- and internet-based research protocols that provide the same level of protection of human participants as more traditional research methodologies. The guidelines are comprised of requirements and recommendations that are consistent with the basic IRB principles applied to all research involving human participants.

    Internet-based research may not be suitable for greater than minimal risk studies where the research involves data that:

    1. places participants at risk of criminal or civil liability, or
    2. could damage their financial standing, employability, insurability, reputation, or
    3. could be stigmatizing, or
    4. could result in stolen identity.

    Recruitment:

    • Computer-and internet-based procedures for advertising and recruiting potentialstudy participants (e.g., internet advertising, e-mail solicitation,banner ads) must follow the IRB guidelines for recruitment that apply to  any traditional media, such as newspapers and bulletin boards.  All advertising and recruitment material must be reviewed and approved by the IRB.
    • Investigators are advised to review the University’s  policy on Use of Official Email Lists prior to soliciting participants by email.  Contact list moderators for individual list  policies regarding solicitations.
    • Investigators are advised that authentication – that is, proper qualification and/or identification of respondents – is a major challenge in computer- and internet-based research and one that threatens the integrity of research samples and the validity of research results.  Researchers are advised to take steps to authenticate participants.  For example, investigators can provide each study participant (in person or by U.S. Postal Service mail) with a Personal Identification Number (PIN) to  be used for authentication in subsequent computer- and internet- based data collection. The PIN used must not be one that could be used by others to identify the individual (e.g. social security number, etc.)

    Data Collection:

    • It is strongly recommended that any data collected from human participants over computer networks be transmitted in encrypted format.  This helps insure that any data intercepted during transmission cannot be decoded and that individual responses cannot be traced back to an individual respondent.
    • The level of security should be appropriate to the risk.  For most research, standard security measures like encryption and secure socket layer (SSL) will suffice. However, with sensitive topics additional protections include certified digital signatures for informed consent, encryption of data transmission, technical separation of identifiers.
    • Researchers are cautioned that encryption standards vary from country to country and that there are legal restrictions regarding the export of certain encryption software outside US boundaries.
    • Internet-based survey instruments must be formatted in a way that will allow participants to skip questions if they wish or provide a response such as “I choose not to answer.”  Also, at the end of the survey, there should be two buttons: one to allow participants to discard the data and the other to submit it for inclusion in the study.  Finally, if applicable, online surveys must include mechanisms for withdrawal.  For example, if a participant decides to withdraw, there should be a mechanism for identifying the responses of a participant for the purposes of discarding those responses.
    • Websites must also comply with the University’s Electronic Privacy and Disclaimer Notice.
    • Researchers working with children online are subject to Children’s Online Privacy Protection Act (COPPA – http://www.coppa.org/) in addition to human subjects regulations.  Researchers are prohibited from collecting personal information from a child without posting notices about how the information will be used and without getting verifiable (likely written) parental permission.  For minimal risk research written permission may be obtained by via paper mail or fax.  If the research is more than minimal risk, parental permission should be obtained in a face-to-face meeting.
    • Screen out minors by checking for internet monitoring software such as SafeSurf and RSACi rating or using Adult Check systems.

    Server Administration:

    Use of SurveyMonkey.com, Psychsurveys.com and other online  survey tools is permitted for minimal risk studies that do not involve the  collection of sensitive data.  As noted  above, the IRB recommends that data be transmitted in a secure format.  Therefore, researchers who wish to use  SurveyMonkey should upgrade to a Professional account which offers SSL  encryption.  Psychsurveys offers SSL  encryption for all studies.  The level of  encryption used by the online survey tool must be described in the IRB-1 and  IRB-5.

    For more than minimal risk studies that involve the  collection of sensitive data, the IRB recommends it be housed on an UConn  server.  The server should be  administered by a professionally trained person with expertise in computer and  internet security.  Access to the server should  be limited to key project personnel.  The  server should receive frequent, regularly scheduled security audits.

    Data Storage/Disposal:

    • If a server is used for data storage, personal identifying information should be kept separate from the data, and data should be stored in encrypted format.  Use of Social Security Numbers is not permitted (see Policy on Use of the Social Security Number at the University of Connecticut).
    • It is recommended that data backups be stored in a safe location, such as a secure data room that is environmentally controlled and has limited  access.
    • It is recommended that competent data destruction services be used to ensure that no data can be recovered from obsolete electronic media.
    • Researchers must adhere to the University’s Information Security Policy Manual.

    Informed Consent Process For Internet-Based Research:

    • For  anonymous internet-based surveys, include “I agree” or “I  do not agree” buttons on the website for participants to click to  indicate their active choice of whether or not they consent to  participate.  For anonymous surveys sent to and returned by participants through email, include an information sheet with consent information and inform participants that submitting the completed survey implies their consent.
    • If the IRB determines that written consent is required, the consent form can be mailed or emailed to the participant who can then sign the form and return it via fax or postal mail.
    • Researchers conducting web-based research should be  careful not to make guarantees of confidentiality or anonymity, as the security  of online transmissions is not guaranteed.  A statement in the informed consent form  indicating the limits to confidentiality is typically required.  The following statement may be used:  “Your confidentiality will be maintained to the  degree permitted by the technology used. Specifically, no guarantees can be  made regarding the interception of data sent via the Internet by any third  parties.”

    Source material for this policy guidance was provided by the  Pennsylvania State  University and the University of Georgia IRBs.  The UConn IRB gratefully acknowledges this  support.

    In addition, the IRB would like to acknowledge the support  of Elaine David, Assistant Vice President Information Services and Director of  IT Security, Policy and Quality Assurance.

    January 2009

    Back to Researcher’s Guide