Columbia University: Institutional Review Board Annual Educational Conference

Similar documents
Ethical Internet Research: Informed Consent Regulations and Realities

Social Media, Research, and Ethics: Challenges and Strategies

SOP 502L: INTERNET/SOCIAL MEDIA-BASED RESEARCH

3/14/2012. Disclaimer. Objectives

How To Protect Your Health Information Under Hiopaa

IRB Challenge: Research on the Internet

Purpose. Introduction to the Guidelines. Social Media Definition.

I. INTRODUCTION DEFINITIONS AND GENERAL PRINCIPLE

Considerations and Recommendations Concerning Internet Research and Human Subjects Research Regulations, with Revisions

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule

WHEN I WANT TO: I NEED TO SUBMIT: {for CIRB studies, see the specific FAQ}

Instructions for Form: Application for Claim of Exemption

State University of New York at Canton Institutional Review Board. Sample Informed Consent Document

RESEARCH INVOLVING DATA AND/OR BIOLOGICAL SPECIMENS

Agenda. About Our Work and Team. Background 5/11/2015. Background Prevention Incident Response Process

Assessing Risk in Social and Behavioral Sciences

Facebook Smart Card FB _1800

Memorandum. Factual Background

Claim of Exemption Form Page 1 of 6

Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research

Communications 01: Social Media

IRB Application for Medical Records Review Request

Human Subjects Research at OSU

ACCEPTABLE USE POLICY

Social Media Charter

State Records Guideline No 18. Managing Social Media Records

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

Computer Facilities and External Networks Acceptable Use by Students

1 Appropriateness and Fit to Programme Objectives and Overall Value to the JISC community

Guidelines for University Communications and Marketing Professionals

Introduction to Social Media

Data Use and the Liquid Grids Model

CRY Code of Ethics for Virtual Volunteers,

Third Party Application Privacy Impact Assessment

Disclosure Statement: I have no industry relationships to disclose.

SAMPLE BUSINESS ASSOCIATE AGREEMENT

Human Research Protection Program University of California, San Diego ISSUES ON DNA AND INFORMED CONSENT

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

NATIONAL BOARD FOR CERTIFIED COUNSELORS (NBCC) CODE OF ETHICS

CAMBRIDGE ELEMENTARY CONSENT CHECKLIST

City of Edmonton Social Media Guidelines

Social Networking Policy

Synapse Privacy Policy

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

Guidance on IRB Continuing Review of Research

Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Privacy Committee Web 2.0/Cloud Computing Subcommittee

NYC Department of Education Social Media Guidelines

Caldwell Community College and Technical Institute

Social Media Measurement Meeting Robert Wood Johnson Foundation April 25, 2013 SOCIAL MEDIA MONITORING TOOLS

Guidance on Withdrawal of Subjects from Research: Data Retention and Other Related Issues

Covered California. Terms and Conditions of Use

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets

Research Involving Human Biological Materials: Ethical Issues and Policy Guidance Executive Summary

Policy. Social Media Acceptable Use Policy. Executive Lead. Review Date. Low

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association

ACCEPTABLE USE POLICY

SOCIAL MEDIA GUIDELINES FOR CANADIAN RED CROSS STAFF AND VOLUNTEERS

What is Covered by HIPAA at VCU?

Social Media Policy & E- Safeguarding Staff & Student Guidance

Division: Chapter: Policy:

Facebook and Social Networking Security

HIPAA Basics for Clinical Research

Using Social Media in Research: Regulatory and IRB Considerations

MCCP Online Orientation

HIPAA Privacy & Security Rules

Delivery date: 18 October 2014

Outbound and Data Loss Prevention in Today s Enterprise, 2010

2 Applicability: Effective Date: 1/15/2010 Revised: 8/13/2010, 9/10/10, 5/9/14

IGO GROUP GOVERNANCE STANDARD 4 - SOCIAL MEDIA INDEPENDENCE GROUP NL

ETHICAL ELECTRIC PRIVACY POLICY. Last Revised: December 15, 2015

Hertfordshire County Council

Provider secure web portal & Member Care Information portal Registration Form

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

IRB REVIEW OF USE OF RESEARCH REPOSITORIES

EVALUATION BRIEF Understanding the Institutional Review Board (IRB) January 2008

While we are excited about these resources, we want to make sure that you - our social media users - are aware of your rights and boundaries.

Keeping a Finger on the Pulse of Social Media in Healthcare: Understanding Evolving Roles and Risks

YU General Guidelines for Use of Social Media

Toronto School of Theology Guidelines for the Preparation and Ethics Review of Doctor of Ministry Thesis Projects Involving Human Subjects

Gaston County HIPAA Manual

SOCIAL MEDIA POLICY. Introduction

Web 2.0 Technologies and Community Building Online

Medical Research Law & Policy Report

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

The British Academy of Management. Website and Social Media Policy

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:

This form may not be modified without prior approval from the Department of Justice.

Model Policy for a Law Enforcement Agency s use of Social Networking

Social Media. A brief overview of the Social Media module

Engaging the growing Washington, DC Chapter through a dynamic online presence

University of Mississippi Medical Center Office of Integrity and Compliance

Legal Ethics in the Information Age: Unique Data Privacy Issues Faced by Law Firms. v , rev

Department of Veterans Affairs VHA HANDBOOK Washington, DC March 9, 2009 USE OF DATA AND DATA REPOSITORIES IN VHA RESEARCH

Component 4: Introduction to Information and Computer Science. Topic III: Cloud Computing. Distributed computing

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Social Media Guidelines

Social Media Guidelines

Privacy Policy and Notice of Information Practices

Hope In-Home Care CODE OF CONDUCT AND ETHICS

Transcription:

Columbia University: Institutional Review Board Annual Educational Conference Internet Research Ethics Elizabeth Buchanan, Ph.D. and Maritza Johnson Endowed Chair in Ethics Doctoral Candidate Center for Applied Ethics Columbia University University of Wisconsin-Stout Deprt. of Comp Sc (Portions of this talk are attributed to collaboration with Laura Odwazny, JD., Senior Counsel, OHRP)

Evaluating Privacy Settings

Study Format Part 1: Survey of privacy attitudes Part 2: Collect sharing intentions Part 3a: Identify potential violations Part 3b: Present potential violations

Data Collected Responses to survey questions Sharing intentions Identifiers of data items with potential violations (temporary) Responses to violations

Data Protection Study assigned identifiers Did not store the data items in question Separate database for identifying information Copied data to a local machine Secure data transmission? No.

Confounding Relationships Regulations/Regulatory Boards (Policy) System/App ideology Research Participants/Online Norms/ Self-Community Generated Ethical Frameworks Researchers/Disciplinary Practices/ Professional Ethics

The Conflicts of Research Ethics 2.0 Misunderstanding of human subjects research vis-à-vis technologies and e-research Rigid regulatory models versus research fluidity (How much wiggle room do we have) Intentionality/Context Oversharing may lead to Research Creep may lead to Mission Creep Cultural/Institutional/disciplinary difference (Anglo-American models tend to be more utilitarian-based while Scandinavian countries tend to be more deontological, as they emphasize that the rights of human subjects must never be compromised, no matter the potential benefits.)

Context and Background 1999, Frankel and Siang AAAS report 2002, AoIR Ethical Decision Making 2003, Buchanan, Readings in Virtual Research Ethics; Chen and Hall, Online Social Research Scattered literature across disciplines IRBs facing new lexicon and challenges in their charge to protect human subjects (worms, bots, agents, aggregators) A redefinition of what counts as a human subject (avatars, turks, etc) A redefinition of what counts as research (computer science, ie) Fed level interest (SACHRP meeting in July 2010, NSF, NIH funding)

Confounding Bases for Review The Same? New Problems? Ethical research is that which seeks to do no harm. The greater the vulnerability of the author/participant, the greater the obligation of the researcher to protect the author / subject. Greased, convergent nature of internet data harm may be downstream Ubiquitous nature of internet data who/what/ is vulnerable and when? Research integrity itself (good methods and ethics=good research) Communal nature of internet populations; verifiability of internet agents/subjects; reality of internet data/representation by subjects/ participants

New Review Suggestions and Questions Does the researcher understand the venue or the tool? He/she should be able to articulate a basic level of information about it in his/her protocol. Is interaction perceived as public or private by the author/participant/subjects? Does the author/participant consider personal network of connections sensitive information? How is profile, location, or other personally identifying information used or stored by researcher? If the content of a subject s communication were to become known beyond the confines of the venue being studied would harm likely result? How do terms of service agreements articulate privacy of content and/or how it is shared with 3rd parties?

New Review Questions How can researcher ensure that author/participant understands and agrees that content or interaction may be used for research purposes? Is the data easily searchable and retrievable? Is the data subject to open data laws or regulations? What third party policies impact the research? How long does the third party provider or ISP preserve the data and where? Can the researcher provide adequate information to participants concerning how the third party will protect their data? How is protection of privacy of participant/author achieved through anonymization of email content and/or header information? Regardless of terms of service, what are community or individual norms and/or expectations for privacy?

The Distance Principle as a Guiding Principle The specificity of Internet research complicates human subjects review in particular. As the distance between the researcher and subject/author/participant decreases, we are more likely to define the research scenario as one that involves humans. As the distance increases, we are more likely to define the research scenario as one that does not involve human. The definition of one's data as text versus person (or non-human subjects versus human subjects) may be based on the distance between the product of research and the person who produced it. The distance principle should be used in tandem with Sveningson s continuum.

The Distance Principle In Action Second Life interview produces data that is near the participant (little distance between researcher and respondent ) Aggregation of surfing behaviors collected by a bot (greater distance between researcher and respondent) Tweeter A (private) followed by Tweeter B (public) Tweeter B retweets A = Tweet A is now visible to Tweeter B s (any essentially any public) feed (distance implodes!)

Regulatory Exemptions 101 (b)(1): Online environments have become "normal" educational practice and as such are appropriate for exemption. Two particular issues were addressed: Is the particular intervention typical in that learning group? And, was the intervention ongoing before a researcher studied it? 101 (b)(2): This exemption does not apply to observations of minors, and thus, robust age verification measures must be taken by the researcher. This could include age verification software, proxy for age verification, or statements of age verification embedded throughout a given research instrument or venue. From the regulatory perspective, check boxes of verification may be sufficient.

Regulatory Exemptions 101 (b)(2) and 101(b)(4): Regarding online observation and exemptions for existing data, the issue of researcher "entry requirements" and "threshold of access" is significant. The OHRP standard is "what is readily ascertainable." If there are costs, restrictions, or other measures that prevent data from being "readily ascertainable, "the exemption does not apply and the data should be considered private. 101(b)(2) calls attention to identifiers. OHRP has not issued a formal statement on IP addresses as PII, however, for purposes of the HIPAA Privacy Rule, one office of HHS (the Office on Civil Rights) has opined that an IP address is considered to be a direct identifier of an individual. Other European data regulations do consider IPs as identifiers.

Regulatory Exemptions 102(f): New forms of representations, such as avatars, are considered human subjects if PII about living individuals is obtained. PII can be obtained by researchers through scraping data sources, profiles or avatars, or other pieces of data made available by the human "behind the avatar." Observation (per 101(b)(2) and 101(b) (4)) may be an acceptable exemption for intervention or interaction. 102(i): Minimal risk: Internet research presents many different possibilities for reconceptualizing minimal risk. The concepts of universal precautions, individual precautions and responsibility are key. Researchers and boards must balance presenting risks related to the specific research with risks related to the technologies in use. Sample language could be included in information sheets and consent documents, such as "There are potential risks of data loss, data manipulation, or unauthorized access by outside parties in this form of research. All appropriate precautions will be taken to ensure the security of the data."

Regulatory Exemptions Additional risks associated with online research include that there is often no direct contact with participants, so distress may not be evident to the researcher; breaches of confidentiality; failure of measures to control invalid access. 103(a): According to regulations, an institution or agency that only releases data is not "engaged" in HS research. This has implications for data management banks and repositories. There is an exception: if the institution is the direct awardee of an HHS grant for the research, the institution releasing data would be presumed engaged on that basis.

Regulatory Exemptions: IC 116 (d): Elements of informed consent: Many IRBs report waiving elements of IC for minimal risk research. This should be consistent in the Internet research setting as well. Best practices should include "knowledge checks" throughout the IC process to ensure understanding, especially in Internet research settings. In some online environments, obtaining consent is impracticable. As with onground research, if the scientific value overrides the need for IC and the criteria for waiver of consent appear to be met, the researcher should clearly justify these conditions. 117: Documentation of IC will depend on jurisdiction but OHRP policy holds that electronic signatures are valid if allowable under the pertinent law.

Best Data Management and Security Practices in a Cloudy Environment Grid and cloud research/third party apps demand: A data management plan that correlates with a tiered data security approach A plan of shared responsibility between and among the researcher, information technology departments/cios, and the IRB/HRECs. A plan for the data custodianship should be established within this model of shared responsibility. The research review board should be involved early in the development of any data management plan. A data "destruction" plan is necessary. Given the emergence of cloud storage and management, institutions must be clear on their "data hygiene. 107(a): OHRP strongly supports supplementing boards with expert consultants.

Term Definition Example Facebook A popular online social networking site, designed originally to mimic a school yearbook. http://www.facebook.com Flickr A social networking site built around sharing photographs. http://www.flickr.com Livejournal A blog hosting site that hosts both individual and community blogs. http://www.livejournal.com MMORPG An acronym for "Massively MultiPlayer Online Role Playing Game". These types of games often involve hundreds of players participating in virtual worlds. MySpace A popular social networking site. http://www.myspace.com Second Life Tumblr tweet Twitter Wordpress World of Warcraft Youtube An online virtual environment, run by LindenLabs. A blog hosting site that emphasizes the sharing of multimedia content A term for a single post on Twitter. A blogging site that limits messages to 140 characters. A blogging tool and online publishing platform. A popular massive multiplayer online role playing game centered around completing tasks within the fantasy world. A large video sharing website on the Internet, owned by Google. The "World of Warcraft" is a popular MMORPG. The Second Life homepage, which includes screenshots of the virtual environment can be found at: http:// www.secondlife.com http://www.tumblr.com An example of a "tweet" from the NASA Twitter page can be found at: http:// twitter.com/nasa/status/20146648791 http://www.twitter.com http://www.wordpress.com The World of Warcraft homepage, which includes screenshots of the virtual environment can be found at: http:// www.worldofwarcraft.com/index.xml http://www.youtube.com

API Application programming interface Facebook, Myspace, Twitter, Flickr, iphone apps

Facebook API

Best Practices? APIs Online services 23

Thank you! (Funding for this research comes from the National Science Foundation; The views and opinions represented here do not reflect the opinions of the NSF. Questions/Follow up: elizabeth@internetresearchethics.org or buchanane@uwstout.edu maritzaj@cs.columbia.edu

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information