Understanding user research regulations: how much do you know about participant privacy?

January 19, 2022

In user research, the protection of participants’ personally identifiable information (PII) is paramount. Globally, privacy concerns and policy are moving to center stage, and it is increasingly important to be transparent and precise about the data processing activities (e.g., collecting health information, conducting interviews, streaming and recording sessions) and the parties involved in those activities. Bold Insight consents our participants with transparency, works with our clients to identify how processing activities impact research deliverables, and de-identifies deliverables with precision. What questions should you ask your research vendors about PII?

Are we in compliance with all local (state, county, country, or global region) regulations?

Different regulations present a variety of challenges about what is required at the state, country, or even global regional level. Among these regulations is the GDPR, which is required for countries operating in the European Economic Area (EEA) or countries processing EEA citizen data. In the United States, California’s CCPA applies similar principles and provides data subjects with certain rights over their data. Other countries are beginning to follow suit and implement their own regulations. Prior to kicking off research, it’s important to work with a trusted research partner who understands and adheres to these regulations and ensure your study procedures comply to avoid costly and time-consuming privacy violations.

What study information must be disclosed to the participant prior to releasing their PII?

It is important to understand how data collection and processing activities can affect study objectives and deliverables. For example, is your study still adequately double-blinded if you receive and retain videos of sessions where participants’ faces are captured? In the EEA, personally identifiable information cannot be disclosed to any unidentified party. In other words, participants must know the name of the company conducting the research before their PII can be transferred to that company. In the US, we must provide clear notice to the participant of any data transfer to an undisclosed party containing PII. Does your consent form allow you to retain PII, including session videos that contain recordings of participants’ faces? These are things to consider when developing study protocols and defining the specifics and scope of study deliverables, as data scrubbing activities may be necessary.

How will participant privacy requirements impact time and cost of deliverables?

The GDPR is commonly recognized as the gold standard for data privacy. Bold Insight implements data handling practices using the GDPR framework, regardless of participant citizenship or country of collection. Participant consent is the first step in this process, and two key elements of consent are explicit notice and choice on the data that will be collected and how it will be used. Researchers must provide clear communication of the categories of personal data being collected and transferred to the study sponsor (or any other third party) and allow the participant to opt into each of these data processing activities. Each data processing activity may require some level of de-identification, which can impact deliverable effort and cost. Talk with your research partner to understand how privacy requirements will affect study protocol development and deliverables and how this might impact time and cost.

With evolving guidelines at so many levels, it’s important to understand the data handling practices of your research partners. An experienced partner can clearly communicate the effort and the impact to timeline, and flag any potential issues well in advance. This will help your team to successfully gain research insights while adhering to participant privacy regulations.

About the author
Andrew Zawisza is Quality Director at Bold Insight. He has 10 years of experience in the medical device industry in various roles within quality assurance and regulatory affairs. During this time, he led preparation efforts for a successful first-time FDA inspection, research efforts to support 510(k) submissions, and investigation and resolution of product and process deficiencies. At Bold Insight, Andrew is responsible for the development and maintenance of the ISO-9001 certified quality system, ensuring the continuous improvement of processes and the quality of service provided to clients.