Protecting Privacy in User Research

Guarding the Private Data of Research Participants

What do you think of when you hear the words, “data breach”?

Most of us have heard about data breaches at companies that failed to protect customer data, but we often forget that research participants also have personal data that requires protection.

The biggest reason to protect data collected for user research is that all companies have an ethical responsibility to protect it. In addition, a business that fails to protect that data risks losing millions of dollars in a settlement, severely damaging its brand’s reputation, and putting individuals at risk of identity fraud.

At Spatial, we work diligently to protect the private user data that falls under our care. Our clients, which include global tech companies and government agencies, trust us to protect private data because you can’t ethically conduct user research without it. 

As professionals in user research, we’ve had to become experts in data privacy as well. So, we wanted to dive into the ethics of privacy and security and explore what private user data is collected during UX research and the best practices for protecting that private information.

 

HOW PRIVACY & SECURITY IS CRITICAL TO ETHICAL HUMAN IMPACT

In the corporate world, the ethical human impact of research is far too often an afterthought. In academia, the ethics of research are at the forefront because academics have to get their research approved by ethics committees, so the human impact must be considered. However, in the tech industry, there is less regulation surrounding the ethics and human impact of emerging technology.

Take XR technology as an example. While many tech companies were studying the physical impact of AR/VR tools, few companies were studying the psychological and social impact on users. Since there is clearly a gap, we created a Human Impact Framework that puts ethics at the centre of user research and product design, raising the ethical standards. 

Another often-neglected aspect of conducting ethical research is the privacy and security of users' personal data. While one obvious requirement is that companies must protect that private information, another aspect to consider is how that information is used.

And yet, some companies neglect to take adequate steps to protect that data and use it responsibly. LinkedIn’s recent social experiment serves as a lesson for all corporations to learn from. From 2015 to 2019, they conducted an experiment to test a psychological theory called the Weaker Ties theory on over 20 million users. 

During those 5 years, LinkedIn was studying whether you were more likely to get a job from a close friend or an acquaintance (the “weaker tie” in this case). Participants were not informed of this test or invited to opt in, and the results harmed users in the control group, who were less likely to get a job.

No matter whether you’re a small research company, an independent research consultant, or a large corporate enterprise, you are obligated to carefully guard participant information, consider the impact of your research, and use it as ethically as possible. 

 

TYPES OF PRIVATE USER DATA

Private personal information of research participants includes a wide range of data that can be used to identify, contact, or locate an individual. Let’s examine the types of private data and why each needs to be protected. Here are some examples:

  • Private personal information. This includes a participant’s identifiable information such as their contact information, demographics, biometric data, behavioural data, and even financial information. All of which can be used for identity theft and other criminal activity.  
  • Corporate IP. An example of this includes data related to pre-released hardware or software. It is important to safeguard this data not only to protect any proprietary information, but also to avoid the costs associated with IP theft and recovery.  
  • Opinions & feelings. This includes participant data like political, personal, and other opinions collected during research studies. By protecting this data, researchers not only uphold ethical standards but also enhance the quality and reliability of their research. 
  • Sensitive information. This might be related to a participant's health, medical records, criminal records, genetic data, psychological assessments, disability status, and more, which can also be used nefariously in different ways.  

Ensuring the protection of this information is crucial in maintaining the trust and confidentiality of research participants, as well as adhering to legal requirements in your country.

Speaking of legal requirements in data privacy, let’s touch on 4 key principles worth knowing so you can maintain compliance while conducting research. 


GDPR & PIPEDA PRINCIPLES

In both Canada and the European Union, regulations are in place to protect individuals' privacy. You can read more about the Personal Information Protection and Electronic Documents Act (PIPEDA) and the General Data Protection Regulation (GDPR) as well. 

These are the 4 principles to know when adhering to GDPR and PIPEDA guidelines.

  • You should have informed consent for any and all data processing. 
  • You should only collect and store the information you need when you need it. 
  • You should ensure all user data is stored and processed securely (including by any third-party tools). 
  • You should give users control over their own data. 
“Our research ops practices must promote a culture of data protection, upholding the privacy of research participants and adhering to privacy frameworks to ensure we do not put personal and corporate data at risk.” - Sheila Mackenzie

 

BEST PRACTICES FOR PROTECTING DATA PRIVACY

Now that you understand the types of data and basic expectations, let’s discuss some best practices when it comes to data privacy and protecting the personal information of your participants.  

Informed Consent

In all kinds of research, consent should be voluntary, informed, and specific. For example, your company may use consent forms, verbal agreements, online checkboxes, and other methods to document your participants' consent.

Data Minimization

When conducting user research, it’s important to collect only necessary data from participants. For example, if you’re researching how users interact with a new product to improve their Out Of Box Experience, you probably don’t need to collect participants’ credit card information. It’s also important to limit your data retention. We have a short checklist that you can use at the bottom of this blog.

Anonymization & De-identification

Anonymization involves removing or modifying personal identifiers so participants cannot be directly or indirectly identified. This includes removing names, addresses, and other personal information from any materials (e.g. reports, highlight reels) that are shared with the client and project stakeholders.

De-identification goes a step further by ensuring that the data cannot be re-associated with individuals through any means, often using techniques like data masking, pseudonymization, and aggregation.

We see this happen when participants share their screens or do Zoom interviews, and they use their real names or usernames. To solve that, you can either blur their information in the footage or remind them to change it before recording.
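
An added example (not Spatial's own tooling) of the pseudonymization and masking described above, combined with the field allow-list that data minimization implies. The field names, sample record and key are constructed for illustration; in practice the key is kept in a secrets store separate from the dataset, since anyone holding it can re-link pseudonyms to known participants.

```python
import hashlib
import hmac
import re

# Assumed allow-list for a usability study: anything not listed is never shared.
ALLOWED_FIELDS = ("age_band", "task_time_s", "notes")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DEMO_KEY = b"constructed-demo-key"  # constructed; load a real key from a secrets store

# Constructed sample record as it might sit in a recruiting spreadsheet.
SAMPLE = {
    "name": "Dana Example",
    "email": "dana@example.com",
    "credit_card": "0000-0000-0000-0000",
    "age_band": "25-34",
    "task_time_s": 212,
    "notes": "Dana said setup was confusing; follow up at dana@example.com.",
}


def pseudonym(identifier, key):
    """Stable keyed pseudonym: same identifier and key give the same ID."""
    normalized = identifier.strip().lower().encode("utf-8")
    return "P-" + hmac.new(key, normalized, hashlib.sha256).hexdigest()[:12]


def mask_text(text, names):
    """Mask e-mail addresses first, then whole-word matches of the participant's names."""
    text = EMAIL_RE.sub("[email]", text)
    for name in names:
        text = re.sub(r"\b" + re.escape(name) + r"\b", "[name]", text, flags=re.IGNORECASE)
    return text


def deidentify(record, key):
    """Return a shareable copy: pseudonymous ID, allow-listed fields only, masked free text."""
    names = record.get("name", "").split()
    out = {"pid": pseudonym(record["email"], key)}
    for field in ALLOWED_FIELDS:
        if field in record:
            value = record[field]
            out[field] = mask_text(value, names) if isinstance(value, str) else value
    return out


if __name__ == "__main__":
    print(deidentify(SAMPLE, DEMO_KEY))
```

Masking only catches identifiers you already know about, so recordings and transcripts still need a manual review before sharing.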

Secure Data Handling

This involves implementing robust encryption methods to safeguard data both in transit and at rest, ensuring that unauthorized parties cannot access or interpret the information. Encryption transforms data into a secure format that can only be decrypted with the appropriate key, providing another layer of security against potential data breaches.

For Canadian businesses, another issue that comes up is that they may require both physical and digital information to stay within Canada. For example, this sometimes means a company must explicitly discuss or negotiate the storage location of collected data with a research tool vendor (e.g. Zoom) so that requirements can be met and upheld.

So if you operate with businesses outside your own borders, always ensure you’re following privacy regulations for their country.

Regular Security Audits

Regular security audits help you to identify and address vulnerabilities in the data handling process. These audits involve systematic evaluations of the security measures in place, checking for compliance with industry standards, and updating protocols to adapt to evolving threats.

In addition, you can also audit the information you’re storing in third-party tools. For example, at Spatial we always take measures to remove all private data that may have been temporarily uploaded to other platforms after a project ends.

Participant Rights

Beyond consent, confidentiality, and privacy, participants also have the right to withdraw from a study at any time without any penalty or negative consequences. They also must have access to their own data if they want it.

So, how do we adhere to these best practices within a UX research project?

For one, you can examine a typical user research project lifecycle to identify where you collect data and how that data is used so you can understand how these principles should be applied. You can read more about that in our related blog on how we protect private data of research participants.

Now, as promised, here is our closing checklist for removing data after you’ve finished conducting user research.


 

CLOSING CHECKLIST FOR USER RESEARCH

Download your own copy of our participant privacy management checklist!

 

KEY TAKEAWAYS

Remember: data privacy isn't optional—it's a requirement. When doing user research, businesses need to do much more than just obtain consent and anonymize data.

They need to understand personal data, ensure data minimization, define appropriate data retention policies, and permanently delete all identifiable information. By following these data privacy practices, UX researchers can do their work ethically while still gleaning valuable customer insights to guide business strategy.

Want to learn more about data privacy in UX research?

If you want to connect with our UX research consultants, we’re happy to help. To learn more about our research services, contact our team today and we would be happy to answer any of your questions. 
