I sit on the Board for the Community Research Ethics Office. Our organization helps community organizations have access to support and research ethics reviews traditionally only offered to members of an academic institution. We field a number of applications each month that explain a research project to us, and we evaluate the degree of ethical considerations made by the organization/researchers and sign-off on projects that align with the requirements set out in Canada’s Tri-Council Policy Statement on Conducting Research on Human Participants.
At each of our monthly meetings, the Board dives into lively discussion on topics not often considered in the course of normal research. During our last meeting, we had a discussion concerning the use of email during the data processing phase of a project. In a review we conducted, there was mention of researchers using email to share data across geographic distances (the study was occurring in multiple cities).
When we consider email, especially at a corporate level, our intuition is that it’s reasonably safe. There are the occasional reports of data breaches, but if you use adequate security measures, your content is relatively safe.
But there is a crucial consideration that we need to make when we conduct research. In research, the most important element is the rights of the participants. If a researcher wants safeguard the participant’s interests while the participant freely participates in a research project, then a number of additional measures must play into your research system.
The participant, by agreeing to participate in a study, trusts that the researcher will not only always make research decisions that respect the participant’s wishes, but also the researcher must work to actively protect the participant’s right to safety, security and privacy to the fullest extent possible.
This is where emailing data to researchers gets complicated.
The intuitive thought is that as long as your computer terminal is secure, the data is safe – if you can prevent anyone (except maybe a super spy) from breaching your data, you have done your due diligence.
So, here is your security weak-points and your measures to guard against a breach:
- Physically accessing terminal location – lock the building/room and restrict access
- Accessing computer terminal – password protect computer terminal
- Accessing data/email on terminal – ensure login credentials are enabled and encrypt the data before sending
Yes, there’s a problem with the third bullet: email is more complicated that that.
When you send an email, you are not taking a document/letter, folding up a copy and sending the only copy via the web to the recipient. If that were the case, then email would be fairly secure. But, what happens with email instead is you end up copying the information to various sources as it gets uploaded, transmitted, copied, and downloaded over the web. There is a copy created in your computer’s cached memory, there’s a copy that get uploaded and saved to your email server, the data is transmitted to your recipient’s server, and that information is downloaded as a copy to your recipients device.
That’s right, device, not necessarily a computer. You see, a further layer of complexity is when we route mail to our mobile devices, which is yet another copy of the information. A computer is cumbersome to physically lose, but cell phones are lost/misplaced all the time. Same with external hard drives and flash drives. And don’t forget your mobile device; if you send the data on the same email platform that is accessible on an app on your phone, that information can be retrieved from your sent messages folder.
All of these points are potential security breaches. So, let’s update the list above as to the number of ways data can be compromised:
- Physically accessing your terminal location
- Accessing computer terminal
- Accessing data/email on terminal
- Your mobile device
- Email server(s)
- Recipients physical terminal location
- Recipients computer terminal
- Recipients data/email on terminal
- Recipients mobile device
There are probably other ways the data could be breached that I’m not considering in this example, but I think I’ve made my point that ethical and security issues are ridiculously complex when considering research projects. Regardless of whether you think your data, if exposed, will actually harm your participants in any meaningful way, that is missing the point entirely. Your participant’s data was important enough for your to collect in the first place, and therefore you have an obligation to protect the rights and well-being of your participant to the fullest extent that you can.
The point of our ethics reviews is not to halt research. Our purpose is to help the researchers think of all of the ways we can conduct good research and ensure that our good practices ensure we can continue to conduct research in the future. We must learn from past mistakes and the harm that has come to people who participated in research (inadvertently AND in good faith). Respecting our duty to care is the cornerstone of what it means to do good research.