Online Platforms in Research

Online Platforms, Social Media & Secondary Data usage

This guidance is intended for researchers who wish to use online survey platforms, online participant panel platforms and social media platforms for the purpose of participant recruitment and data collection, and/or for researchers who wish to access existing secondary data held by an external organisation. It lays out the ethical obligations specific to HREC requirements regarding written permissions and conditions for transferring and using such data in research conducted by UCD staff and students.[1]  Please note: Social media platforms must not be used to conduct surveys or gather data from participants. These platforms should only be used to advertise a research study and then direct potential participants to a project specific website which may host the survey. See Guidelines on the Recruitment of Participants for Research Studies.

Contextual Integrity

Researchers using data accessed from publicly available sources are responsible for using that data in a way that causes no harm or risk to the public or the data provider. It is also the researcher’s responsibility to ensure that user profile information should not be collected for purposes not intended.  Because the data is ‘publicly available’ does not necessarily mean that the data should, or can, be used for research purposes.

Definitions

Existing secondary data/database:  data collected by another researcher (internal or external to UCD) for a different purpose (the original purpose) to that which is intended by the researcher who wishes to access and use for their own research.

External organisation data/database:  in the context of this guideline, it means an organisation that has collected, owns or controls (data controller) the data/database which the UCD researcher wishes to access and use.

‘Safe harbour’ servers

The Committee considered the use of platforms which use ‘safe harbour’ servers located outside the EU and concluded that they do not fully comply with EU data protection law.

It is recommended that data centres and servers of chosen service providers are located and administered within the EU in full and direct compliance with EU data protection law and are GDPR compliant.

Server requirements

Researchers gathering personal or any other sensitive data via online surveys are required to use a platform which fully and directly complies with EU law and is GDPR compliant.

In instances whereby researchers seek to gather highly personal information of a sensitive nature it is very important that the Irish and EU data protection requirements are unambiguously fulfilled by the chosen service provider.

The Committee does not endorse any specific provider and the onus is on the researcher to identify a suitable tool.  It is also the responsibility of the researcher to obtain assurances from the data provider/controller regarding their GDPR compliance.[2]

Use of existing secondary personal data[3]

Although the organisation which holds and controls the data is legally responsible for ensuring its confidentiality and protection, UCD researchers are ethically responsible for respecting the right to privacy of individuals whose data they wish to use. Therefore, UCD researchers should neither accept nor store datasets which can reveal the identity of a person, unless the external organisation holding the data can provide written evidence that the person from whom the data was collected has provided their written and explicit consent for sharing their identities and other identifiable personal information with a third party for research purposes.

Furthermore, UCD Researchers should not access, use, or store data which does not comply with the current Irish and EU data protection laws and regulations, and should be aware of their corresponding legal and ethical responsibilities.

Permission to access data held by an external organisation

As part of their application, UCD researchers should supply a letter of permission from an external organisation, which should include the following:

• The name and address of the external organisation;
• The title of the research project for which data is being requested;
• Confirmation that the organisation is the data owner / controller and that sharing this data with UCD fully complies with the Irish law and EU Data Protection/GDPR;
• Confirmation that the organisation is granting access to data to a named UCD researcher (or researchers) for research purposes only;
• Confirmation that all data will be de-identified /anonymised by the external organisation before making it available to UCD researcher(s).

[1] This guideline excludes information about transfers of data from UCD to an external organisation Contact UCD Legal Office for information about data transfer.

[2] Researchers should consult with UCD IT Services for further advice about external servers.

[3] See separate HREC Guide- Personal Data Definitionsfor definitions and examples of personal data