Qualtrics and the EU ruling on data protection: Should you be worried?

If you have a research grant or are busily putting together an application for funding, you may have been asked to outline a data management plan describing how you intend to keep the personal data you collect from your participants safe and secure. You might have mentioned the Safe Harbour Agreement in your plan. This important agreement allows the transfer of data gathered in the European Union to servers in the US where it is covered by the same protection laws that apply here in the UK and elsewhere in Europe. This agreement is especially important for organisations such as Google and Facebook as without it neither would be able to operate legally in the EU.

However, in October 2015, the European Court of Justice (EUCJ) ruled that the Safe Harbour Agreement did not provide adequate protection for the personal data of European citizens and that the agreement was no longer valid. This should have been a wake-up call to any psychologist conducting research online to think carefully about the type of data they collect, where it is stored and whether they are unwittingly breaking any laws on data protection. If participants were reassured that their data would be properly safeguarded, then, following this EUCJ ruling, the researcher may now be acting outside the BPS guidelines on human research ethics.

So, how does the EUCJ ruling affect online studies carried out using, for example, Qualtrics or Inquisit or even Sona Systems? Well, if the data collected using any of these experimental platforms is transferred from the participant’s PC to a server in the US, researchers could be in breach of EU data protection law.

Is Qualtrics affected by this ruling? Yes, it is. But after some research, the picture is not quite as grim or restrictive as it may first appear. In its online security statement, Qualtrics explains that data processed in a particular location is also stored in that location. This is actually what they say:

Customer data are stored in a specific location; data does not float around in the “cloud.” In addition, all data are processed in that location, and are not moved to another jurisdictional area. In other words, if data are collected in the U.S., all data are processed in the U.S.

This does not explicitly address the Safe Harbour issue but further delving suggests that data from European clients is held at a data centre in Ireland opened early in 2015. So, as far as Qualtrics is concerned, it looks as though operationally it meets EU requirements for data protection. Well, it does as long as researchers do not collaborate with colleagues outside of Europe in a way that involves a transfer of personal data. This may happen in a number of ways. Qualtrics gives as an example:

One scenario of cross-border data transfer is when a Qualtrics customer, whose region is the U.S., receives data from an E.U. user. The data are transferred from the user’s browser, over a secure connection, to a data center in the U.S. If the data include Personal Information (as defined by E.U. privacy directives), then a transfer of personal data has occurred.

So, we do have to be careful—even with the data we collect in Qualtrics—if we intend to share personal information with international colleagues. But what of all the other online platforms used to gather data from participants? Well, you should find out where that data is stored—ideally, on servers in the UK or Europe—and satisfy yourself that the organisation adheres to a well-developed security and privacy statement.

All of this should remind us that as researchers we are responsible for the safekeeping of data we collect, throughout its lifetime, and that any management plan must comply with prevailing laws on data protection and be sufficiently adaptable to accommodate changes in legislation.

