This page presents principles and protocols for a research ethics that enables researchers to balance individuals’ rights, research and public interests, and the common good in the context of research on cloud-based support for disaster management as it is pursued by the SecInCoRe project. The SecInCoRe research team will be working under the general ethics orientation to Do No Harm (non-maleficence) and Do Good (beneficence).
Collecting personal data ethically
The EU Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data states that “personal data shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his [or her] physical, physiological, mental, economic, cultural or social identity”.
The definition is broad and in practice encompasses any type of data that can be related to an identifiable person, e.g. a picture, registration number of a vehicle, a medical record, membership in an organization, or an IP-address.
The EU Directive also explicitly mentions certain categories of sensitive data, viz. data concerning racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, health, sexual life and criminal activities.
According to the Directive ‘processing of personal data’ means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Research benefits from some exemptions in relation to data protection regulation based on these definitions. For example, Section 33 of the UK Data Protection Act 1998 (DPA) provides an exception to those engaged in historical or other research. But it is important to note that:
The exemption is, however, quite narrow and only affects the three data protection principles relating to the purpose for which data were obtained (the second data protection principle); the duration for which they can be kept (the fifth data protection principle); and the data subject’s access provisions (relating to a data subject’s right of access under s.7 DPA).
Section 33 does not give a blanket exemption from all the data protection principles which apply to personal data provided and/or used for research purposes. Researchers wishing to use personal data should be aware that most of the data protection principles will still apply (notably the requirement to keep data secure).
This section delineates key principles and protocols that support SecInCoRe researchers in treating research participants in a way that complies with the relevant regulations, including the relevant standards and guidelines of FP7.
Ethical standards of FP7, which reflect wider consideration on research ethics will be rigorously applied, regardless of the country in which the research is carried out. WP2 supports the project team through a range of measures, including these evolving Open Research Ethics Protocols and a Research Ethics Code of Conduct signed by all SecInCoRe members.
The SecInCoRe consortium has sought appropriate authorisation from the relevant national authorities prior to the commencement of research with human subjects. For example, Lancaster University is subject to the laws and guidelines that are relevant for this project in the UK (e.g. the Data Protection Act 1998 and the RCUK Policy and Guidelines on Governance of Good Research Conduct).
Data processing and sharing within the consortium
In each country where research has been authorized, the initial transcription, analysis and processing of data will predominantly take place in the nation where it has been gathered. The project partners will carry out collaborative analysis and act as data controllers in common for the SecInCoRe project. Partners in other countries who will participate in collaborative domain analysis, who have not yet received authorization from their relevant authorities will not be given access to personal data collected by other SecInCoRe members. They will only have access to data that has been published and – after signing the Research Ethics Code of Conduct – depersonalized data. Once partners have obtained approval for SecInCoRe research with human subjects, they may also share personal data provided by research participants based on informed consent agreements. This may, for example include video recordings of disaster re-enactments, focus group discussions, interviews or experimental implementations of prototypes.
Qualitative research and the SecInCoRe inventory and CIS
Data collected for the purpose of research in SecInCoRe will not be entered into the SecInCoRe Pan-European Inventory or Common Information Space (CIS) unless it has been previously published in other media. In other words, if data or findings from research undertaken in SecInCoRe would be useful to include in the inventory, then they must first be published (in project reports marked PU (Public) or in academic or practitioner oriented outlets) in line with the protocols outlined in this document.
Interaction with volunteers based on informed consent
The project takes an approach that is informed by domain analysis and collaborative design and, thus, seeks the voluntary participation of research participants, all of whom will be healthy adults of sound mind. All research that involves human participants requires ‘informed consent’, that is, consent “given by a competent individual who has received the necessary information; who has adequately understood the information; and who, after considering the information, has arrived at a decision without having been subjected to coercion, undue influence or inducement, or intimidation” (Source: Council for International Organizations of Medical Sciences). Research activities may include:
- Interviews – semi-structured or open conversations around questions about crisis management, collaborations with others, practices of information sharing, ethical, legal and social challenges, opportunities for ‘better’ emergency service provision.
- Participant observation – to understand the practicalities of work, involving shadowing an individual or group, or observing interaction (e.g. during an exercise). We may transcribe communications to share with colleagues and analyse in more depth.
- Co-design workshops – bringing various practitioners together with the SecInCoRe team in order to collaboratively think through current practices and future potentialities regarding the sharing of data/information before, during, and after disaster events, and how SecInCoRe can assist in designing new processes and technologies to encourage interoperability between different agencies and EU countries.
- Information resource research – collection and analysis of the information materials participants use in their work, including analysis of data sets and internal post-disaster reports with permission by the author/owner.
- Electronic note taking – we may record interviews and observations in both audio and video. Electronic note-taking can ensure richness and accuracy in observations. We may use note-taking recordings for collaborative analysis and publication.
- Video ethnography – we may record interactions between people and between people and technologies for detail and ‘replay-ability’ that is invaluable for collaborative analysis and design.
Informed consent will be sought for all research activities, normally by asking participants to read SecInCoRe’s Project Information Sheet and to sign an Informed Consent Form. In written project information sheets researchers are named and clear contact details provided. An external contact is also provided. In circumstances where informed consent cannot be documented by signing the Informed Consent Form – for example, for an ad-hoc interview during a tour of a fire station – informed consent may be documented by audio or video recording. Researchers will ensure that risks are discussed with research participants in order to secure proper informed consent.
In some situations, informed consent may be impracticable or meaningless, such as research on social media crisis informatics or during large scale training exercises with large numbers of volunteers. People in such semi-public situations cannot expect the same degree of privacy as in their own homes. The fact that research is undertaken will be publicized and contact details will be provided. Observation and recording in such spaces does not then require individual informed consent. People will be able to ask to be deleted from the research records if this is practicable. We will not seek to infringe privacy unless justified by a clear research interest or where we have obtained informed consent.
How will the collected data be used?
The information collected during the research will be used as part of ongoing collaborative research and design within the SecInCoRe Project. The collected data might be used in stakeholder workshops to which participants may be invited. Participants in such workshops may include emergency response professionals, policy makers, technology designers, psychologists and social scientists. Data will be shared between SecInCoRe project partners who have obtained the appropriate authorization. Under no circumstances will independent access to the collected personal data (e.g. audio, video) be given to people who are not partners in the project unless a separate agreement about such use has been established. Data will be analyzed, and – if used in public contexts – depersonalized. The research will be documented in reports and/or publications, which will be disseminated to a wider audience. In some cases, the reports and/or publications (including media publications) might make use of excerpts from conversations and interviews.
Anonymisation and risk assessment
All collected data will be treated confidentially in accordance with the UK Data Protection Act 1998, the European Data Protection Directive (Directive 95/46/EC 1998), Lancaster University’s Information Security Policy and Processes and Policy on Protecting and Categorising Data, and any revision to these and applicable new regulation to be issued over the course of the project. The collected personal data (e.g. notes, information resource material, video/audio recordings) will be stored securely on password protected servers and devices, and access will only be given to those responsible for analyzing the data in the project consortium, that is, project members at University of Paderborn, Technical University of Dortmund, Lancaster University, T6 ECO, Airbus, CloudSigma, BAPCO, KEMEA. Mobile devices and laptops holding identifiable data (such as recordings of participants’ voices) will be encrypted. If it cannot be encrypted, identifiable data on mobile devices will be deleted as quickly as possible.
Unless otherwise agreed with participants through their informed consent or written confirmation, the SecInCoRe team will seek to ensure the anonymity of research participants in all public accounts of the research to the best of our abilities. Research participants will also be notified that any right to privacy/confidentiality can only extend as far as permitted by UK legislation.
Anonymisation is a means of protecting the privacy of research subjects. There are some risks, because anonymisation – the process of depersonalizing data – is no easy task in today’s data rich environments. Anonymisation is difficult, not least because “[a]nonymity is interpreted differently across the EU” (EU Opinion 05/2014 on Anonymisation Techniques: 27). According to the EU Opinion 05/2014, adopted on 10 April 2014, the term ‘anonymised data’ refers to data which has been irreversibly “stripped of sufficient elements such that the data subject can no longer be identified” by either the data controller(s) or by any third party at any point in time. Even if a data set might be considered ‘anonymous’ for legal purposes, the EU Opinion 05/2014 highlights how, given rapidly shifting socio-technical environments, it can be hard to know whether ‘anonymous data’ today will be ‘anonymous data’ tomorrow. It furthermore acknowledges tensions between data subjects’ rights to privacy and their rights to access data provided, as well as tensions between anonymisation and the production of ‘useful data’ (data too abstracted can lose its usefulness). Given these difficulties, the EU Opinion 05/2014 speaks of “anonymisation techniques” assessed on a case-by-case basis instead of ‘anonymised data’, thus acknowledging anonymisation as a continual, context-specific process rather than an objective end-state.
SecInCoRe does not produce ‘anonymised data’ in the above sense, but does engage in rigorous anonymisation techniques appropriate for qualitative data and all collected data will be depersonalized before being used in any project reports or resulting publications (unless a separate agreement about this has been arranged with participants). The UK Data Archive (see: Website) highlights pseudonymisation (i.e. the replacement of personal identifiers with non-personal identifiers) and abstraction (referring to the process of de-contextualizing data to allow for greater anonymity) as anonymisation techniques appropriate for qualitative data, and SecInCoRe engages in both. Hence, SecInCoRe reports and publications will not contain any information which can directly identify a person as an individual. Participants are given the opportunity to choose their own pseudonym for the depersonalization of data, which enables them to identify their own contribution to the research in the resulting publications and reports. If they prefer not to pick their own pseudonym, we will choose one on their behalf.
In addition, a process of context sensitive risk assessment is needed. For example, just removing obvious personal identifiers, such as names or social numbers, through pseudonymisation is not enough. As the UK Anonymisation Network notes:
The term ‘identifiers’ is often misunderstood to simply mean formal identifiers such as the data subject’s name, address and unique identification numbers e.g. a Social Security or National Health Service number. But, identifiers could in principle include any piece of information, or combination of pieces of information, that makes an individual unique in a dataset and as such vulnerable to re-identification. (http://ukanon.net)
Acknowledging that pseudonymisation is often not enough to protect the identities of research participants, and drawing upon the UK Information Commissioner’s code of practice ‘Anonymisation: managing data protection risk code of practice’ (2012) as well as the UK Data Archive’s advice on anonymisation of qualitative data, SecInCoRe has developed an Anonymisation Guide to be used within the consortium. This Guide aims to assist SecInCoRe members in the production of depersonalized data and, consequently, all SecInCoRe members will be asked to confirm that they have read this guide by signing SecInCoRe’s Research Ethics Code of Conduct.
Part of choosing and operationalizing an appropriate depersonalization technique includes engaging in risk assessment, where necessary on a case-by-case basis. While aiming for anonymity, SecInCoRe acknowledges that it cannot promise absolute anonymity to its research participants. Consequently, it clearly informs research participants of potential risks in the informed consent process. It also assesses the likelihood that a research subject could be re-identified and the potential for harm.
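The two techniques named above (pseudonymisation and abstraction) and the case-by-case risk assessment can be made concrete in code. The following is an added example written for this page; it is not SecInCoRe’s Anonymisation Guide or any project tool, and all participant names, roles, stations and the secret key are constructed sample values. It replaces the direct identifier (name) with either a participant-chosen pseudonym or a keyed, non-reversible code, then counts how many records share each combination of remaining quasi-identifiers, following the ukanon.net point that any combination of fields which makes a person unique in a dataset is itself an identifier. Records with a count of 1 are the ones that need the context-sensitive assessment described above; abstraction (banding years of service, coarsening location) is shown reducing but not eliminating them.

```python
"""Added example, not SecInCoRe project code: pseudonymise qualitative
research records and measure residual re-identification risk from
quasi-identifiers. All data below is constructed for illustration."""
import hashlib
import hmac
from collections import Counter

# Constructed sample of interview metadata (hypothetical participants).
RECORDS = [
    {"name": "Alice Example", "role": "watch manager", "station": "Station 1",
     "years_service": 22, "country": "UK"},
    {"name": "Bob Example", "role": "firefighter", "station": "Station 1",
     "years_service": 3, "country": "UK"},
    {"name": "Carla Example", "role": "firefighter", "station": "Station 2",
     "years_service": 5, "country": "UK"},
    {"name": "Dieter Example", "role": "firefighter", "station": "Station 2",
     "years_service": 4, "country": "DE"},
]

DIRECT_IDENTIFIERS = ("name",)
QUASI_IDENTIFIERS = ("role", "station", "years_service", "country")


def pseudonym_for(name, secret, chosen):
    """Participant-chosen pseudonym when one was given; otherwise a keyed
    HMAC code so the same person always maps to the same code, and the
    mapping cannot be reversed without the secret (held by the project,
    separately from the depersonalised data)."""
    if name in chosen:
        return chosen[name]
    tag = hmac.new(secret, name.encode("utf-8"), hashlib.sha256).hexdigest()
    return "P-" + tag[:8]


def pseudonymise(records, secret, chosen=None):
    """Pseudonymisation: drop direct identifiers, attach a pseudonym."""
    chosen = chosen or {}
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        new["pseudonym"] = pseudonym_for(rec["name"], secret, chosen)
        out.append(new)
    return out


def uniqueness_risk(records, quasi_ids):
    """Risk check: count records sharing each quasi-identifier combination.
    Returns (smallest group size, list of combinations seen only once).
    A group size of 1 means that record stands alone in the dataset."""
    counts = Counter(tuple(rec[q] for q in quasi_ids) for rec in records)
    unique = [combo for combo, n in counts.items() if n == 1]
    return min(counts.values()), unique


def abstract(rec):
    """Abstraction: coarsen fields so individuals fall into larger groups.
    Exact years of service become a band; station and country are
    generalised. Role is kept, which is what leaves a residual risk."""
    band = "under 10" if rec["years_service"] < 10 else "10 or more"
    return {**rec, "station": "fire station", "years_service": band,
            "country": "EU"}


def risk_report(records, secret, chosen=None):
    """Full pipeline: pseudonymise, then assess risk before and after
    abstraction. Returns the two (min_k, unique) results for review."""
    pseud = pseudonymise(records, secret, chosen)
    before = uniqueness_risk(pseud, QUASI_IDENTIFIERS)
    after = uniqueness_risk([abstract(r) for r in pseud], QUASI_IDENTIFIERS)
    return before, after


if __name__ == "__main__":
    secret = b"constructed-example-secret"  # placeholder, not a real key
    before, after = risk_report(RECORDS, secret, {"Alice Example": "Ash"})
    print("before abstraction: min group size", before[0],
          "unique combinations", len(before[1]))
    print("after abstraction:  min group size", after[0],
          "unique combinations", len(after[1]))
```

Run as a script, the report shows that with exact years of service every record is unique, and that after banding and generalising location three firefighters become indistinguishable while the single watch manager still stands alone. That remaining record is exactly the case the protocol above routes to a case-by-case assessment: either the role is abstracted further, or the participant is told the residual risk during informed consent.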
Freedom of Information Act
Public institutions within the consortium (e.g. University of Paderborn, Technical University Dortmund and Lancaster University) are subject to the Freedom of Information Act 2000 (FOIA), which currently stipulates that citizens and organizations have a right to access information held by them. There is an exemption from provision for information whose disclosure would prejudice the research or the interests of those involved in the research (including participants). However, data must nevertheless be provided if the public interest rests in disclosure. All participants will be made aware that if there are aspects of the information that they give that they would prefer not to be disclosed following a request for information under the FOIA, they must indicate that they provide that information with the expectation of confidentiality when they sign the Informed Consent Form. They will be further informed that SecInCoRe cannot guarantee that information will not be revealed through an FOIA request and that any right to privacy/confidentiality can only extend as far as permitted by UK legislation.
Data storage and retention
All collected personal data (e.g. notes, information resource material, video/audio recordings, interview transcripts) will be encrypted and stored securely in locked secured local storage, encrypted password protected servers, laptops or mobile devices. Excerpts may be shared through an online secure server, where access is restricted by means of username and password to project partners. At the end of the project (the project started on 1st May 2014 and ends on 31 March 2017), all collected data, including video and audio recordings, will be kept securely and accessible, controlled by the researchers at the organizations in the consortium for up to five years. Data which has been depersonalized will be kept securely for up to 15 years after the project ends. This is to allow further analysis and follow up research.
Risks and benefits
Participating in SecInCoRe research carries some small risks for participants. For example, while SecInCoRe will aim to maintain the privacy of all its research participants through techniques of depersonalization, we cannot guarantee absolute anonymity (as discussed above). Given the type of data that we collect, such as video recordings of re-enactments of past disaster response efforts (which provide an extremely rich and useful source of data), blanket depersonalization is not practical or reasonable in this project. Participants are asked to identify whether they consent to being recorded and/or whether they consent to having their person visually represented in public reports and/or publications. All participants will be made aware of risks before any research commences.
Risks may also arise in relation to the fact that our research is subject to the Freedom of Information Act. Based on information that participants give, insights into the complex ethical, legal and social challenges encountered in multi-agency emergency response may be discussed in publications and this could prompt external agencies (such as post-disaster review panels) to request the original data (e.g. a transcript of an interview) held by the researchers. Research participants will be made aware of the Freedom of Information Act in the Participant Information Sheet and asked to indicate in the Informed Consent Form whether the information they provide is given with the expectation of confidentiality. In such cases, we will depersonalise the data with extra care and delete the original related personal data as soon as possible.
While there are some small risks, the benefits of participating in the SecInCoRe project are substantial. At a personal level, participants have the ability to actively witness and shape socio-technical innovation in one of the most important areas of human life: everyday security, risk awareness, preparedness and crisis response. Participation contributes to a more informed public debate and understanding of the promises, premises and risks of advanced information technologies, including opportunities such as more efficient and collaborative crisis response through data sharing, as well as risks, such as violation of privacy and erosion of civil liberties, and challenges, such as partial automation of essentially social practices and communications.
Right to withdraw
All participants will be made aware of their right to withdraw from the study without providing any reason for their withdrawal. If the research they are participating in involves audio or video recording, they will be notified that they can ask the interviewer to stop, start or rewind the tape at any time, and that they can request that content is erased retrospectively. However, we will also advise participants that there is a time-limit for such requests. If they withdraw up to 2 weeks after their interview/participation, their data will be destroyed and not used; but after this point the data will remain in the study (in a depersonalized form).
Research will always be conducted in safe conditions. The data gathered is expected not to include distressing content (this will be reviewed by the monitor). Thus the probability of researchers being physically or emotionally adversely affected is estimated to be marginal.
Relevant authorizations, informed consent, anonymisation guide
All researchers are aware of relevant authorisations, the requirement for informed consent, and anonymisation guidelines. Copies of these are available on request.