March 9, 2007
In addition to being governed by ethical standards, codes, laws, and regulations, HCI researchers may be governed by privacy protection laws and/or regulations depending on where they live and the situational context for their research. In Europe, many countries have national privacy laws that govern all use of personal data. Similar privacy laws are in place in Canada and Australia when personal data is collected for commercial or government purposes. For example, in Canada the Personal Information Protection and Electronic Documents Act (PIPEDA, 2004) governs the use of personal information for commercial purposes and the Privacy Act governs uses within the government sector. In the US, in contrast, there are no national standards but instead an ad-hoc collection of privacy laws and regulations depending on the industry. The Health Insurance Portability and Accountability Act of 1996 (HIPPA, 1996) governs the use of personal information in the health care domain, for example. Also, US commercial organizations who wish to share personal data with parties in Europe are required to voluntarily adopt the Safe Harbor principles (U.S. Department of Commerce, 2000), which are based on the OECD privacy guidelines (see below).
Thus, researchers working in commercial or government settings may be subject to national or local privacy laws. Researchers working in academic settings may or may not be so governed, however. The PIPEDA in Canada, for example, applies only to commercial activities, where “commercial” is usually interpreted by examining whether the purpose of the research is profit-related or not. With the close ties that are now common between universities and industrial partners, however, it is currently not clear how far the laws will be applied and, as of early 2006, no test cases have been brought to the Privacy Commissioner’s Office. If university researchers are working with commercial partners, and/or their research will likely lead to commercial gains or advantages, then it is likely that PIPEDA would apply.
Privacy protection is also a question of ethics. Even if an HCI researcher is not covered by privacy protection laws, they should be aware of privacy protection issues and best practices. Serious concerns about privacy protection emerged in the 1970s due to the increased use of computer technologies to process vast amounts of personal information. This concern resulted in a series of statements about privacy and “fair information practices” culminating in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data published in 1980 (Organisation for Economic Co-operation and Development, 1980). The OECD Guidelines laid out key principles for protecting human rights and harmonizing policies and legislation. The Guidelines also established some key definitions:
- data controller: a party who decides about the contents and use of personal data
- personal data: any information relating to an identified or identifiable individual
- data subject: the individual about whom the personal data concerns
The OECD Guidelines also established exclusions to privacy protection based on national sovereignty, national security, and public policy, but the guidelines indicated that such exclusion should be as minimal as possible and known to the public. Most importantly, the OECD Guidelines established a set of eight privacy protection principles, which are described in the table below.
The Principles of the OECD Privacy Guidelines.
|1. Collection Limitation||There should be limitations on the collection of data, it should only be collected in legal and fair means and, where appropriate, with the knowledge and consent of the data subject.|
|2. Data Quality||Personal data should be relevant to the purposes for which it was collected and used, and it should be accurate, complete, and up-to-date.|
|3. Purpose Specification||The purposes for which personal data is collected should be stated at the time it is collected and subsequent use should be limited to those purposes.|
|4. Use Limitation||Personal data should not be disclosed or used for purposes other than those specified unless it is with the consent of the data subject or under the authority of law.|
|5. Security Safeguards||Personal data should be protected by reasonable security safeguards against unauthorized access, use, or disclosure.|
|6. Openness||There should be openness about the practices and policies concerning personal data.
Means should be readily available to establish the existence and nature of personal data, the purpose of their use, and the identity of the data controller.
|7. Individual Participation||An individual should have the right to find out if a data controller has personal information about him or her and be able to challenge data
relating to him or her including having the data erased, corrected, completed or modified.
|8. Accountability||The data controller should be accountable for adhering to these principles.|
These OECD principles have been used as the basis for most privacy legislation and regulations including the European Data Protection Directive (95/46/EC; European Parliament, 1995), national privacy laws in European countries required by the Directive, and laws in other countries (e.g., federal and provincial privacy laws in Canada). Thus, they provide a good framework for establishing privacy best practices for HCI researchers.
Recently, privacy organizations have gone beyond statements of principles and frameworks to provide specific advice and tools. One of the most advanced activities in this area is the Privacy Diagnostic Tool (PDT; Ontario Information and Privacy Commissioner, 2001) developed by the Information and Privacy Commissioner of the Province of Ontario in Canada . The PDT is a voluntary workbook that uses a series of questions to allow organizations to examine their privacy practices and make improvements. The questions are based on the privacy principles discussed above.
Many of the questions developed for the PDT can be adapted to provide a good starting point for HCI researchers to examine and improve their privacy practices. To begin with, the PDT defines personal information as any information about an identifiable individual, including name, address, gender, age, ID numbers, income, ethnic origin, employee files, credit records, or medical records. Personal information does not necessarily have to have a name attached to it in order for it to be considered personal information. As long as there is a reasonable chance that an individual can be identified, then the information is worthy of protection. For HCI research, we add to the list of personal information demographic data, performance measurements, opinions and attitudes, behavioral observations, audio and video recordings, etc. Although most of the personal information collected by HCI researchers is not particularly sensitive, usually only involving performance scores or opinion ratings, some information might be quite sensitive and improper disclosure could lead to substantial harm to the research participants. Such sensitive personal information that might be collected during HCI research includes attitudes towards work or employers, WWW browsing habits, and histories of online transactions.
In the following section we review the significant privacy areas covered in the PDT and provide specific questions that HCI researchers can use to evaluate and improve their privacy practices.
The importance of informed consent in ethical HCI research is well known. In the context of privacy, consent is required for the collection and use of personal information during the course of a research study.
Failure to obtain consent for the collection and use of personal information is unethical, and may lead to mistrust from the research participants and refusal to participate in future studies. Failure to obtain consent may also be counter to laws or regulations and could lead to legal liabilities.
Questions to Consider:
- Do you periodically review your consent procedures and forms?
- Do you document any cases where consent was not given by a research participant?
- Have you established informed consent procedures for cases where data will be shared with collaborators?
- Do you take into account the sensitivity of the information when determining how to seek consent? (e.g., Collecting particularly sensitive information may require that explicit, written consent statements be signed and witnessed.)
Researchers should limit the collection of personal information to that which is absolutely necessary for the research being conducted.
Failure to limit the collection of personal information increases the amount of data to be processed and unnecessarily increases privacy risks. Collecting personal information that is unrelated to the stated purposes of the research could lead to mistrust by the participants.
Questions to Consider:
- Is it necessary to collect any personal information, or could the research proceed with anonymous data?
- If anonymous collection is intended, what measures are in place to ensure the anonymity of participants? (e.g., This may be especially important in online data collection where Internet traffic logs might be used to link personal data to Internet host numbers, which can often be linked to specific individuals.)
- If personal information is collected, it is restricted to data that the participant has consented to?
- Are participants given an option to restrict the collection of some personal data? (e.g., Can participants opt-out of some portions of the research?)
- Do you regularly review your collection practices to ensure that data that was collected was truly necessary?
The purpose for which personal information is collected shall be determined before it is collected.
Collecting more information than is needed could expose the researcher and data subject to unnecessary risks. Collecting unintended information could also add to the costs and complexity of the research. Failure to explain to research subjects the purposes for collecting personal information could lead to mistrust and ill-will, and may be unethical.
Questions to Consider:
- Are the reasons for collecting personal information considered by the researchers and explained to the research participants before any data collection is done?
- Are the purposes for collecting personal information reviewed and updated regularly? (e.g., Avoiding using survey questions simple because “we have always collected that information”.)
- Are steps in place to ensure that research participants understand the personal information that is collected and the intended purposes? (e.g., Ensuring that consent forms are understandable and that questions are answered fully before data collection begins.)
- Is a procedure in place to seek informed consent from research participants before any personal information is used for purposes that were not disclosed at the time of collection? (e.g., Having contact information so that participants can be reached in the future.)
Limiting Use, Disclosure, and Retention
Researchers will not use or disclose personal information for purposes other than those for which it was intended, except with the informed consent of the research participant. Personal information shall only be retained for the minimum time necessary to conduct the research, and it will then be destroyed or rendered anonymous.
Using personal information for purposes other than the original research agreed to by the participants is unethical and could lead to legal repercussions. Retaining personal information for unduly long periods increases the risk of improper use and disclosure.
Questions to Consider:
- Is personal information only used for the purposes it was collected?
- Is personal information only disclosed where it is necessary to conduct the research, and consent for this disclosure has been obtained from the participants?
- Do you have policy and technical measures in place to limit use and disclosure to the predetermined purposes?
- Have you established data retention times and methods before data are collected?
- Do you ensure that personal information is properly destroyed or rendered anonymous when the data retention time has elapsed?
- Do you have measures in place to ensure that data thought to be rendered anonymous cannot be tied to an individual now or in the future?
Personal information should be protected by security measures that are appropriate for the sensitivity of the information.
Without appropriate security measures, unauthorized people could access the personal information and possibly misuse or disclose it. If the information is sensitive, it could cause significant harm to the participants and damage the reputation for the researcher.
Questions to Consider:
- Is the research environment appropriate for handling personal information? (e.g., Does the physical setup and protocol allow the researcher or others to observe personal information as it is recorded, such as “shoulder surfing” when participants are in a study?)
- Do you have facilities to securely store personal information?
- Do you use encryption or other digital secure storage mechanisms when appropriate?
- Do you regularly audit and evaluate your security procedures?
- Are all people involved with the project aware of the safeguards that are in place?
- Do you have a documented policy for access to personal information and restrict access to authorized personnel?
- Does each person with authority to access personal information have their own identifier and key (e.g., login and password) to facilitate monitoring?
- Are the access controls in place appropriate for the sensitivity of the information?
- If data records are stored on computers, are appropriate security and intrusion detection mechanisms in place?
Information about the policies and practices related to the handling of personal information should be readily available to research participants and other stakeholders.
Not making information about policies and practices known to others can lead to a failure to develop trust, and may prevent potential participants from giving informed consent.
Questions to Consider:
- Are you open about your policies and practices regarding the handling of personal information?
- Do you make it clear what types of information are collected and
- Do you make it easy for participants and others to learn about your policies and practices?
A participant or other stakeholder should be able to address a challenge concerning the handling of personal information, and that challenge should be responded to effectively.
Without an effective challenge and response mechanism, interested parties will not be able to assess your policies and practices. Failure to provide such mechanisms could lead to a lack of trust and confidence in the researchers.
Questions to Consider:
- Do you have a simple and accessible means for people to communicate questions and concerns?
- Do you have mechanisms in place to ensure fair, accurate, and timely responses to challenges?
- Do you regularly evaluate any challenges and responses that do occur?
A researcher is responsible for the personal information under their control and, if necessary, shall designate a person or persons to establish and maintain privacy principles and practices.
Unclear accountability could lead to a lack of control of the information. Failing to have an accountable person will make it difficult to review practices and deal with any problems.
Questions to Consider:
- Do you regularly review your privacy policies and practices,
including having discussions with any staff or collaborators?
- Do you have written policies and procedures in place for handling personal information?
- Are you and your staff trained to handle personal information properly?
- Have you developed a privacy monitoring system?
- Have you clearly articulated the responsibilities of each individual for privacy protection?
- Is the handling of personal information included in the performance evaluation of staff and research projects?
In conclusion, establishing good privacy protection practices is important for HCI research. Not only is privacy protection required when conducting ethical, scientific research, but there may also be a legal requirement depending on the context of the research. Fortunately, guidelines for ensuring good privacy practices are now available to be adopted by the HCI research community.
European Parliament (1995). Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data. Official Journal of the European Communities (1995), p. 31. http://www.cdt.org/privacy/eudirective/EU_Directive_.html
HIPPA – Health insurance portability and accountability act of 1996 (1996). http://aspe.hhs.gov/admnsimp/pl104191.htm
Ontario Information and Privacy Commissioner (2001). Privacy Diagnostic Tool (PDT) Workbook. http://www.ipc.on.ca/scripts/index_.asp?action=31&P_ID=12081&N_ID=1&PT_ID=15&U_ID=0
Organisation for Economic Co-operation and Development (1980). OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html
PIPEDA – Personal Information Protection and Electronic Documents Act (2004). http://laws.justice.gc.ca/en/p-8.6/93196.html
U.S. Department of Commerce (2000). Safe harbor privacy principles. http://www.export.gov/safeharbor/SHPRINCIPLESFINAL.htm