Considerations and Recommendations Concerning Internet Research…
For SACHRP 13 March 2013 Page 6
or personal diaries are often also given as examples. Is it possible to define categories of
information on the Internet that are, by default, private and others that are, by default, public? For
instance, at one extreme, identifiable information that is available only with a subject’s permission,
or by using a password or other access mechanism under the subject’s control, could be considered
private. At the other extreme, information that is legally available to any Internet user, without
special authorization or access permission, could be considered public.
(b) A subject’s own expectation of privacy is not always “reasonable.” A subject may assume—
perhaps in ignorance—that his or her information provided or available on the Internet is private,
but the first part of the regulatory definition of “private information” specifies that the individual
“can reasonably [sic] expect that no observation or recording is taking place.” Information that is
archived online has, ipso facto, been recorded. Can it ever be reasonable to expect otherwise,
absent an explicit statement that no information will be recorded?
(c) Despite (b) above, the Belmont principle of beneficence may support a more conservative
approach. A subject who incorrectly assumed his/her identifiable information was private, or
restricted only to a select group, might not have posted the information on some social networking
site if s/he thought the information would be widely available, believing that the information could
be embarrassing or damaging. Should the investigator and the IRB consider the proposed research
to be subject to IRB review, even if under existing regulations the research is exempt because the
information is publicly available? Researchers and IRBs should consider the nature of the study
and the sensitivity of identifiable data; more details about the study, and thoughtful institutional
policy, taken in consideration with standard professional or disciplinary norms and practices,
would help inform such decisions.
(d) The second part of the definition cites a reasonable expectation that information provided for a
specific purpose will not be made public. When is an online venue, or social or professional
networking site, or other online activity considered “public”? Does it matter if a password is
required to join the venue? If the venue is moderated? If the venue is intended for use by
individuals who share a particular condition or interest? Are there "shared priorities" by the
members that dictate or determine norms?
One suggestion would be to follow the published privacy/confidentiality policy of the site; if there
is no policy the site could be considered public. Privacy policies may parallel "anonymous"
meeting standards (e.g., Alcoholics or Narcotics or Gamblers Anonymous), where members
operate according to a set of shared priorities and there is an expectation of privacy and
confidentiality within and outside of the meeting. Investigators should be aware of and respect
those shared expectations.
A less nuanced approach would be to say that any venue where membership or participation must
be authorized should be considered private. In contrast, venues where any individual can
participate without third-party approval—even if a password (of the individual’s own choosing) is
required—would not be considered private. In addition, sites whose purpose is to present
participants’ comments for public review (such as the comment section following a news article)
would be considered public even if participants must be vetted or authorized to participate.
In addition to the above considerations under the Common Rule, a researcher may need to consider
whether the entity receiving or hosting the individual’s information is subject to the HIPAA Rules, and
whether the information being maintained is protected health information. For example, a HIPAA