Back to Forum Back to Top


Balancing User Experience with IRB/Institutional Policy when using Commercial Tools in Research

fitness tracker heart rate monitoring wearable sensor Mobile Apps

Back to Forum

Browsing: Balancing User Experience with IRB/Institutional Policy when using Commercial Tools in Research

Matthew Amsden

Posts: 4

Consumer devices, applications and services are becoming increasingly common in human subjects research. I'm interested in how various institutions are navigating the following situation:

  • A study requires participants use an third-party commercially available product. Data will be collected via this product of interest to the research study. This might be a something like a Fitbit or a downloadable app. It might also be creation of an account on the third party's website.

  • Some participants will already have downloaded the application and/or created an account. Many more will do so to take part in the study.

  • There are no access concerns related to cost, resources or technology.

  • The third-party commercial entity has agreed to provide any data in a secure format. The format meets all confidentiality, security and research needs.

  • The external commercial entity has a user agreement/privacy policy. It is consistent with GDPR and California Shine the Light Laws. It explains how data is collected, how it's shared and how the participant may manage this data. Informed consent identifies how data will be stored used & shared within the study.

  • The participant risk of engaging with this third party commercial entity are low. They are no more or no less than a of a general consumer. Informed consent outlines any extra risks presented by the research study.

All good, but ...

  • Language in the end user agreement/privacy policy creates discomfort among reviewers. "Is the end user agreement/privacy policy compatible with our institutional policies?" The concerns are often a combination of business, legal, ethical and regulatory interests.

  • Given GDPR, we're finding third party commercial entities are less willing to change privacy policies for specific research efforts.

Have these issues come up? How are you dealing with them? Do you have work arounds?

1) Are you only allowing participants who are current users/customers to take part in studies? How are you compensating for that bias?

2) Have you told participants to engage with the third party commercial entity just before the consent process? IE the participant is aware of the study, but has not officially joined.

3) Have you found consensus in disclosure language that directs participants to engage with third parties as part of the study? When do you present these disclosures?

Are there other approaches that have been successful and replicated across more than one study?

Thanks so much for your input. This is an emerging issue we're seeing frequently now with academic institutions as groups beyond the IRB become involved in reviews of digital health. Without a solution, it may seriously impact some institutions capacity to work with consumer health technology.

Camille Nebeker

Posts: 56

Hi Matt,

Researchers need to be responsible for conveying possible risks associated with enrolling in a 3rd party app or device. If the participant needs to download an app or register a device to be involved in the study, the Terms and Conditions and Privacy Policy should be conveyed to that person in accessible language so that they are aware how there data will be collected, stored, shared and/or sold. The work around is to create dummy accounts where the person is registered with a code that is not connected to their identity.