Privacy and Confidentiality

The use of the PIEL Survey app for research and therapeutic purposes has been approved by many institutions in the U.S., Europe and the Asia-Pacific region. The following information is intended to help users provide appropriate information to their institutions and ensure compliance with any regulatory requirements.

In this summary, we use the term 'Researcher' for the person who is primarily responsible for conducting the survey project. We recognize that this person may in fact be a therapist but the term 'Researcher' is used for convenience. A 'Participant' is the research subject or patient, the person who responds to the surveys. Institutions will have a process for approval of research or therapeutic projects. This will often include an Institutional Review Board (IRB) or Ethics Committee. We will use the term 'IRB' to refer to these approval processes.

The requirements of IRBs will differ based on the sensitivity of the data collected, whether the subject is identifiable, the effectiveness of informed consent and whether there is potential harm to the subject. Furthermore, there is often a layer of government legislation and regulation which may need to be followed. This will differ in each country.

Please contact us if you need further information.

Data Collected

The Researcher fully controls the type of data collected by the PIEL Survey app by providing survey metadata and survey questions in a Control File. The one exception is timestamp data (see below). The Control File is provided to Participants using email, file sharing or through a web link.

We can provide the following assurances.

  1. The metadata collected and saved in the Data File are: Survey Name, Survey Author, Survey Version and Subject ID. These are all set by the Researcher in the Control File. All of them apart from Subject ID can be omitted without affecting the function of the app; the handling of a missing Subject ID is described in the next point.
  2. If the Researcher does not provide a Subject ID in the Control File, the PIEL Survey app will ask the user for a Subject ID. This functionality is designed for a situation where a user conducts surveys with multiple people on the same device. Generally, for Ecological Momentary Assessment (or Experience Sampling Method) style studies, we expect that the Researcher will provide an ID.
  3. The only data that the PIEL Survey app collects apart from that required in the Control File are timestamps (time and date data). The Data File will include a timestamp for the beginning and ending of each survey and the time that each question is answered.
  4. Some applications gather other data from the device, such as geolocation, device information and contacts. The PIEL Survey app collects no data from the device apart from the answers specified in the Control File and the timestamps. In particular, no device identifier, account identifier or other data that could link the Data File to a specific device or user is collected.

Data Storage

Many questions relating to storage of data (such as the location of the database, its security and its encryption) do not apply to the PIEL Survey app, because data management in the PIEL Survey app is a direct transaction between Participant and Researcher with no intermediate server.

  1. The PIEL Survey app does not use a remote server or database. The app can be used without an internet connection unless Researchers and Participants decide to use the email function.
  2. All data is stored on the Participant's device in one or more Data Files until it is sent by email or transferred by file sharing.
  3. All data can be deleted by the Participant at any time, using commands within the app or by deleting the app from the device. Note that this removes only the copies on the device; copies already sent by email, or included in a device backup (see Further Protection below), are not affected.
  4. The user interface makes it clear when there is data stored on the device. The 'action arrow' is enabled and the user can choose to email or delete the data.

Data Transmission

A key feature of the PIEL Survey app is that the Participant has complete control over when and if data is transmitted or transferred.

  1. No data is transmitted or transferred from the device unless the Participant emails it or connects the device to a computer for file sharing. In both cases, the active cooperation of the Participant is required. The PIEL Survey app does not upload or back up data to a remote server or to a cloud service.
  2. If the Participant chooses to email the Data File, the device's email application is opened and a draft email is shown with the Data File attached. The Participant can then cancel the email, send the email or modify the email. In the latter case, the Participant can change the recipient, remove the Data File or add content to the email.
  3. If the Researcher and Participant decide to use file sharing to transfer the Data File, the Researcher will need physical access to the device and the device passcode.
  4. The Data File is not encrypted, but it does not contain the text of the questions; they are identified only by question number. With one exception, the answers are saved as one or more numbers which correspond to the answer options as set in the Control File. The exception is 'text' questions, whose answers are saved as text. Thus the data for all questions other than 'text' questions cannot be interpreted without the Control File, although text answers and timestamps are readable as they stand. It should be noted that the Control File is not transmitted or transferred from the device at any time.
  5. If encryption in transit is required, the email account on the device should be set up to use SSL/TLS security, using the settings from the email provider. Note that SSL/TLS protects the message only on the connection between the device and the mail server; the Data File is still stored unencrypted in the mailboxes of both sender and recipient.

Data Disclosure

There are many ethical and regulatory questions relating to disclosure of data. Since the PIEL Survey does not provide a web or other interface to the data, meeting these requirements is the responsibility of the Researcher. The Data File is provided directly to the Researcher by email or file sharing; it is a transaction between the Participant and Researcher. Access to the data after that point is controlled by the Researcher.

Further Protection

The Researcher can consider the following protections as another layer of security.

  1. The Subject ID should be a code that does not identify the Participant, not their name, and any key linking codes to Participants should be stored separately from the Data Files. The Survey Name and Survey Author can likewise be replaced by codes or omitted altogether.
  2. The Control File and the Data File should be stored in secure locations. The numeric answers in the Data File cannot be interpreted without the Control File, so you may consider storing the two files in separate locations.
  3. The device should be protected with a strong passcode.
  4. Participants can choose to use an email account configured for SSL/TLS to send the Data File. This protects the message in transit between the device and the mail server, but not once it is stored in a mailbox.
  5. The Researcher should take care that the email server is secure and should take appropriate precautions with the data once it is received from the Participant. Universities usually have strong protections in place for their email servers, and Researchers should confirm this.
  6. If you have any concerns about email transmission or your email server security, a more secure method of obtaining the Data File is file transfer by directly connecting the Participant's device to the Researcher's computer and using iTunes (or the Finder on recent versions of macOS, which has taken over iTunes file sharing).
  7. If the Participant does not want the Data File backed up by iTunes, they can disable backup for that data or choose to encrypt the backup.
  8. The Researcher should consider giving Participants a procedure to follow if the device is lost or stolen. For example, the "Find My iPhone" feature enables a lost or stolen device to be located and locked and, if necessary, its data to be erased remotely. The Researcher could recommend to Participants that this feature be enabled. Even if it is not enabled, the Apple ID password can be changed.

Marketing

The PIEL Survey app is provided as a free service to the research community through the Apple App Store. We can provide the following assurances.

  1. There is no marketing material or request for donations within the PIEL Survey app.
  2. The PIEL Survey receives no sponsorship from commercial entities in exchange for advertising or data.
  3. The PIEL Survey does not have access to any personal details of users unless they initiate contact (for example using the contact form on the PIEL Survey website).
  4. No third party (apart from the Researcher and Participant) has access to the Control or Data Files through the PIEL Survey app or website.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The US Congress incorporated a number of provisions into the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that mandate the adoption of Federal privacy protections by certain entities. These protections cover the privacy and security of Protected Health Information (PHI). PHI is any individually identifiable health information held by a covered entity that concerns health status, the provision of health care or payment for health care. The provisions govern how such data is stored, used, disclosed and transmitted.

We recommend that Researchers refer to the summary provided by the U.S. Department of Health & Human Services. The information provided above should help Researchers determine which requirements apply to their project and whether they meet those requirements. We make the following observations.

  1. The PIEL Survey app does not add any personally identifiable information. If the Researcher does not provide identifiable information in the Control File and does not ask questions whose answers are identifying, the Data File will not contain PHI.
  2. The only storage of data by the PIEL Survey app is on the Participant's device. There are several layers of protection for the Participant, as described in the sections above.
  3. There is no transmission of data without specific actions by the Participant.
  4. In particular, patient-initiated communication such as email is permitted:
    "Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications." U.S. Department of Health & Human Services