Privacy Settings in Recollective
Some studies, whether due to the location of the participants and the applicable regional legislation, or due to the sensitive nature of the subject matter, require additional measures to ensure the privacy and confidentiality of the participants and the responses they provide.
Recollective provides a number of configuration options that allow fully customized, role-based privacy settings, so that sensitive information, particularly personally identifiable information, is exposed only according to the principle of least privilege.
Settings at the Study Level
Study-level settings allow administrators to customize each study space with unique visibility and permission settings. Privacy-related settings at the study level can be found by going to Admin > Study Settings and include:
Control the appearance of participant identities within the study space.
From Admin > Study Settings > Privacy, administrators can control how participants appear within the study space to other participants, to clients, and to other administrators (analysts and moderators) respectively. The identity appearance options include:
- Full name: participants will be identifiable by their first and last name as they appear in their panelist accounts (e.g., John Doe)
- First name and last initial: participants will be identifiable by their first name and last initial as they appear in their panelist accounts (e.g., John D)
- First name and unique ID: participants will be identifiable by their first name as it appears in their panelist accounts and the unique, automatically generated panelist ID number associated with their accounts (e.g., John 1234)
- Username only: participants will be identifiable by their usernames as they appear in their panelist accounts (e.g., johnny)
- NOTE: If you have chosen not to assign usernames to participants when their accounts are created, their usernames will be automatically generated from their first name and last initial (e.g., John_D). Similarly, if participants are invited to a study without their accounts having been created beforehand, they will be asked to choose their own username, and may choose something containing personally identifiable information. To use usernames while preserving the confidentiality of participants, be sure to assign each participant a username when creating their accounts via a bulk import.
- Unique ID only: participants will be identifiable only by the unique, automatically generated panelist ID number associated with their accounts (e.g., Participant 1234)
By default, participants and clients see participants by username only, and other administrators (Analysts and Moderators) see participants by their full name.
Control the visibility of the Participant Directory, Participant Profile Pages, and Profile Photos.
Also from Admin > Study Settings > Privacy, administrators can control whether participants and clients can see, respectively:
- The Participant Directory: the list of all active participants in the study
- Participant Profile Pages: the participant view displays the stream of that participant’s responses to all activities with shared responses; the client view displays the stream of all responses along with some additional metadata such as number of study visits, number of activities completed, number of excerpts, etc.
- Profile Photos: the display photo uploaded by the participant to their panelist account.
By default, participants have access to the directory and profile pages, and clients have access to the directory, profile pages, and profile photos. Each can be disabled for either or both account types.
Other administrators (Analysts and Moderators) always have access to the directory, profile pages, and profile photos.
Control clients’ ability to see participant email addresses and profile fields.
Client access to participant email addresses and profile fields is disabled by default; administrators have the option to enable it. Two options exist for granting access to profile fields: one gives access only to profile fields without personally identifiable information, and the other also gives access to fields with personally identifiable information.
This setting can also be found at Admin > Study Settings > Privacy.
NOTE: profile fields containing personally identifiable information must be manually tagged as such by administrators; the platform does not automatically recognize whether the type of information entered in a field, or the type of question being asked in the field, contains personally identifiable information. See below for more information about personally identifiable information in profile fields.
Define custom permissions for clients within each study space.
From Admin > Study Settings > Permissions, administrators have the option to give clients additional permissions beyond the observational role they play by default. While most options (Collaborate in backroom, view action logs, view points, etc) do not give clients access to anything that might compromise the privacy of participants, some options might:
- View private messages: the private messaging function allows Analysts and Moderators to talk to participants individually, sometimes to help troubleshoot issues or resolve any concerns. This less formal method of communication with participants leaves room for sensitive information to be shared, so private/confidential studies should avoid giving clients this permission.
- Generate transcripts and exports: some export options may contain participant profiling information. Additionally, this permission allows clients to export any photos or videos that may have been uploaded by participants.
Information received in study responses
All information received from participants over the course of the study, whether in discussions, standard/journal activities, or live video activities, is visible to all administrators who have access to the study. It is not possible to hide a response, or any part of one, from all or from specific administrators. If a project requires that absolutely no personally identifiable information be received on any participants, administrators are responsible for ensuring that participants are informed of (and regularly reminded of) this requirement by requesting that they do not provide this information. If information is received from participants that must not be viewable by some or all administrators, the response may be deleted in its entirety. Responses may be exported prior to deletion to preserve a copy of the data.
Standard and Journal activities, as well as discussions, are by default socialized. On activities, the default setting is that responses are hidden until participants respond, which means that, upon completion of an activity, participants will be brought to that activity’s response stream, where they can view, rate, and comment on the responses of other participants. This can be disabled by selecting “No sharing of responses among participants” on the activity’s setup page.
On discussions, replies and comments are by default visible to all participants immediately. Discussion topics can be made private by selecting “No sharing of replies among participants” on the discussion topic setup page.
Settings at the Site Level
Site-level settings apply to all studies and all panelists on the site; some settings also apply to administrators. The following settings at the site level can be leveraged to support the reduction of personally identifiable information that is collected by default, ensure participants are aware/have consented to the collection of information, and identify/remove personally identifiable information as needed.
Site-level settings can only be configured by administrators in the Analyst role. The following settings are available to Analysts:
Configure the default account fields that panelists are allowed to edit.
Recollective has 6 profile fields that are by default included on each panelist’s account page. They can each be disabled to help enforce privacy/confidentiality requirements for panelists on the site by going to Site Administration > Site Setup > Account Settings. They include:
- First Name: Disabling this field will prevent panelists from being able to edit or provide their first names. If this field is enabled, and no first name is associated with the panelist account when the panelist first registers on the site, panelists will be required to provide a first name upon registration. Administrators choosing to disable this field can either fill it in with a pseudonym or leave it blank.
- Last name: Disabling this field will prevent panelists from being able to edit or provide their last names. If this field is enabled, and no last name is associated with the panelist account when the panelist first registers on the site, panelists will be required to provide a last name upon registration. Administrators choosing to disable this field can either fill it in with a pseudonym or leave it blank.
- Username: The username field is required and cannot be left blank. Disabling this field will prevent panelists from being able to edit their usernames. Administrators choosing to disable this field can either set the username on the participant’s behalf when creating their accounts, or allow the system to automatically generate a username when the account is created. The content of an automatically-generated username depends on the other information that was provided when the account was created:
- If a first and last name were provided, the username will follow the format Firstname_Lastinitial (e.g., John_D)
- If only a first name was provided, the username will be the first name (e.g., John)
- If only a last name was provided, the username will follow the format p_[unique panelist ID#] (e.g., p_1234)
- If neither a first nor a last name was provided, the username will follow the format p_[unique panelist ID#] (e.g., p_1234)
- If panelist accounts were not created prior to the panelists registering on the site (i.e., if they were invited by shared invitation link or with a direct email invitation), disabling username editing is temporarily circumvented, because panelists will be required to define a username upon account registration. Once they have defined it, they will not be able to edit it again. For this reason, it is recommended in private studies to create participant profiles in advance and assign each one a sufficiently anonymous username.
- Email address: Disabling this field will prevent panelists from being able to edit or provide their email address. If this field is enabled, and no email address is associated with the panelist account when the panelist first registers on the site, panelists will be required to provide an email address upon registration. Administrators choosing to disable this field can leave it blank.
- Email addresses are used as the key identifier for each account. For instance, there cannot be more than one account associated with a single email address, and, when updating panelist accounts via a bulk import, the system uses the email address to identify panelists and update their accounts accordingly. Wherever an email address is not included, an External ID value must be defined as this is the only other field type that can play the role of identifying each account.
- NOTE: for the best possible experience on Recollective, both for Administrators and Panelists, it is strongly recommended to have an email address associated with panelist accounts. Email addresses are never visible to other panelists, can be hidden from clients in each study’s settings, and can easily be deleted after the conclusion of the study without compromising the data collected. Having an email address ensures that study participants can receive notifications and receive a password reset link if they’ve forgotten it; it also allows administrators to get in touch with panelists directly to help troubleshoot any issues. Studies involving panelists whose email addresses are not defined see significantly lower participation rates.
- Password: The password field is required and cannot be left blank. Disabling this field will prevent panelists from being able to edit their passwords. Administrators choosing to disable this field can either set a default password when creating their accounts, or allow the system to automatically generate a password when the account is created. In either case, upon account registration, participants will be required to select and confirm a new password; disabling the field only prevents them from editing it later. This will also prevent them from being able to reset their passwords using the “Forgot Password” function on the login page. It is recommended that the option for panelists to edit their passwords remain enabled.
- Profile Photo: Disabling this field will prevent panelists from being able to provide a profile photo. When enabled, providing a profile photo is always optional and cannot be set as required. Administrators can manually add profile photos to individual panelist accounts if necessary.
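The identity appearance options (under Settings at the Study Level) and the automatic username rules above interact: a study set to show participants by username only still reveals a first name and last initial whenever the username was auto-generated. The following Python, an added example that is not Recollective's own code, models both rule sets as this page describes them and flags that leak; the Panelist class, the function names and the sample panelists are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Panelist:
    """Constructed stand-in for a panelist account (not Recollective's data model)."""
    panelist_id: int
    first: Optional[str] = None
    last: Optional[str] = None
    username: Optional[str] = None   # None = no username assigned at account creation

def auto_username(p: Panelist) -> str:
    """Username the site generates when none was assigned, per the rules above."""
    if p.first and p.last:
        return f"{p.first}_{p.last[0]}"   # Firstname_Lastinitial, e.g. John_D
    if p.first:
        return p.first                    # first name only, e.g. John
    return f"p_{p.panelist_id}"           # last name only, or no name: p_<panelist ID>

def display_identity(p: Panelist, mode: str) -> str:
    """What a viewer whose role is set to identity option `mode` sees for this panelist."""
    if mode == "full_name":
        return " ".join(n for n in (p.first, p.last) if n)
    if mode == "first_last_initial":
        return f"{p.first} {p.last[0]}" if p.last else (p.first or "")
    if mode == "first_unique_id":
        return f"{p.first} {p.panelist_id}"
    if mode == "username_only":
        return p.username or auto_username(p)
    if mode == "unique_id_only":
        return f"Participant {p.panelist_id}"
    raise ValueError(f"unknown identity option: {mode}")

def reveals_real_name(p: Panelist, mode: str) -> bool:
    """True when the shown identity contains the panelist's real first or last name
    (case-insensitive substring check); this is how an auto-generated username
    leaks the first name even under 'Username only'."""
    shown = display_identity(p, mode).lower()
    return any(n.lower() in shown for n in (p.first, p.last) if n)

def audit_study(panelists, mode: str):
    """IDs of panelists whose displayed identity under `mode` still reveals a name."""
    return [p.panelist_id for p in panelists if reveals_real_name(p, mode)]
```

Run audit_study over a bulk-import list before inviting participants to a private study; any IDs it returns need an assigned username or a different identity option.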
Managing personally identifiable information (PII) in custom fields
In addition to the standard profile fields above, Recollective allows Analysts to define custom fields to gather additional profiling information on panelists. Some of these fields may contain personally identifiable information (PII). Fields containing PII should be manually tagged as such using the “May contain personal identifiable information (PII)” checkbox in the modal where the field is edited.
When a field is tagged as having PII, removing that PII later becomes easy. Recollective includes a function to quickly wipe PII from a single or a defined subsection of panelist accounts. Read about this in more detail here.
Use Agreements to inform and gather consent from participants on the collection and use of their information
Administrators running privacy-conscious studies should be aware of the Agreements feature in Recollective, which allows Analysts to require that participants accept an agreement before being allowed to register on the site or to access the study they have been invited to.