UW Privacy Office

Guidance for Using Vendor Crowdsourcing Platforms

Purpose

Enable UW units to responsibly use crowdsourcing platforms (e.g., Prolific, CloudResearch, Upwork) for recruiting research participants by:

  • Informing them of the privacy risks.
  • Helping them meet their privacy responsibilities.
  • Providing them with a summary of best practices for managing risks and protecting individuals.

Summary of privacy risks

Vendor crowdsourcing platforms can be a valuable tool for recruiting participants for UW research studies. Use of such platforms also presents privacy risks, depending on the vendor’s business model, privacy practices, and willingness to agree to the UW’s privacy and data protection requirements. The risks vary from vendor to vendor, but the following risks are common across the platforms that UW researchers or their college/school have requested the Privacy Office assess.

Terms of Service: Purpose and use of participants’ data

Under the vendor’s terms of service, the vendor may use privacy-specific terms such as controller and processor (defined in the Glossary of Privacy Terms). If the vendor positions itself as a controller, it means that the vendor determines the purpose(s) and use(s) of the participant and researcher data it collects. As a controller, the vendor’s use of that data often is not limited solely to the purposes of the research study conducted by the UW. For example, the vendor’s terms of service may allow the vendor to use the data in ways that are not expected by the researcher or participant or aligned with UW policies. If the vendor positions itself as a processor, it means that UW determines the purpose(s) and use(s) of the participant and researcher data.

Collection and use of researchers’ data

Depending on the vendor’s business model, UW researchers may be required to share more (or more sensitive) information than what may generally be expected or needed to sign up for a researcher account (e.g., their own passport or other photo ID for the vendor’s validation processes or for other purposes).

Use of messaging or chat features

The vendor platform may make available a messaging system or other opportunities for the researcher to communicate with participants. Depending on the vendor’s business model, the vendor may access the contents of those communications regularly or for purposes not strictly necessary to provide the service.

Vendor access to researcher and participant data

The vendor may make available opportunities for offering feedback or making posts or providing other information about the researcher, participants, or research studies on the platform. The vendor also may request that the researcher participate in user research. In addition, the vendor’s terms of service may allow the vendor to access and use that data to send promotional content or for other business purposes.

Access to student education records

If students create their own researcher accounts or access and use the platform in a manner that identifies them, the vendor may have access to personally identifiable student education records protected by the Family Educational Rights and Privacy Act (FERPA). FERPA requires appropriate terms and conditions to be in place between the UW and the vendor before the UW can disclose such information to the vendor. It may also limit the vendor’s ability to use that information for its own secondary purposes. Please contact the Privacy Office at uwprivacy@uw.edu for assistance or advice because the determination of requirements under FERPA is highly nuanced.

Other legal requirements

Other state, federal, or international laws may apply to your use of the vendor’s platform, for example:

  • State of Washington law requires a data sharing agreement to be in place for sharing information that is Category 3 “Confidential information” or Category 4 “Confidential information requiring special handling” as defined under the policies of the Washington State Office of the Chief Information Officer (OCIO).
  • Research studies that are conducted internationally, including but not limited to the EU, UK, Kenya, or China, or that target participants in those jurisdictions or internationally, may be subject to international data protection laws and regulations that impose various requirements on data collection, storage, usage and sharing.

Determining applicability and interoperability of these laws and policies can be highly nuanced. Please contact uwprivacy@uw.edu for assistance or advice.

Privacy best practices

To help manage the privacy risk of harm to individuals and include privacy in the design of a research study, you should apply the privacy best practices, in the order below, when using crowdsourcing vendors.

Step 1: Inventory personal data collection and use

Document the study for which you are engaging the vendor in the TrustArc Privacy Management Platform to assess privacy risks and as part of the UW’s data inventory initiative. The UW faculty member or principal investigator (PI) responsible for the study or their delegated research administrator or support staff is the person responsible for documenting the study in TrustArc. The data inventory is required by certain laws and regulations. If the study involves high-risk data processing, you may need to complete a privacy assessment. Reach out to the Privacy Office at uwprivacy@uw.edu to request a business process questionnaire to inventory the research study if you do not have system access to TrustArc.

Step 2: Assess need for a Data Processing Agreement

Download and complete the DPA-SCC Decision Support Tool to determine if processing of personal data is involved and whether a data processing agreement (DPA) is required. If a DPA is required, determine if the vendor will agree to use the UW Controller-to-Processor (C-to-P) DPA. A C-to-P DPA positions the UW as a controller of the data, which means that the UW makes decisions about the purpose and use for processing personal data. The vendor is positioned as the processor, which means that they only collect, use, and store the personal data on behalf of the UW. The UW C-to-P DPA prohibits the vendor from using the personal data for its own supplemental purposes (e.g., data analysis, marketing for other non-UW research studies, etc.). The C-to-P DPA also addresses laws and regulations that apply to the UW and student education records (e.g., FERPA).

If the vendor will not agree to use the UW C-to-P DPA, use the following steps to manage the privacy risks

Seek contractual terms and conditions equivalent to the DPA

If the vendor does not agree to the best practice above, determine if equivalent terms and conditions can be included in the vendor’s own agreement or terms of service. This can be a complex analysis of terms and conditions. Please contact uwprivacy@uw.edu for assistance or advice.

Identify alternative recruitment mechanisms

If the vendor does not agree to the best practices above, determine whether alternative options exist for recruiting participants and managing the privacy risks. For example, instead of connecting with study participants via the vendor’s platform, determine if:

  • A list of participants and their contact information can be obtained from the vendor so that the researcher can contact the participants outside the vendor’s platform, which would prevent the vendor from accessing those outside communications and using them for its purposes.
  • There is another crowdsourcing vendor that would reduce privacy risks.

Perform vendor assessment and review terms of service

If the best practices above are not attainable, perform a vendor assessment to help you make an informed decision about the vendor’s service. Please contact uwprivacy@uw.edu for assistance or advice, or to request a vendor assessment form. This may include gathering information about whether the UW’s use of the vendor’s service:

  • Complies with the rules governing the use of State of Washington resources (e.g., UW data, network, systems, facilities, and/or UW personnel) for private gain. See RCW 42.52.160.
  • Aligns with UW Administrative Policy Statements (APS), Executive Orders (EO) or other policies and rules.
  • Excludes high-risk data processing.
  • Provides UW researchers and research participants a choice (e.g., via opt-in or opt-out) about supplemental collection of their data for the vendor’s own purpose.
  • Limits the vendor’s supplemental purpose and use of data to services that benefit or provide opportunity to the UW researchers and research participants in a way that the UW researchers and research participants would not otherwise be able to obtain.

Based on the vendor assessment, review the vendor’s terms of service to determine if they are appropriate for the UW researchers and participants. Note: online terms of service can typically be changed by the vendor at will, so you should regularly review the vendor’s online terms of service for any changes and address any new or altered privacy risks.

Develop UW college or school privacy policy for use of crowdsourcing vendors

If the best practices above are not attainable, develop a UW college- or school-level policy to help manage the privacy risks in an efficient and cohesive manner. While a policy does not provide the same level of risk reduction as the best practices above, it does allow the UW college or school to acknowledge and document accountability for residual risk, including, but not limited to, costs of non-compliance with applicable laws and regulations. The policy should:

  • Inform researchers about the privacy risks above and their privacy responsibilities for managing the risks.
  • Include a process for the UW College or School to document the researchers’ understanding by requiring researchers to sign a form whereby they acknowledge those risks and agree to abide by such limitations.
  • Limit use of the vendor’s platform only to the purpose of recruiting participants. Research study documentation (e.g., proposals, protocols, etc.) and study data should not be uploaded to or stored on the platform.
  • If FERPA terms are not included in the agreement or terms of service, address privacy requirements around student researcher use and sharing personally identifiable information in student education records protected by FERPA. As the determination as to what may be required to address such requirements is highly nuanced, please contact the Privacy Office at uwprivacy@uw.edu for assistance or advice. Risk management processes may include:
    • Not disclosing such information to the vendor.
    • Creating anonymous accounts that do not reveal such information or violate the vendor’s agreement or terms of service.
    • Obtaining the consent of student researchers to disclose such information that meets FERPA requirements.
    • Implementing operational controls to limit or prevent access to such information.

Consult the UW Privacy Office and other UW units

The UW Privacy Office is here to help! Please reach out to us early in the process (at uwprivacy@uw.edu) – prior to engaging the vendor platform – for assistance or advice on privacy risks and best practices.

In addition to the privacy risks and best practices above, the UW college or school should simultaneously consult the relevant UW offices regarding other issues (e.g., tax, procurement, accessibility, security) that may need to be addressed before engaging the vendor. Resolution of these issues can be pursued at the same time as addressing the privacy-related issues.

This guidance is iterative and will be updated to address evolving uses, risks, and best practices. It is based on past collaboration discussions on this topic with the College of Engineering, Foster School of Business, Accessibility, Office of Research, Procurement Services, and the UW Division of the Attorney General’s Office.