This is an open-access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in the Journal of Medical Internet Research, is properly cited. The complete bibliographic information, a link to the original publication on http://www.jmir.org/, as well as this copyright and license information must be included.
The Internet and social media offer promising ways to improve the reach, efficiency, and effectiveness of recruitment efforts at a reasonable cost, but raise unique ethical dilemmas. We describe how we used social media to recruit cancer patients and family caregivers for a research study, the ethical issues we encountered, and the strategies we developed to address them.
Drawing on the principles of Privacy by Design (PbD), a globally recognized standard for privacy protection, we aimed to develop a PbD framework for online health research recruitment.
We proposed a focus group study on the dietary behaviors of cancer patients and their families, and the role of Web-based dietary self-management tools. Using an established blog on our hospital website, we proposed publishing a recruitment post and sharing the link on our Twitter and Facebook pages. The Research Ethics Board (REB) raised concern about the privacy risks associated with our recruitment strategy; by clicking on a recruitment post, an individual could inadvertently disclose personal health information to third-party companies engaged in tracking online behavior. The REB asked us to revise our social media recruitment strategy with the following questions in mind: (1) How will you inform users about the potential for privacy breaches and their implications? and (2) How will you protect users from privacy breaches or inadvertently sharing potentially identifying information about themselves?
Ethical guidelines recommend a proportionate approach to ethics assessment, which advocates for risk mitigation strategies that are proportional to the magnitude and probability of risks. We revised our social media recruitment strategy to inform users about privacy risks and to protect their privacy, while at the same time meeting our recruitment objectives. We provide a critical reflection of the perceived privacy risks associated with our social media recruitment strategy and the appropriateness of the risk mitigation strategies that we employed by assessing their alignment with PbD and by discussing the following: (1) What are the potential risks and who is at risk? (2) Is cancer considered “sensitive” personal information? (3) What is the probability of online disclosure of a cancer diagnosis in everyday life? and (4) What are the public’s expectations for privacy online and their views about online tracking, profiling, and targeting? We conclude with a PbD framework for online health research recruitment.
Researchers, REBs, ethicists, students, and potential study participants are often unaware of the privacy risks of social media research recruitment and there is no official guidance. Our PbD framework for online health research recruitment is a resource for these wide audiences.
Increasingly, health researchers are turning to the Internet to recruit people for research studies [
However, the use of the Internet and social media as a health research recruitment tool raises unique ethical issues in part because personal and sensitive information may be collected from individuals without their knowledge or consent before they enroll in a study. The simple act of clicking on a recruitment notice is providing data to online behavioral advertising companies, leaving a potentially identifiable trail [
Although regulators like the OPC are mandated to enforce privacy laws, privacy breaches are not uncommon, and there is little guidance for researchers seeking to use social media for research recruitment. There are basic ethical principles, such as Respect for Persons, Concern for Welfare, and Justice, codified in the UN Declaration of Human Rights [
Many forms of Internet-based research could be considered ethically challenging because of the blurred public and private boundaries of online spaces [
Critical dialogue is needed to understand the pertinent ethical issues involved in online health research recruitment and the procedural solutions to protect the rights and safety of potential research participants. In this paper, we describe how we used the Internet and social media to recruit cancer patients and their family caregivers for a focus group study on dietary self-management behaviors, the ethical concerns raised by our institutional Research Ethics Board (REB), and the privacy-enhancing strategies we developed to address them. We include a critical reflection of the perceived privacy risks associated with our social media recruitment strategy and the appropriateness of the risk mitigation strategies that we employed by assessing their alignment with the principles of Privacy by Design (PbD) [
We (JLB and ABC) explored the nutrition and culinary knowledge, attitudes, and behaviors of cancer patients and their family caregivers, and their views on Web-based tools to enhance dietary self-management behaviors. Lack of nutritional knowledge and culinary skills reduces the likelihood of practicing dietary self-management behaviors [
Initially, we relied on traditional recruitment methods, including posters placed at strategic locations (eg, elevators and clinics) in the hospital, in-person recruitment at our cooking and nutrition education classes, and targeted promotion of our study by email to our community partners. Despite this effort, these strategies did not help us reach our recruitment target and composition. Recruitment challenges are a persistent problem faced by researchers. A retrospective review of 404 clinical trials funded by two major funding agencies in the United Kingdom found that only 55% reached their recruitment target [
Encouraged by the evidence on the potential effectiveness of social media as a health research recruitment tool [
Initial social media recruitment strategy.
Our institutional REB raised concerns about the privacy risks associated with our proposed use of the Internet and social media for research recruitment. Specifically, they were concerned that by clicking on our social media recruitment messages (eg, “Seeking cancer patients for a study of nutrition and cooking”), individuals may unknowingly add personal and sensitive health information to their online profile, leaving an identifiable trail that may be used and disclosed by marketers.
The REB asked us to revise our social media recruitment strategy with the following questions in mind:
1. How will you inform users about the potential for privacy breaches and their implications?
2. How will you protect users from privacy breaches or inadvertently sharing potentially identifying information about themselves?
Our revised social media recruitment strategy served to inform users about privacy risks and protect their privacy, while at the same time meeting our recruitment objectives. This
PbD was developed by the former Information and Privacy Commissioner of Ontario, Canada, Dr Ann Cavoukian in the late 1990s. It is an overarching framework for embedding privacy and data protection into information technologies, organizational processes, networked architectures, and entire systems of oversight in a credible and effective way [
In this section, we describe our revised social media recruitment strategy and reflect on the extent to which the privacy-enhancing measures that we used aligned with PbD. The principles of PbD and their descriptions are summarized verbatim in
Applying the principles of Privacy by Design [
Principle | Short description | Alignment with Privacy by Design |
1. Proactive not Reactive; | PbD^b seeks to anticipate and prevent privacy-invasive events before they happen. PbD does not wait for privacy risks to materialize nor offer remedies after the fact. | Privacy notices proactively informed users about the privacy risks of social media, but required individuals to take action to protect their privacy. On the other hand, marketing headlines proactively protected individuals’ privacy by ensuring that those interested in the study were concealed within a broader population than just those targeted for recruitment. In contrast, editing or removing posts after publication represents a remedial, after-the-fact solution. |
2. Privacy as the Default | PbD seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected. No action is required on the part of the individual to protect their privacy. It is built into the system, by default. | We built privacy protection into the recruitment strategy using marketing headlines and a hospital blog with a disabled comment feature to recruit interested individuals. Those that chose to enroll in the study did so through the hospital’s private data collection system without tracing back to social media. |
3. Privacy Embedded into | PbD is embedded into the design and architecture of the system. It is not bolted on as an add-on, after the fact. Privacy is integral to the system, without diminishing functionality. | We embedded privacy into the design of the recruitment strategy using marketing headlines, without diminishing the functionality of social media. On the other hand, we lost functionality that could have enhanced the spread and exposure of our recruitment messages by opting to use a blog with a disabled comment feature and by proposing to edit and delete sensitive posts before publication. |
4. Full Functionality | PbD seeks to accommodate all legitimate interests and objectives in a positive-sum, win-win manner, not through a dated, zero-sum approach where unnecessary trade-offs are made. | Using marketing headlines is an example of a win-win, privacy-enhancing strategy. It increased the reach of the recruitment strategy (which one would expect to increase enrollment) without compromising privacy. Disabling the comment feature on the hospital blog, on the other hand, is not win-win because we traded function for privacy. |
5. End-to-End Security | PbD explains that strong security measures are essential to PbD from start to finish. Embedding PbD into the system prior to the first element of information being collected ensures that all data are securely retained throughout the entire lifecycle of the data involved. | We used social media to garner interest in the research study, embedding privacy protection in the |
6. Visibility and Transparency | PbD seeks to assure all stakeholders that whatever the business practice or technology involved, it is, in fact, operating according to the stated promises and objectives, subject to independent verification. | Our aim with privacy notices was two-fold: (1) to inform users about privacy risks and their implications; and (2) to be as open and transparent as possible. We also adhered to the procedural practices and requirements set by our governing bodies to protect the rights and safety of potential research participants. This included Research Ethics Board review of the research protocol and approval of all social media posts and privacy notices prior to publication. |
7. Respect for User Privacy | PbD requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. | We were cautious in our use of marketing headlines so as not to risk deceiving people or wasting their time. We used privacy notices to offer users appropriate notice and attempted to design them effectively, but we did not use a user-centered design approach to develop them nor did we test their effectiveness. In addition, we do not know people’s views on the marketing headline strategy. Some may have disliked the lack of directness in the notice to get them to the second site. |
^a The principles and their descriptions are described verbatim [
^b PbD: Privacy by Design.
Providing notice and choice about data practices is an essential element of data protection frameworks like PbD [
We developed privacy notices for the hospital blog and Facebook page and regularly tweeted disclaimers about the privacy risks of Twitter. We also included privacy notices in our email requests to community partners to spread the word about our research study. Privacy notices were written in plain language [
Privacy notices and disclaimers.
Medium | Privacy notice/disclaimer |
“Please note that the security of email messages is not guaranteed. Messages may be forged, forwarded, kept indefinitely, or seen by others using the Internet. Do not use email to discuss information you think is sensitive. Do not use email in an emergency since email may be delayed.” | |
“Please also note that the privacy and confidentiality of content (text or pictures) shared on social media platforms is not guaranteed. Content may be forged, forwarded, kept indefinitely, or seen by others using the Internet whether you share publicly to everyone or privately to specific people. Do not use social media to discuss information you think is sensitive. While you may share this information with a select group of people, someone in your networks may share it more widely without your consent.” | |
“The security of social media is not guaranteed. Contact us about the study. Don’t post if concerned about privacy.”^a |
^a Please note that this tweet focuses on security as a possible threat to privacy if data is leaked. Privacy is not limited to security issues.
Facebook recruitment post with privacy disclaimer.
We built privacy protection into our social media recruitment strategy using an Internet marketing approach known as
For example, we originally proposed the following tweet to recruit participants for our study: “Seeking cancer patients for a study of nutrition and cooking @ELLICSRKitchen [URL].” Upon request by our REB, we removed the term “cancer patient” from all social media posts. The following is an example of a privacy-enhanced tweet: “Does #nutrition matter to you? Tell us what you think about #cooking and #cancer @ELLICSRKitchen [URL].”
This small change accomplished two goals: (1) it broadened the reach of our recruitment strategy by attracting a larger population of social media users; and (2) it protected patients’ privacy by default. Used in this way, marketing headlines are a win-win: we attract more interest in our work while pooling the cancer patients we wish to recruit into a broader population of people interested in the subject of our research.
We asked our community partners to use our privacy-enhanced social media messages. All social media messages were reviewed and approved by a plain-language expert and the REB, and were published without modification.
All social media messages included a link that directed interested individuals to the study recruitment notice on our hospital blog. At the time of publishing the recruitment notice on our hospital website, comments were not enabled on the blog platform due to hospital policy. Had commenting been enabled, we proposed to moderate any comments before they were made visible on the blog and remove references to potentially identifying or personal health information. While this strategy would have offered privacy protection, it does not represent a win-win because the blog software functionality was diminished to accomplish the privacy objectives. Allowing readers to freely post and share comments on the hospital blog could have generated online discussion about the study, which could have attracted more study participants, and represents a way to engage the public in spreading the word about a research project.
First, we used PbD to assess the appropriateness of our revised social media recruitment strategy
Guidelines for the ethical conduct of human subject research state that risk mitigation strategies should be proportional to the magnitude and probability of risks involved [
We reflect on the perceived privacy risks associated with our social media recruitment strategy and the appropriateness of the risk mitigation strategies that we employed by discussing the following: (1) What are the potential risks and who is at risk? (2) Is cancer considered sensitive personal information? (3) What is the probability of online disclosure of a cancer diagnosis in everyday life? and (4) What are the public’s expectations for privacy online and their views about online tracking, profiling, and targeting?
The primary risk associated with our recruitment strategy was the potential harm that a person may experience from the disclosure, collection, and use of personal and sensitive information—in this case a diagnosis of cancer—triggered by clicking on our social media recruitment messages. Potential harms associated with disclosure of health information like a cancer diagnosis could include stigmatization, discrimination, or damage to reputation, and may negatively affect relationships, job opportunities, and insurance options. However, we cannot assume that a person clicking on the recruitment message would experience these harms. What we do know is that they will likely receive advertising messages about cancer and/or eating well. It is possible that seeing such messages could be personally troubling for them, but we do not know if this is the case.
It is worth mentioning that there are documented cases of health data located in big data repositories or biobanks being repurposed by third parties for legal and security purposes. These unintended secondary uses of health data have included forensic investigations, civil lawsuits, border security, and identification of victims in mass casualty events [
In terms of who is at risk, it cannot be assumed that the person clicking on the recruitment message was revealing information about himself or herself at all. Spouses, children, siblings, other family members, and friends play a vital role in searching for health information. Research conducted by the Pew Research Center indicates that half of online health information research is on behalf of someone else [
The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) defines personal information as “information about an identifiable individual” [
It is highly probable that cancer patients who clicked on our social media recruitment messages already disclosed their cancer diagnosis online, thereby exposing themselves to related harms. First, the majority of cancer patients report using the Internet as a source of health information. For example, 86% of a sample of 202 thyroid cancer patients [
A total of 90% of Canadians are concerned about the privacy impact of new technologies and 98% want strong privacy laws [
A further challenge for researchers seeking to use the Internet and social media for research recruitment is the disparate norms about what is and what is not ethical across research communities. Researchers are guided by different disciplinary methodological approaches, norms, and conventions, and regulations for ethical online research vary across disciplines. What is considered ethically acceptable in one discipline may not be in another [
We have shown that PbD is a useful framework for designing, evaluating, and achieving privacy in online health research recruitment. Applying the principles of PbD helped to identify the privacy strengths, weaknesses, and gaps in our recruitment strategy. Based on alignment with PbD principles, use of marketing headlines was the strongest privacy measure used whereas privacy notices were the weakest. Contrary to the principles of PbD, we made trade-offs in favor of privacy protection, such as agreeing to disable the comment functionality on the hospital blog, which traded function for privacy. PbD also alerted us to areas in need of improvement, such as the privacy gaps created by engaging others in implementing our recruitment strategy. To fully embed privacy into the design of a recruitment strategy, all parties involved in implementing it should endorse the PbD approach.
By applying PbD, we also identified areas in need of further research. While PbD is becoming the standard for privacy protection in many jurisdictions around the world [
Another privacy tool, Privacy Impact Assessment (PIA), deserves mention. PIAs aim to “identify the potential privacy risks of new or redesigned programs and to eliminate or reduce those risks to an acceptable level” [
Based on our experiences with this case study, we offer a PbD framework for online health research recruitment. We drew on the principles of PbD [
Privacy by Design framework for online health research recruitment: Proposed considerations for researchers and institutional Research Ethics Boards.
Privacy-by-Design principles | Considerations |
Justification | Why is it necessary to use the Internet and social media to recruit participants for your research project? |
Context | Where does the study recruitment take place? What are the terms of use and privacy policies of the recruitment sites or applications? What are users’ privacy expectations regarding the recruitment sites or applications? |
Sensitivity | What is the subject of study? Is the data considered personal information? Is the data considered “sensitive” personal information? What are the privacy expectations commonly associated with these types of data? |
Vulnerability | Who are the recruitment targets? What additional privacy measures may be required to protect the privacy of vulnerable individuals? |
Proactive not Reactive; Preventative not Remedial | What are the potential privacy risks and related harms associated with the recruitment strategy? Do certain data, people, or groups require more privacy protection? |
Privacy as the Default Setting | If an individual does nothing, is their privacy still intact when they are exposed to the recruitment strategy or do they have to take action (eg, opt out or add a privacy measure) to protect their privacy? |
Privacy Embedded into Design | Is your privacy-enhancing measure built into the design of your recruitment strategy or has it been bolted on as an add-on, after the fact? |
Full Functionality—Positive-Sum not Zero-Sum | Does your recruitment strategy offer privacy protection without sacrificing your recruitment goals and objectives? |
End-to-End Security—Full Lifecycle Protection | Are there any weak links or gaps in the implementation or oversight of your recruitment strategy? |
Visibility and Transparency—Keep it Open | Are all people and organizations involved in recruiting participants (directly or indirectly) operating according to stated promises and objectives, and is information about their privacy policies and practices readily available to the public? |
Respect for User Privacy—Keep it User Centric | Are your privacy measures user centric? Have they been designed with the user in mind? Are they simple to use and written in easy-to-understand plain language? Have they been tested and approved by users? |
^a PbD: Privacy by Design.
Researchers, REBs, ethicists, students, and potential study participants are often unaware of the privacy risks of Internet and social media health research recruitment and there is no official guidance. From this case study, some may conclude that the REB’s perceptions of the potential risks involved in our research study and our revised privacy-enhanced recruitment strategy did not match the magnitude and probability of the risks involved. On the other hand, others may argue that given that hospitals occupy an important trust relationship with patients and the public, hospital REBs should apply the precautionary principle as their use of social media may provide a false sense of security. We have shown that PbD is a useful framework for designing, evaluating, and achieving privacy in Web-based research recruitment. We offer our PbD framework for online health research recruitment for researchers and REBs to guide the ethical design, review, and conduct of studies that use the Internet and social media as a health research recruitment tool. Future research should focus on designing effective privacy notices and measures and evaluating their impact.
Association of Internet Researchers
Children's Hospital of Eastern Ontario
Electronic Living Laboratory for Interdisciplinary Cancer Survivorship Research
National Committee on Vital and Health Statistics
online behavioral advertising
Office of the Privacy Commissioner of Canada
Privacy by Design
Privacy Impact Assessment
Personal Information Protection and Electronic Documents Act
Research Ethics Board
Tri-Council Policy Statement
None declared.