Research Design 3: Communicating and managing risk
Once you’ve completed your Risk Assessment and Mitigation Plan your next step is to decide how you will communicate with your participants with respect to the goals of your research, the tasks for participants and any potential risks of participating. This is generally done through a process of Informed Consent, and your Informed Consent materials should include details of these points along with any mitigating measures you will take.
Regardless of whether you are or are not collecting any Personal Data, you will normally need to seek consent of your Human Research Subjects before you start your research.
It’s important to bear in mind that it’s not enough to leave your volunteers (paid or otherwise) to work out for themselves what possible risks might arise. It is your responsibility as a researcher to pre-empt and flag any foreseeable risks to your participants and to communicate these points clearly. This is clearly demonstrated by a 2000 case against two American Research Performing Organisations, where participants successfully sued (and eventually received a $3.8 million settlement) for Informed Consent materials that did not specify the experimental conditions or that subjects could refuse to participate, and were not worded in a way that participants could understand.
Along with your Risk Analysis and Mitigation Plan, your Informed Consent Materials will form a key component of your application for Human Research approval, once you are ready to start your research.
“Informed Consent” covers two distinct, if overlapping, elements of Human Research Subjects’ agreement to participate in scientific research:
- Research Participation – obtaining consent to participate requires researchers to flag the potential physical, emotional or other risks that their participants might be exposed do by virtue of the research process or its findings.
- Data Processing and Privacy – in the context of European Privacy Law (GDPR – General Data Protection Regulation), Informed Consent is the most common (but not only) legal basis for collecting Personal Data from Human Research Subjects.
For both types of consent, the key function of the Informed Consent (IC) process is that this is where you (the Responsible Researcher) come to an agreement with your participants about what they will do for your research and what you will do, both legally and ethically, to ensure their physical, emotional and reputational security. It is key that they know exactly what – and particularly what potential risks – they are agreeing to, and that this is clear in your agreement.
The main ways in which you manage the risks you identify is to execute the mitigation steps you’ve identified in your risk design as agreed with your participants in your Informed Consent. Alongside your mitigation measures on, for example, health, safety and environment, a key part of honoring this agreement is the development and execution of your Data Management Plan, which is a requirement for all research conducted at the TU Delft. In the context of Human Research your Data Management Plan can be used to record data-processing decisions and as such serve as proof of GDPR (General Data Protection Regulation) compliance. It’s important that it’s clear in this plan who will be responsible for executing specific steps around Privacy which have been agreed with participants in the Informed Consent. These might include, for example, ensuring safe storage on an encrypted device, restricted access to date and ultimately executing data deletion.
Planning for risk, ensuring compliance with GDPR, obtaining Informed Consent and developing and executing your Data Management Plan are all part of TU Delft’s Personal Research Data Workflow (PRDW). You can find out more about the PRDW and TU Delft data management policies and processes by consulting your Faculty Data Steward or consulting the information here.