Project Ethics and the Application Process

Dr Ian Cornelius

Hello

Ethics

Ethics (1)

What are ethics?

Provides researchers with ethical guidelines and principles for the conduct of their research
Ethics, broadly defined, is the morality of human action
- the rightness or wrongness
Concerned with what is good for the people and society as a whole
In research, we are concerned with not causing harm to participants

Before we delve into the purpose and need for ethics in a research project, it is often best to understand what is meant by the term ethics. In this case, it will provide research with guidelines and principles to conduct their research. Broadly defined, the term ethics is about the morality of a human action, in regard to the rightness or wrongness of a human act. Practically speaking, we are often concerned with what is good for the people and society as a whole. Therefore, ethics is important as it requires us to do good to others and take responsibility for our actions and what we do.

The nature of ethics allows researchers and academics to further educate themselves and monitor their activities in the conduct of research to ensure they reach a high ethical standard. This will often be the case to ensure that any participants in research are not harmed.

Ethics (2)

The Need for Ethical Approval

Approval is needed when undertaking the following:
- research, design studies, product development
- survey work, questionnaires, interviews, focus groups or case studies
Most important if doing the following:
- active participation from humans (fellow students, friends, parents etc.)
- actual or potential disclosure and storage of personal (or confidential) information

When it comes to undertaking research and participating in the methods of data collection, you will need to obtain ethics approval from your supervisor. Approval will be required for every piece of research you undertake at this university, and there is even a website to streamline the process of getting approval.

You will need to seek approval, especially if your method of data collection involves survey work, questionnaires, interviews or focus groups. These generally have some form of active interaction from fellow students, friends or parents. However, I would hope that you would be broadening your horizons a little further when it comes to collecting data.

If you aim to store any personal information, even confidential, from the aforementioned data collection types, then an ethics application is most certainly warranted. Do not think, just because you’re sitting at a desk and doing “desk-based research”, that you do not need an ethics approval - you do! Therefore, it is expected that all students will be submitting an ethics application to their supervisor, and you will be introduced to the website later on in this video.

Data Collection

Data Collection and Management (1)

Primary Research

Primary research is collected by a researcher from first-hand sources
- i.e. methods such as interviews, questionnaires, surveys, experiments or observations
This type of research often needs information regarding:
- how consent would be obtained
- what are the potential physical and emotional risks to the researcher(s) and/or participant(s)?
- how will the data be gathered, stored, used and destroyed

As I have mentioned before, ethics normally revolves around the collection of data. The way in which you collect the data and also the appropriate storing of the data. A researcher often collects primary research in the form of
first-hand sources, such as interviews, questionnaires, surveys, experiments or observations.

When it comes to performing these types of data collection methods, you will often need to provide information on the following:

how will you get informed consent of a participant — they will need to permit you to collect and obtain their data; this will include the challenges involved in the consent process and how they will be minimised
you will need to describe whether there are any potential physical or emotional risks to the researcher or participants; for example, could you bring up any emotional trauma based upon some interview questions you may be asking
finally, you will need to describe how the data will be collected, stored, used and also destroyed; you will need to be concerned with the anonymity and confidentiality of the data collected; other prying eyes should not see any sensitive data

If you are struggling to comprehend how you may go about to ensure you meet each of these points, then speak with your supervisor. They will be able to provide you guidance or point you towards relevant literature or people.

Over the next few slides, we shall look at how you can obtain consent from an individual participating in your research. We shall also look at their rights to withdraw their self or data from the research project. I will also signpost you to relevant material/documents needed.

Data Collection and Management (2)

Explain your project clearly to participants
Informed consent must be sought before any data is collected
Participants must be fully informed, this includes:
- the purpose, methods and data that will be collected and why
- what participation entails and what risks it may involve
- how the participant can withdraw from the study
Consent must be provided freely, they must decide without coercion
Consent is a process
- it is not just a signature on a form
- it is an iterative process where information is shared, and concerns are addressed
Important documents you need:
- Participant Information Sheet - Template
- Participant Information Sheet - Guidance

When it comes to collecting data from people, it is most important that you get their consent. It is not just as easy as asking them the question: are you willing to participate in my questionnaire or survey? You need to provide a little more detail and get them to fill out the participant information sheet, which is linked on the screen.

On this sheet, you will need to clearly explain the purpose of your project. You will want to try and be concise and clear to the participant on your intentions and the data you are looking to collect. Try and use language that is neutral and understandable to the participant as they may not be a cyber-security enthusiast and understand ambiguous terms such as “penetration testing”… they may think it is something entirely inappropriate.

I also cannot reiterate enough that this consent must be sought before any form of data is being collected. You must clearly state the following:

the purpose and method in which data will be collected; you must be transparent and provide reasons as to why you are collecting their data and how it is going to be used
what does their participation entail in the project; are there any risks involved with them participating;
you will also need to fully disclose their rights to withdrawing from the study; this may include just withdrawing,
and no more data will be collected; but it could also include them withdrawing any data collected up and until their withdrawal

Now, I know there are some social engineering enthusiasts amongst the students. However, do not use these skills to coerce your participants into signing the consent form. The participants’ consent must be provided freely, and that means without influence or some sort of gratuity in return. No form of payment or reward must be exchanged for data. It is best to see that consent is a process between you and the participant. It will not just be a signature on the form, it is an open dialogue between two people, where information will be shared and any concerns will be addressed.

Data Collection and Management (3)

Withdrawal of Participation

You must clearly state to participants that they have the right to withdraw
- they can do so without providing a reason and without any repercussion
Withdrawal is often split into two methods:
- withdrawal of self
- withdrawal of data
When data is archived or stored, it can potentially affect the withdrawal of the data
Specific consent must be obtained if data is going to be kept longer than necessary

Withdrawal of Self

Participants refuse to answer particular questions
They refuse to participate in a particular aspect of the study
Or, end all forms of participation midway through the study

Withdrawal of Data

Participants should be able to withdraw their data
- this can be done to the point where you cannot reasonably exclude it
This moment of withdrawal can be different for each project

As I have said, the participant of your research has the right to withdraw from the study. Therefore, you must clearly state this in your information sheet. Remember, they will have the right to withdraw without providing a reason and repercussions being placed upon them. It is generally wise to keep in mind that they are providing their own time and thoughts for free, why would you want to burn bridges or make harm to any respect you may have between one another.

The participant have two methods of withdrawal:

Show the Next Fragment

Withdrawal of self, this is where the participant retains rights to refuse to answer particular questions or refuse to participate in a particular aspect of the study; they also retain the right to be able to remove their participation midway through the study

Show the Next Fragment

Withdrawal of dat, and this is where the participant retains the right to withdraw any information collected that is based upon their participation; this may be done at any stage in the project whereby you cannot reasonably refute their request. The moment in which this withdrawal can happen is different for each project, and you will need to consider this in the design of your research

Finally, you will want to consider the long-term use of the data that you collect. If you are going to be archiving or storing the data you have collected, then it may affect the withdrawal of the data. You may be required to obtain special consent from the participant if you are going to keep the data for longer than necessary. If you need further information on how long data can be kept for, check with your supervisor.

Data Collection and Management (4)

Online Surveys

There is a single approved site for survey data collection, Online Surveys
If you require an account, contact IT Services:
- telephone: 02477 657 777
- or visit them at the library on the ground-floor
You cannot use Survey Monkey, Google Forms, Microsoft Forms, etc.
- if you want to use alternative survey software, you need to get approval via the Information Governance Unit

It is common to see students distribute surveys amongst each other when it comes to collecting results. When it comes to creating a survey, there is a single approved site for data collection and that is Online Surveys previously known as Bristol Online Surveys, or BOS for short.

You will not have an account created automatically, as such, if you need to create an online survey then contact IT Services with the details shown on the slide. I cannot emphasise enough, there is no other survey website that is approved by our ethics board for result collection. Therefore, you must use this website to collect your results. You cannot use Survey Monkey, Google Forms, or Microsoft Forms for collecting your data.

If you have identified in your project proposal and research design that you are using a questionnaire of some-kind, then get the ball rolling now and ask IT Services to begin creating your account. I do not know what their response time turn-around is, and therefore, you may want to begin thinking about doing this now.

Data Collection and Management (5)

Participants of Surveying

The ethics application should include information about participant sample and recruitment
You should consider the following when writing the consent document:
- potential conflicts of interest
- whether the participant has the capacity to provide consent
- how is the information presented in the participant information sheet?
- how is consent being obtained? consider the language — is it clear to the reader?
If you cannot get written consent, alternative forms of consent must be evidenced

When it comes to collecting the data and seeking consent, you will want to think about the participant. When you create your ethics application, it should contain information about participant sample and recruitment. Is there a particular kind of participant you are looking for? If so, how will you go about recruiting them? You will also want to think about the number of people you are sampling. We are not interested in you sampling family and friends, we need a broader demographic and people who will not be biased to replying favourably.

Therefore, think about the audience you need to survey. What is the population size of this audience? Are there any tools or calculators online that can help you work out the number of participants you require for your study?

You will also want to consider the potential conflicts of interest. For example, asking your best friend to fill in an online survey for your implementation of something is going to gather results that are bias. They may be more positive about your application as they are your friend and may not want to hurt your feelings. The same can be said for any close relative or family member.

I have touched upon this previously, ensure the language being used in the participant information sheet is clear. Try and not use terms that are ambiguous and without a thorough explanation. The person participating in the research must fully understand the project, and any ambiguity in language will not make it clear for them and could result in withdrawal.

Finally, if you are unable to get written consent from the person, you may want to seek an alternative method. This may be in the form of an audio and visual recording of the person giving consent. I say audio and visual as in this day and age, an audio recording is not enough evidence. Especially if said person has prior audio recordings readily available on the internet and these can be used to train a language model to impersonate them.

Data Collection and Management (6)

Risk and Harm

Highlight any risk or harm to the researcher(s) and participant(s)
Provide details on how you will minimise and manage it
Harm could be something relatively low in impact, but likely to happen
- it could also be less likely to happen, but have a major impact
Harm is considered to be:
- personal and physical safety
- psychological and emotional
It can come from several areas
- i.e. handling and storage of materials, travel and remote working, personal data collection, etc.

Do not forget to include information on any potential risk or harm that you or the participant may be subject to. You will want to provide details on the potential issue and how you may go about minimising and managing it.

The term harm may be something that is relatively low in impact, but is most likely to happen. It could also be something that is less likely to happen but have a major impact. It may be something such as personal and physical safety, but it may also be something psychological and emotional, and we have a duty of care and well-being when it comes to collecting data.

As we are talking about cyber security and you all being some form of enthusiast in this area, you will also want to consider the legal aspects of your project. There is also risk and harm that may sit within the realms of this area. As such, you will want to consider watching Terry’s lecture on the social, professional, legal and ethical considerations of a research project.

Data Collection and Management (7)

Anonymity and Confidentiality

Anonymity is concerned with making the data anonymous
- achieved by removing the contributor name and any other identifiers
Confidentiality is concerned with:
- the protection of the data collected, this is during the research project and after
- ensuring that those who have access to the data maintain confidentiality
  - i.e. not discussing issues which may identify an individual, or disclosing any information an individual may have said
There may be a likelihood that confidentially is broken
- must be for a good reason and explained prior to any data collection
- prior explanation can be given in the Participant Information Sheet

You will want to ensure that the data you collect is anonymous (where applicable). This may involve removing certain identifiers or characteristics of the data collected that may be used to identify the contributor. Confidentiality, on the other hand, is concerned with the protection of the data that you have collected. This factor should be taken into consideration during the research project itself and after.

With your confidentiality hat on, you will want to ensure that those who are accessing the data also maintain the confidentiality. For example, you will want to ensure that any issues being discussed are not detailed enough whereby the participant may be identifiable.

However, we are all human after all and there may be the likelihood that confidentiality is broken, either by accident or on purpose. If it is the latter, then there must be a good reason and explained prior to any data being collected. This prior explanation can be provided in the participant information sheet, and I cannot emphasise how important this document is.

Data Collection and Management and Management (8)

Why is data management required?

Before applying for ethical approval, consider the data management during and after the collection period
Be mindful of the data policies for retention
Describe your data management and storage protocol in your application
Consider where you shall be storing the data:
- electronic data: Coventry University Microsoft OneDrive account
- paper data: consider somewhere that is secure and cannot be accessed by other people
If you plan to share the data with other people, you need to make this clear in your ethics application
- also make it clear in any participant documentation, i.e. the Participant Information Sheet
Consent forms from participants must be kept secure and separate from the research data
- View the policy document for more information

The last thing I want to touch upon about data collection is the aspect of data management. There will need to be some form of discussion in the ethics application about how you will manage data collecting during and after the period of collection. You will want to be mindful of any data policies that may exist for retention.

You will be expected to describe your data management and storage protocol in your application. Will you be storing this data on an unencrypted USB stick — I would hope not! Instead, you will possibly want to encrypt the data (or at least ensure it is password protected) or store it on the OneDrive cloud storage.

If there is actual paper documentation, then you may want to consider storing it somewhere secure that cannot be accessed by other people. A safe deposit box or a suitcase with a padlock would suffice. Ideally, something that would hinder or make it more difficult for an individual to gain access to the paper documents.

If you are going to be sharing this data with other people, including your project supervisor, then you should make this clear in the ethics application and the participant documentation.

Finally, the consent forms you receive from participants, which will be signed, should be kept secure and separate from the research data. This is due to identifying details that may be found on the consent form. View the linked policy document for more information about this.

Ethics Application

Ethics Application (1)

Level of Risk

Low Risk

Often purely secondary research
- i.e. analysis of published data
Literature-based reviews, systematic reviews, critical and service evaluations
Desk-based research where critical analysis is the principal method of research
Projects that use publicly available statistics

Medium Risk

Often primary research
- i.e. collecting data from human participants via surveys, questionnaires, observations etc

High Risk

Often primary research
Research with a high impact of risk
Sensitive research, whether primary or secondary
Submitting for ethical approval outside the university
Work with vulnerable samples with additional risks involved

When you have submitted your ethics application, you will be presented with a level of risk for your project. This can be either low, medium or high. Anything flagged as high risk will automatically be rejected by the supervisor, and you will need to re-think about your project and how you go about conducting your research.

For a low-risk research project, it is often associated with purely secondary research. Remember, this is where you are analysing data that has already been published in journal articles or data-sets obtained from online resources. This is often known as “desk-based” research, whereby a critical analysis is the principal method of research.

A medium-risk project often falls within the realms of primary research. This would generally arise if you are collecting information from human participants in the form of surveys, questionnaires or observations. It is often common to see most projects being of a medium-risk with third-year students due to their reliance on capturing feedback from participants. Remember, if you are using any form of observation, questionnaire or survey, you must:

provide a participant information sheet
obtain their consent
and use the OnlineSurveys tool for your questionnaire/survey

Finally, high-risk is also often associated with primary research, but there is a level of high impact risk. Your project may be flagged as high-risk if there is an element of sensitive research, whether this be primary or secondary research. Typically, anything concerned with performing some aspect of social engineering on a participant will be flagged as high-risk and will not be allowed to continue. This also goes for performing penetration-testing attacks on live services offered by third-party companies. There have been incidents in the past, and we do not want to have a repeat.

Ethics Application (2)

Common Issues and Mistakes

Lack of detailed explanation on how ethical issues will be addressed in the research
Lack of information regarding any risk assessments and health and safety
Missing documentation
- i.e. questionnaire, interview guides, participant information sheet and consent forms etc.
Incomplete applications or missing relevant sections
Inconsistent information in the application and supporting documents

There are often common issues that arise when it comes to students submitting their application. Often it is associated with a lack of information. When you fill out the ethics form, you will be asked a series of questionnaires, and you will need to answer these honestly and to the best of your ability.

Do not worry if you get something wrong, your project supervisor will have first refusal on accepting the document, and if something is flagged as “medium” or “high” risk, it will be returned to you to rectify. However, some tips to ensure that this process is completed as smoothly as possible:

provide as much information as possible, this does not mean just copy and paste from your project proposal
- identify risks and ethical issues and discuss how they will be addressed
provide all the relevant documentation
- are you doing a survey or questionnaire? provide a copy of the questions as these need to be vetted before you can use them; provide all necessary documentation for the participant, i.e. participant information sheet, consent forms, etc.
fill out all the areas on the application form and ensure you are providing content for those sections that are also relevant
finally, make sure all your information is consistent and align to the research project and supporting documents

Mistakes can and do happen, so as I say, do not worry if you make a mistake; the supervisor will return the application to you to make the necessary changes; sometimes providing commentary on what needs to be done. But! Make sure you follow their comments and not just re-submit the same application with no changes. I have seen this happen a few times, and it’s infuriating to have to continuously reject the application and changes not be made.

Ethics Application (3)

Post-Ethics Approval

Follow the procedures outlined in your ethics application
Use only the documents you have approval for and that were included in your application
- i.e. participant information sheet, questionnaires, consent forms etc.
Follow your data management plan
Failure to comply with the above will be subject to ethical misconduct

Amendments to your Ethics

Amendments must be submitted if the research project develops beyond the scope of the original application
An amendment must be in place and approved before any of the changes can be implemented
Contact the EEC Ethics team for the local amendment process:
- E-Mail: ethics.eec@coventry.ac.uk

Once your ethics application has been accepted, you can finally begin the journey of your research project. However, this does not mean you can discount this as an exercise to pass the module. You must adhere to the procedures that you outlined in the ethics application, and this means sticking to the research questions that you have provided in this application.

If you want to add another question to the survey, then you will need to seek guidance from your supervisor. Depending upon the nature of the question, it may mean amending the ethics application in which you will need to contact the EEC ethics teams.

You will also need to ensure that you follow the data management plan outlined in the application. If you have mentioned that your data will be stored on Microsoft OneDrive, or the Coventry University GitHub service, then you need to ensure this is where the data is stored; and can be accessed by your supervisor. I would recommend giving your supervisor “managing/editing” access to any folders or GitHub repositories. This will enable them to share the folder to second markers etc.

Goodbye

Goodbye (1)

Questions and Support

Questions? Post them in the Community Page on Aula
Additional Support? Visit the Module Support Page
Contact Details:
- Dr Ian Cornelius, ab6459@coventry.ac.uk
- Mr Terry Richards, ac6860@coventry.ac.uk