Wear-IT Privacy

Wear-IT is a flexible framework that is designed to collect only the data that are required by the scientific study or studies in which you are enrolled. That is, if the studies you are enrolled in do not require location data for a scientific purpose, Wear-IT does not collect that data. All scientific studies must be approved by the Independent Review Board (IRB) at a scientific or medical institution. The IRB is an independent body responsible for ensuring that all studies follow the latest best practices and guidelines for scientific research, including for the data collection, storage, and analysis of data, and for sharing of scientific results.

What kind of private or sensitive data does Wear-IT collect?

Data may be collected passively from smartphone sensors, or actively by asking the user to respond to a series of questions or other tasks. The data collected by the app depends on the Study in which the participant is enrolled. Before enrolling in a Study, participants must complete an Informed Consent document that explains what kinds of data are collected by the Study as well as any risks associated with data collection. Sensitive data collected passively by the app usually requires the user to grant permission. Examples include:

• Location - Studies may request access to collect additional information, including your location. If you let us, we will collect this information even when you are not using the app; it will be analyzed with your other data to address the study’s scientific goals. You may opt out of data collection, although if the study uses adaptive or responsive messaging or visualizations, these may be more limited without location data.
• Passive smartphone and wearables sensor data such as Location and Proximity data (Proximity data includes device UUID and radio signal strength indicator (RSSI))
• Video, Audio, and Photos
• SMS (Text messages), 3rd party app usage, and other social media data
• Biometric data provided by wearables or the smartphone
• Combinations of data points that may not be considered private by themselves (i.e. zip-code + age)

What kind of data does Wear-IT collect that is not considered private?

Not all of the data collected by Wear-IT is considered private or sensitive data, however all data is transported and stored securely regardless of its sensitivity. Examples of non-sensitive data include:

• General Survey data
• Psuedo-anonymous identifers generated in the app (i.e. a randomly generated participant id)
• Analytics and Usage data

What do we do with the participant data we collect?

Data is collected in the context of a Study that has been approved by an Institutional Review Board (IRB), which ensures that data collection and analysis is performed ethically. Any data made available outside of the research team is stripped of any information that can be used to identify individuals or groups of participants. The primary point of the data collection is scientific research; we work with scientists in various fields to help understand and improve people’s lives, but this may include using the data in a variety of ways. In the course of the Study we:

• Store the data on our servers (and sometimes on your phone)
• Adjust the collection of other data through Wear-IT, for example by sending additional surveys or changing survey questions
• Analyze the data to answer important scientific questions
• May create visualizations of the data to provide insights to you or in anonymized form to other interested people (e.g. scientists or policymakers)
• May publish findings in academic publications or professional/academic conference proceedings
• May present findings at professional and/or academic conferences
• We may also collect analytics data not connected to the research study, but related to app usage, in order to improve our systems

How do we store participant data?

Data is stored in a database located in our secure data facility, with access provided only to authorized individuals strictly based on need to access the data. All data is encrypted during transport using industry standard encryption. Participant data may be temporarily stored on the participant’s device, for example when a network connection is not available, however, most data that is not relevant to the participant is deleted from the device as soon as it is uploaded.

How do we identify participants in the data?

Participants are assigned a randomly generated participant id. We store this id and a device token in our database to ensure that a given participant is correctly associated with his or her data and the participant id is sufficiently unique to distinguish between users. By themselves, the participant id and device token are not enough to connect the participant id to an actual individual. However, researchers may keep a separate list of participants that links a generated id to an individual. When this is the case, this list is stored securely by the researcher in a manner that is completely separate from the Wear-IT app or server. For example, a researcher might keep a list of participant ids connected to email addresses on paper in a safe in her office, in order to facilitate future contact with the participant.

What protections are in place for participants?

In addition to the general human subjects research protections provided by applicable state and federal laws, the following protections are in place for users of Wear-IT:

• Each study undergoes IRB review
• Data collected is stored securely
• Data is anonymized and disconnected from personal identifiers before it is stored, published, or presented
• Any personal identifiers linking data to a particular individual are stored completely separately from the data and the Wear-IT system
• Participants may leave a Study at any time and may request data be deleted per individual studies
• Participants may be covered by additional Human Subjects Research protections not specifically mentioned here

Who has access to participant data collected in the course of a Study?

Access to collected data is strictly controlled. To access the data, primary researchers must be authorized for the particular study and approved by IRB. Additionally, researchers must undergo periodic training and maintain certification in ethics, conflicts of interest, proper data handling, and human subjects research. Data may also be accessed from time to time by technical support personell as needed in the course of providing and maintaining functional operation of our systems. Anonymized aggregate statistics (e.g. how successful an intervention was across all participants) may be shared publicly via scientific publications or presentations, or in reports to scientists, policymakers, or other stakeholders. No private data will be shared outside the research team.

How can a participant opt out of private or non-private data collection?

The following options are available to participants who wish to opt out of data collection:

• Participants may leave a study at any time, with no penalty or fear of retribution
• Participants may always skip individual items that they are uncomfortable with
• Participants may request their data be deleted
• In some cases, participants may refuse to grant permission or even revoke previously granted permission for the device to collect certain types of data (I.e. GPS data)

How can a participant obtain a copy of data collected in the course of a study?

In addition to pertinent visualizations that may be provided to a participant within the app, data may be provided by the research coordinator upon request. Please contact your study coordinator to find out if and how this is possible.

How can a participant request data be deleted?

Please contact your study coordinator

What if a participant has a question that is not answered here?

Please use our in-app contact form, in the Contact Us section of the side menu of the app.

Are there any more privacy resources available that apply to the use of Wear-IT?

Please see Penn State's Web Privacy Statement