Do you need to Name the Sponsor in Human Factors Studies?
Despite GDPR being law since 2018 in EU and subsequently the UK, we are commonly asked by client legal teams “Do we need to name the Sponsor in participant-facing study materials, even if they do not receive personal data? To help align understanding we’ve prepared this short article and a free downloadable checklist to ensure HF studies are run in a compliant manner.
Back to the question, do you need to name the Sponsor? Under the UK and EU General Data Protection Regulation (GDPR) the answer is clear: Yes. Naming the sponsor is a legal requirement rooted in GDPR principles for transparency, accountability, and informed consent.
Q1. Why Naming the Sponsor Matters under GDPR?
GDPR defines a data controller as the entity that determines the purpose and means of processing personal data. Personal data is information that allows the identification of an individual. Examples for HF studies include participants’ names and images/videos identifying features such as the participants’ face. In HF studies, the data controller is often the Sponsor, the company commissioning the research. Even if they never access the raw data (for example study videos or transcripts), they set the scope, objectives, and methodology. Fundamentally, an HF consultancy would have no requirement to collect personal data unless instructed to by an Sponsor who is commissioning the research. That makes the Sponsor the controller.
Under GDPR, study participants must be made aware of the data controller during the consent process. An example would be via informed consent forms; documentation required to introduce the study and gain consent from the participant to take part. Using vague terms like ‘our client’ or ‘the sponsor’ fails the transparency test. Participants have a right to know exactly who is behind the research.
In some instances, naming the Sponsor could have an undesired influence on the study participants. In rare cases, Sponsors may be named later in the data collection process but participants should be presented with assurances and an opportunity to withdraw their consent to participate at this point. Our approach is to name the study sponsor in the recruitment screeners and informed consent forms, but not in the study script for the study session itself. This keeps the participant informed, whilst limiting potential pressures or influence on the participants’ responses.
Q2. What if the Sponsor doesn’t know the participant’s name and only watches remotely?
Streaming HF sessions to Sponsor introduces new risks:
- Real-time transmission of identifiable data
- Cross-border data flows
- Unclear access controls
If clients are watching live sessions, they are actively involved in processing. Even if they don’t record or store the footage, their role must be disclosed. Best practices include:
- Informing participants that sessions are streamed
- Naming all parties with access
- Using secure platforms with encryption
- Limiting access to authorised personnel only
Q3. The data will be anonymised before the client receives it. Do we still need to name them?
Yes. GDPR applies at the point of collection, regardless of later anonymisation. Participants have a legal right to be told how their data is being used and informed of the company that has commissioned the research.
Q4. What if I am collecting data on U.S. citizens?
GDPR does not directly apply to U.S. Citizens. To make matters more complex, the U.S. does not have a single, comprehensive federal data protection law. Instead, privacy is covered by a mix of stat-level laws (e.g. California Consumer Privacy Act (CCPA), sector specific regulations (e.g. HIPAA for health data, COPPA for child data). A common theme across various US laws and regulations is the principle of transparency, promoting ethical research practices where naming the Sponsor is considered best practice.
In summary, it is widely recognised within the global research community that transparency is a foundational principle of ethical research. Unless there is a legal requirement not to disclose the identity of the Sponsor, our recommendation is to adopt this practice as default during the recruitment and consent process. If you’re interested to learn more and ensure your HF study is GDPR compliant, download our free checklist by completing the form below:
To download a copy of the GDPR checklist please fill in the form below:
By submitting this form I accept Rebus Medical’s Privacy Policy.