Privacy when using Mailchimp/Mandrill server for emails (REDCap feature)

[John S.]

Hello,

My question is about participant privacy when using a Mailchimp/Mandrill email server in REDCap.

Do any of you use this feature of REDCap? If so, what is your stance on privacy when using it?

In their privacy policy, Mailchimp clearly state to not use their service to send or display confidential information ("Please do not use Mailchimp to send or display confidential information.") and state that they sometimes review the content of emails sent through their services to ensure that everything is in compliance with their Terms of Use.

When sending survey invitations through REDCap, the emails obviously contain links to empty surveys. However, if a participant completes only a portion of the survey and clicks on "save and continue later" (or if the "Allow respondents to return and modify completed responses" survey setting is selected), the link in the email now leads to a completed survey (partially or fully), and thus, a survey that now contains research data/personal information. It is then possible to link the email address that the email was sent to, to the link to survey link in said email.

So if we use this Mailchimp/Mandrill feature in REDCap, we end up using a private transactional email service provider (Mailchimp) to send links to participants to questionnaires that, once completed, effectively become links to research data. And this provider (in its privacy policy) clearly states not to use its service to send or display confidential information, and that it sometimes review the content of emails sent through it.

I don't know if I am being clear and if you understand the delicate confidentiality and ethical issue/gray area we are facing, but if you do, we would like to have your opinion on the matter. Do you have any advices? Do you share our concerns? Your answers might help us navigate this with our ethics committees.

Thanks in advance,

John 

[Peter Macisaac (POP)]

Haven seen any other responses

I would think that for  your concern to occur

"

Someone would need to “hack”. Or access  the mail chimp server or the recipients mail service after they had partially completed a redcap survey 

Theoretically possible, but not something I. Have heard of.   Hopefully mail chimp and redcap encrypt their data at rest on their servers so that would be less of a problem

Your concern also applies to REDCaps own ability to send surveys (not using mail chimp)

Like all such issues it is a risk assessment and management issue (there is no absolute security)

Risk low  - likely impact low (unless you are collecting bank account details, passwords etc) - usual response do not be concerned or 

If you felt you needed to do something then advising g the participant to complete and send the form not save to return or of a theoretical risk if they do

Peter

--
You received this message because you are subscribed to the Google Groups "redcap open" group.
To unsubscribe from this group and stop receiving emails from it, send an email to redcap_open...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/redcap_open/a5e5396a-cd84-4c7a-bc76-18568f416d4cn%40googlegroups.com.