
Effective tailoring of the usability engineering process according to IEC 62366-1

How much effort is really required?

April 2025

Executive Summary


This article examines how the usability engineering effort for medical devices can be adapted to the situation at hand without losing sight of the regulatory requirements. The international standard IEC 62366-1:2015 specifies requirements for the usability engineering process in the development of medical devices. It focuses on reducing use errors that can arise from inadequate usability and that ultimately pose a risk to patients, users or third parties. The standard is deliberately process-oriented so that it can accommodate different device types, risk levels and development scopes. For exactly that reason it leaves a certain amount of leeway to adjust the scope of the usability engineering activities and tailor them to the development project in question.

Adjusting the usability engineering effort (often called “tailoring” in English) is an integral and necessary part of applying IEC 62366-1 to medical devices. It allows manufacturers to adapt the usability engineering process to the specific characteristics of the medical device, in particular its user interface, and its intended use. By considering factors such as the complexity of the user interface or the severity of the potential use-related harm, a manufacturer can derive arguments for implementing a tailored, efficient and yet comprehensively safe usability engineering process. This article explains in detail how to go about this in practice.

1 Objective of tailoring the effort

Tailoring (adjusting the scope) serves the goal of carrying out the usability engineering process in proportion to the type of product, the risk level and the context of use. Above all, the activities needed to identify potential use errors and minimise their risk must be carried out in full depth. The effort for documentation, analysis and evaluation can thus be scaled efficiently without giving up key insights.

Tailoring the usability engineering effort therefore gives the manufacturer the opportunity to adapt certain activities. At the same time, the manufacturer remains responsible for ensuring that the existing safety requirements for medical device development are met. When making such a process adjustment, it is therefore essential to know why the respective adjustment is possible. Every adjustment should be backed by appropriate arguments and documented. The overriding goal remains the production of safe and effective medical devices.


3 Which factors influence the adjustment and the extent of the usability activities?

In clause 4.3 of IEC 62366-1:2015 the standard names several factors that can be cited as justification for adjusting the usability engineering process effort within a given medical device development. Both the amount of effort and the choice of methods and tools used to carry out the usability engineering process can be adjusted on the basis of the following factors:

Size and complexity of the user interface: The standard mentions that the size and complexity of the user interface can be used as the basis for arguing an adjustment of the usability engineering effort. A more complex user interface typically requires a greater usability engineering effort to identify and mitigate relevant use errors than a simple one. The terms “size” and “complexity” can be interpreted in various ways and may include aspects such as the heterogeneity or the number of interaction elements.

Severity of the harm associated with the use of the medical device: This follows the reasoning that products whose incorrect operation can lead to severe harm should go through a more intensive usability engineering process for risk minimisation than products with a potentially low severity of harm. Answers here come primarily from the severity definitions in the in-house risk matrix and from the detailed analysis of the hazard-related use scenarios.

Extent or complexity of the use specification: A broad or extensive variation of intended uses, users or use environments indicates the need for a high usability engineering process effort, whereas a simple use specification with only one user group and a clearly delimited use environment may justify a lower effort.

Presence of a user interface of unknown provenance (UOUP): If a medical device has a user interface of unknown provenance as defined in IEC 62366-1:2015 (Annex C), the considerably reduced usability engineering process set out there can be applied to reduce the effort. Put simply, a UOUP is a user interface from an already developed medical device for which no adequate records of a usability engineering process according to the current standard are available. Here, however, it pays to look closely and to check precisely whether the prerequisites defined in the standard for applying the UOUP process are met before heading down this path.

Extent of the change to an existing user interface of a medical device that has already undergone the usability engineering process: For minor modifications to medical devices already approved in accordance with the usability engineering process, the usability engineering effort can be concentrated on the changed elements of the user interface and their effects on the use of the product. If the modifications do not affect the user interface and the use specification, no additional usability engineering effort may be required. The decisive question here is often: does the modification lead to new potential use errors that result in risks in an unacceptable range?

Having briefly discussed the fundamental factors that can be used as the basis for arguing an adjustment of the usability engineering process, this is illustrated below with practical examples.

2 The basis for tailoring

Since medical devices and their user interfaces can vary greatly in terms of complexity, use environment and potential risks, it is not always necessary or practicable to apply the usability engineering process to the same extent for every product. IEC 62366-1:2015 acknowledges this and allows the usability engineering effort to be adjusted. The rationale lies in the need to make the process flexible so that it can be adapted to the specific characteristics of the medical device and its intended use. The regulatory basis is provided by clause 4.3 “Tailoring of the usability engineering effort” of IEC 62366-1:2015, which explicitly addresses this possibility.

4 Practical application examples

To illustrate the factors set out above in practice, two medical devices with very different user interfaces and contexts of use are compared below.

Figure 1: Comparison of medical devices

A lancet for blood glucose measurement is used as an example of a medical device with a user interface that could justify a low usability engineering effort. Possible lines of argument could cover the following aspects:

  • User interface of low complexity: One could argue that the user interface of this manually operated lancing device for capillary blood sampling in diabetics usually consists of a mechanical release button and a simple depth setting via a rotary mechanism. In addition, the device contains no software components. The human-product interaction is thus limited to a few clearly defined steps.
  • Low assumed severity of harm: The analysis of the identified hazard-related use scenarios could yield a low to medium severity of harm (e.g. minor injury without the need for medical treatment and a low risk of infection).
  • Low complexity of the use specification: One could argue that the user profiles can be clearly defined and that users are usually familiar with the device.

Consideration of an integrated anaesthesia workstation with ventilation, monitoring, gas supply and touchscreen control, on the other hand, could conclude that extensive usability engineering activities are necessary. This finding rests on the following points:

  • User interface of high complexity: The medical device has a wide range of user interfaces. In addition to several display levels with touch control, these can include an alarm system and numerical inputs.
  • High assumed severity of harm: The analysis of the hazard-related use scenarios yields severities of harm in the high to critical range (e.g. in connection with missing ventilation during induction of anaesthesia or the delay of life-saving measures) as a consequence of possible use errors.
  • High complexity of the use specification: This medical device is likely to be operated by different user groups. The use specification could therefore comprise several intended user profiles, such as anaesthetists, nursing staff or technicians, which in turn require configurable, highly individual user profiles.

The brief comparison of these medical devices shows how differently the individual factors can be assessed. This results in corresponding leeway for adjusting the scope of usability engineering.

5 How to proceed, and which activities can be adjusted?

The standard and the associated technical report IEC TR 62366-2:2016 point to activities of the usability engineering process that must be carried out without exception, whereas there is more room for manoeuvre with other activities. We recommend the following approach.

Step 1: Create the basis for the decision

As mentioned at the beginning, the standard focuses on safe medical device development. To ensure this, the following important basic activities must first be carried out:

  1. The conceptual description of the user interfaces (user interface description) of the medical device, including the safety-related user interface characteristics
  2. The creation of a use specification
  3. The performance of a use-related risk analysis by means of
    • analysis of the available post-production / post-market information (the focus here is on known use errors that can lead to use-related risks), and
    • analysis of all hazard-related use scenarios (the focus here is on potential use errors that can lead to use-related risks)

Ideally, this information is based on extensive user research activities and on a sound in-house database of complaints. This should be supplemented by thorough research in relevant databases. Added to this is the systematic identification of potential use errors when drawing up the hazard-related use scenarios.

Figure: Relevant activities for tailoring

Step 2: Analyse the influencing factors

Once detailed knowledge is available in the form of the user interface description, the use specification and the use-related risk analysis, a detailed analysis of the influencing factors named above can be carried out, for example by working through the complexity of the user interface and of the use specification as well as the assumed severity of harm.

Step 3: Define and document the number and scope of the further usability engineering activities

Depending on the completeness and level of detail of the use specification and on the known and possible use errors, the scope of the further usability engineering activities is now defined. This primarily covers the further scope of

  • User research activities: The scope depends on the extent of existing gaps in the use specification, for instance regarding user groups, prevailing workflows or use environment specifications.
  • User interface design iterations: Depending on the complexity, this ranges from a few design loops to extensive iterative development cycles. Design iterations should always be planned hand in hand with formative evaluations.
  • Formative evaluations: These serve to identify problems in the use of user interfaces that are not yet mature, in order to carry out design optimisations on that basis. The number and depth of these evaluations can vary, can be controlled to a certain extent (for instance through the choice of evaluation methods or the number of participating test users) and often depend on the scope and status of the available user interface prototypes.
  • Summative evaluation activity: This serves to provide objective evidence that the use-related residual risk is at an acceptable level. The usability test is the method most commonly used here. The scope of a summative evaluation is determined by the risks and the variety of the hazard-related use scenarios and the associated user groups. If changes to the user interface have to be made after the summative evaluation, additional evaluations may become necessary if further use-related risks could be caused by the changes. These can, however, be concentrated on the affected interactions or parts of the interface.

Important: think of the deliverable. In particular, the number and scope of the formative usability evaluations to be carried out and the methodology of the summative evaluation should be recorded in the user interface evaluation plan.

Conclusion

IEC 62366-1:2015 enables a flexible, risk-based approach to applying the usability engineering process. This is sensible and at the same time necessary in order to achieve an optimum of safety, effort and product quality. Tailoring the usability engineering effort allows manufacturers to make this process efficient by adapting its scope to the specific risks and the complexity of the product. Strategic tailoring, i.e. a bespoke definition of the usability engineering activities, makes it possible to reconcile regulatory compliance and economic efficiency in the development process. Take this time at the start of your development process to gain clarity here and save yourself a great deal of effort later in the project.

When tailoring, however, always make sure your argumentation is coherent in order to ensure compliance with the requirements of IEC 62366-1:2015. One final remark: IEC 62366-1 concentrates strictly on applying the usability engineering process to optimise the usability of medical devices with respect to safety. More extensive usability activities may therefore not be regulatorily required and not necessary to “get through”. However, these additional activities frequently lead to precisely the user-centred improvements that ultimately determine user satisfaction in everyday work and thus decide the success or failure of your product.

Disclaimer

The information on norms and standards presented in this article has been set out to the best of our well-founded experience. It reflects solely the opinion of the author. No guarantee can be given for the completeness, currency and accuracy of the information. Standards are subject to regular revisions and changes that cannot always be reflected here immediately. This article does not constitute binding standards advice and does not replace a review of the applicable standards by qualified experts or official bodies. For the application and interpretation of the standards, the currently valid original documents and the responsible standardisation organisations are always authoritative.


Navigating data privacy regulations in formative and summative usability testing: A comprehensive guide

Empower your usability testing activities starting by respecting your test persons.

Introduction

In the ever-evolving landscape of professional usability testing, ensuring data privacy and security is more than a compliance necessity—it’s a commitment to trust and transparency.

Navigating privacy and data laws in usability testing can be complex due to the constant updates and legal jargon. What essential knowledge do usability professionals need to stay compliant?

This comprehensive guide will help you navigate the complexities of data privacy regulations like GDPR, CCPA, CPRA, and beyond, ensuring that your formative and summative usability testing practices according to IEC 62366-1 and the FDA guidance “Applying Human Factors and Usability Engineering to Medical Devices” are not only compliant but also respectful of participant privacy.

We created this guide to help answer those questions. We’ll cover everything from:

  • The importance of data privacy and confidentiality in usability testing
  • Information about privacy regulations like GDPR, CCPA, and CPRA
  • Compliance tips for usability professionals
  • Additional resources on privacy and data laws

Ensure you consult your legal team to confirm that your usability testing practices comply with current laws. Use this guide as a reminder to handle user privacy and data with greater intention and care during your evaluation activities.

Why data privacy matters in the Usability Engineering Process

Privacy and confidentiality in usability testing are critical not just for compliance but for maintaining the trust of your participants. When participants feel their data is secure, they are more likely to engage openly, providing richer and more valuable insights and being open about the root cause of use errors that occurred during the test sessions. Effective usability testing relies on this trust, making it essential to prioritize data privacy from the outset.


Importance of privacy in Usability Testing

Usability testing of medical technology often involves participants sharing personal data about themselves, and everyone has different expectations when it comes to privacy. For usability engineers, accommodating these varying privacy preferences while complying with privacy laws should always be a priority. Ensuring privacy in usability testing not only protects participants but also enhances the quality of the research and testing outcomes.

Privacy should be considered throughout the entire testing lifecycle—from recruitment to data storage post-evaluation. This proactive approach not only protects participant information but also upholds ethical standards. When participants trust that their data is handled with care and transparency, they are more likely to provide honest and comprehensive feedback, leading to more accurate and useful insights.

Here’s a graphic that outlines how GDPR affects usability testing during each phase of the project:

Figure: How GDPR affects usability testing during each phase of the project

The role of privacy regulations

Several key privacy laws impact how usability experts handle participant data. Understanding these regulations is crucial for managing participant data responsibly and transparently. These regulations establish the legal framework for data protection, ensuring that personal data is collected, processed, and stored securely. By adhering to these regulations, usability engineers can protect participant privacy and avoid legal pitfalls.

Understanding key privacy regulations in the EU – General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a comprehensive data protection regulation that applies to organizations handling the data of EU residents. Implemented on May 25, 2018, GDPR mandates strict data handling practices and imposes significant penalties for non-compliance, including fines of up to 4% of annual global turnover or €20 million, whichever is higher.

Key GDPR Requirements for Usability Experts

  • Manual Opt-ins: Participants must actively opt-in for their data to be processed. Pre-checked boxes are not permitted.
  • Minimal data collection: Collect only the data that is essential for your evaluation scope.
  • Informed consent: Ensure participants understand what data you collect and why, using clear and concise language.
  • Data security: Implement robust security measures to protect participant data from unauthorized access and breaches.
  • Participant rights: Participants can request access to their data, corrections, and deletion.

Looking overseas – US & Canadian regulations

In the United States, there is no single, comprehensive federal regulation equivalent to the European Union’s General Data Protection Regulation (GDPR). Instead, data privacy and protection are governed by a complex patchwork of federal, state, and sector-specific laws, each targeting specific aspects of data privacy and protection. Businesses operating in the U.S. must navigate this intricate regulatory landscape and comply with relevant federal laws and the specific state laws where they operate or have customers. For businesses working internationally or with a significant presence in both the U.S. and EU, it is crucial to establish robust data privacy practices that can adapt to various regulatory requirements. Here is an overview of major regulations to be considered:

Federal regulations

  1. Health Insurance Portability and Accountability Act (HIPAA): Protects sensitive patient health information.
  2. Gramm-Leach-Bliley Act (GLBA): Protects consumers’ personal financial information.
  3. Children’s Online Privacy Protection Act (COPPA): Regulates the online collection of personal information from children under 13.
  4. Federal Trade Commission (FTC) Act: Prohibits unfair or deceptive business practices, which includes certain privacy and data security practices.
  5. Personal Information Protection and Electronic Documents Act (PIPEDA): Canadian law governing the collection, use, and disclosure of personal information in the course of commercial activities.

State regulations

California Consumer Privacy Act (CCPA): The California Consumer Privacy Act (CCPA) offers similar protections to GDPR but is specific to California residents. It was signed into law in 2018 and aims to enhance privacy rights and consumer protection. Key CCPA requirements for usability professionals are:

  • Transparency: Clearly communicate data collection practices to participants, including what data is collected and how it will be used.
  • Opt-out Options: Provide easy mechanisms for participants to opt-out of data sharing and collection.
  • Data access and deletion: Allow participants to request access to their data and deletion upon request. Make this process straightforward and accessible.

California Privacy Rights Act (CPRA): The California Privacy Rights Act (CPRA), which took effect on January 1, 2023, expands upon CCPA, offering additional rights and protections. CPRA mandates more stringent data handling practices and greater transparency. Key CPRA Requirements for Usability Professionals:

  • Expanded rights: Participants can restrict the use and disclosure of sensitive information.
  • Opt-out consent: Ensure participants can easily opt-out of data collection, enhancing their control over personal information.

Virginia Consumer Data Protection Act (VCDPA): Provides similar rights to consumers as the CCPA.
Colorado Privacy Act: Another state-level regulation with consumer rights and business obligations akin to the CCPA.
New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act: Requires businesses to implement safeguards to protect the private information of New York residents.

We recommend consulting the guidance and resources provided by the European Commission and, for Great Britain, the UK Information Commissioner’s Office for the most up-to-date and accurate best practices for GDPR/UK GDPR compliance.

Best practices for compliance

6 steps to ensuring GDPR compliance in usability tests

The GDPR is the most robust global privacy law in effect today, but it shouldn’t be scary! Designed to keep pace with how the world has changed, it helps people make sense of and control how their data is used. Understanding and sharing the experiences and perspectives of the people we learn from means processing a lot of personal data. So, understanding and complying with laws like GDPR is critical to ensuring safe, legal, and ethical research and usability testing. Here’s how to ensure your practices are GDPR compliant:

Step 1: Familiarize yourself with the basics

Get to know the GDPR requirements and principles to ensure you understand your obligations as a researcher or tester. The GDPR outlines specific rules around data protection, including consent, transparency, and data minimization. To help you get started, we’ve written a short guide to GDPR for User Research, introducing you to the principles, people’s rights, legal bases, and other general terms.

Step 2: Map your current data flows

Knowing what you are doing right now is an excellent place to start. Perform a data audit of your research and testing practices to understand what personal data you collect, how it is used, where it is stored, and who has access to it. A clear picture of your current practice will help you identify potential GDPR compliance issues and areas for improvement.

Because we often work in our own ways, doing this with your wider team can give you a clearer understanding of how data is handled across your team. We created a Data Mapping Workshop to help you run this remotely or in person. Once you’ve mapped out the types of data you collect, where they’re stored, and who has access to them, you can transfer this into one of the central documents of GDPR compliance – your Record of Processing Activities (ROPA).

The ROPA is a document that contains information about an organization’s processing of personal data. It provides:

  • A detailed description of the type of personal data being processed.
  • The purpose of the processing.
  • The categories of data subjects.
  • The recipients of the personal data.
  • Any cross-border transfers of personal data.

The ROPA is an essential tool for GDPR compliance, as it helps organizations demonstrate their accountability and transparency concerning their processing activities. Organizations are required to maintain an up-to-date ROPA and make it available to supervisory authorities upon request.

Step 3: Make friends with your DPO

The GDPR requires an organization to appoint a Data Protection Officer (DPO) if:

  • The organization is a public authority or body.
  • The organization’s core activities require large-scale, regular, and systematic monitoring of individuals (for example, online behavior tracking).
  • The core activities consist of large-scale processing of Special Category Data or data relating to criminal convictions and offenses.

The DPO’s job is to assist your organization to:

  • Monitor internal compliance.
  • Advise on your obligations under data protection laws.
  • Advise and guide you on Data Protection Impact Assessments (DPIAs).
  • Act as a point of contact for data subjects (in our context, your participants) and the data protection authorities.

If you have a DPO, this guide will help you start those conversations on the same page. Here are some questions you might want to ask:

  • Could you see the existing ROPA?
  • What is the current process for Data Protection Impact Assessments (DPIA)?
  • How do we currently handle Data Subject Rights requests?
  • How are incidents or breaches reported and managed?
  • How does the DPO review processors?
  • How are cross-border transfer mechanisms handled?

If you don’t have a DPO at your organization, you’ll still need to complete the following steps. Not having a DPO doesn’t exempt you from GDPR compliance.

Step 4: Implement data protection by design and by default

The practice of Usability Ops is to develop systems and services that enable usability testing to happen within an organization. When designing those systems or services, we can use design principles to help us factor in these considerations.

The core ideas behind Data Protection by Design and Default are embodied in the seven fundamental principles of Privacy by Design:

  • Be proactive: Prevent privacy issues before they happen. Develop a culture of privacy awareness across your team.
  • Privacy by default: Protect participants’ data without requiring them to do anything.
  • Design with data protection in mind: Consider data protection from the start.
  • Avoid trade-offs: Incorporate all legitimate objectives while complying with obligations.
  • Implement robust security measures: Use access controls, encryption, and pseudonymization.
  • Transparency: Be clear with participants about what data you collect and how you use it.
  • Prioritize participants’ interests: Give them control and appropriate notice if things change.

Data protection by design ensures that you comply with the fundamental principles and requirements of the GDPR and forms part of the focus on accountability.

One way to implement data protection by design and default into your usability testing practice is by using Data Protection Impact Assessments (DPIAs). You’ll need to do a DPIA whenever you plan to:

  • Embark on a new project involving the collection of personal data.
  • Introduce new IT systems for storing and accessing personal information.
  • Participate in a new data-sharing initiative with other organizations.
  • Initiate actions based on a policy of identifying particular demographics.
  • Use existing data for a “new and unexpected or more intrusive purpose.”
  • Review or audit an existing system or activity.

Article 35(1) states that you must do a DPIA where processing operations are likely to result in a high risk to the rights and freedoms of individuals.

Step 5: Obtain valid consent

Ensure that you have obtained valid and informed consent from research and testing participants, clearly and understandably. Participants should have the right to withdraw their consent at any time. During the process of obtaining consent, you’ll need to evidence:

  • The information disclosed to your participant at the point of obtaining consent.
  • Precisely how your participant was asked for consent.
  • When your participant gave their consent.

Consider the participant’s experience during this phase. Ensure the format is accessible and in plain language. Make sure information is disclosed in the participant’s first language.

Step 6: Implement appropriate security measures

It’s essential to make sure that personal data is safe and secure throughout the evaluation process. This may include pseudonymization, encryption, and access controls to protect against unauthorized access, loss, or theft of personal data. Your data map from step 2 should highlight the security measures you have in place across your usability testing workflow. Some quick wins that can dramatically improve your security are:

  • Use a password manager or Single Sign-On (SSO) for account management.
  • Enable Two-Factor Authentication (2FA) on all accounts holding your participants' data.
  • Use dedicated tools with encryption and access controls for larger data sets, such as your participant database or research repository.

Cross-border transfers

Cross-border transfers under the GDPR involve moving personal information from the EU or EEA to a third country. The GDPR has strict rules to protect people's personal information during these transfers. Although personal information can be transferred for valid reasons like business or legal purposes, the transfer must comply with GDPR rules so that people's rights remain protected.

The GDPR requires that the data controller or processor transferring personal data outside the EU/EEA must ensure an adequate level of protection for the data. This might mean:

  • Obtaining explicit consent from the data subjects.
  • Signing a data processing agreement with the recipient.
  • Relying on specific legal mechanisms, such as standard contractual clauses or binding corporate rules.

Implementing compliance in usability testing

Practical tips for GDPR, CCPA and CPRA compliance

  • Informed consent: Develop detailed consent forms that are easy to understand and separate from other agreements. These forms should clearly explain what data will be collected, how it will be used, and participants' rights.
  • Data processing awareness: Understand your organization’s role in data processing, whether as a controller or a processor. Ensure that all third-party tools and services used comply with GDPR requirements.
  • Participant control: Implement systems that allow participants to access, correct, and delete their data easily. This includes setting up processes for responding to data requests promptly.
  • Sensitive data caution: Justify the need for collecting sensitive data and ensure additional safeguards are in place to protect this information. Regularly review and update data protection measures.
  • Documentation and record keeping: Maintain thorough records of all data processing activities, including consent forms, data audits, DPIAs, and any data breaches. This documentation demonstrates compliance and provides a clear trail for auditing purposes.
  • Minimal data processing: Process only the most necessary personal information for your research and testing purposes. Avoid collecting excessive data that does not serve a clear purpose.
  • Updated privacy policies: Regularly update your privacy policies and notices to reflect any changes in data collection practices or regulatory requirements. Ensure that these documents are easily accessible to participants.
  • Data retention policies: Establish clear policies for data retention, outlining the types of data collected, their purposes, and the duration for which they will be stored. Regularly review and delete data that is no longer needed.
  • Breach prevention: Implement robust security measures to prevent data breaches, such as single sign-on (SSO), two-factor authentication (2FA), and complex password requirements. Regularly conduct security audits and updates.
  • Opt-out options: Make it easy for participants to opt out of data collection or limit the sharing of their information. Provide clear instructions and options in your consent forms and privacy policies.

Practical application of GDPR in Usability Testing: Key Takeaways

Collecting and processing information on users and their behavior is essential for making informed decisions in user research and usability testing. Here are five key takeaways for applying GDPR in your practices:

  • Understanding personal data: GDPR defines personal data as any information that can identify a person, directly or indirectly. This includes names, contact numbers, addresses, social media handles, and combinations of data points like cultural or social identity, economic background, job title, and location.
  • Ownership and collection of data: The 'owner' of personal data is always the individual (the participant). GDPR ensures individuals have control and ownership of their data, allowing them to retract or edit it as needed. Data 'controllers' are responsible for determining what data to collect and how it will be processed.
  • Recording consent: Consent must be recorded accurately, capturing who consented, when they consented, what information was given, and how they consented. This ensures transparency and protection for all parties involved.
  • Data storage duration: While there is no maximum time limit for storing personal data, it is advised to store it only as long as necessary for the project. Anonymized data, which cannot be traced back to an individual, can be stored longer and used for creating research tools like user archetypes and personas.
  • User control over data: Under GDPR, data 'owners' have the right to erasure (the 'right to be forgotten'), allowing them to request deletion or editing of their data. Anonymized data, however, falls outside this jurisdiction.
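The consent evidence listed in Step 5 (what was disclosed, how and when consent was asked), the pseudonymization from Step 6 and the right to erasure above fit together in one small data model. The following Python example is added here to show that model in working code; it is not code from the original post. It assumes a hypothetical in-memory store and a secret pseudonymization key that would, in practice, be held separately from the research data (for example in a secrets manager); participant names and e-mail addresses in the usage section are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical secret. It is stored apart from the research data, so the
# pseudonyms in the consent log and observation notes cannot be linked back to
# a person by anyone who only obtains those files.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of a direct identifier (here: an e-mail address).

    A plain SHA-256 of an e-mail address is reversible by guessing; an HMAC
    under a secret key is not. Normalizing case and whitespace keeps the same
    person mapped to the same pseudonym across sessions.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    # 16 hex chars (64 bits) is ample for a study cohort; keep the full digest
    # if the store must scale to millions of participants.
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


@dataclass
class ConsentEvent:
    """One row of the consent evidence trail required in Step 5."""
    participant_id: str   # pseudonym, never the name or e-mail address
    timestamp: str        # when consent was given or withdrawn (UTC, ISO 8601)
    notice_version: str   # which version of the consent text the participant saw
    notice_hash: str      # SHA-256 of that text: evidence of what was disclosed
    method: str           # how consent was asked for: "web form", "signed paper", ...
    granted: bool         # False records a withdrawal


@dataclass
class ParticipantStore:
    # pseudonym -> identifying data; the only place real identifiers live
    directory: dict = field(default_factory=dict)
    # append-only evidence trail: never edited, only extended
    consent_log: list = field(default_factory=list)
    # pseudonym -> session notes collected during testing
    observations: dict = field(default_factory=dict)

    def record_consent(self, email, name, notice_text, notice_version, method,
                       granted=True, now=None):
        pid = pseudonymize(email)
        if granted:
            self.directory[pid] = {"email": email, "name": name}
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        notice_hash = hashlib.sha256(notice_text.encode("utf-8")).hexdigest()
        self.consent_log.append(
            ConsentEvent(pid, stamp, notice_version, notice_hash, method, granted))
        return pid

    def has_valid_consent(self, pid):
        """The most recent consent event decides; a withdrawal overrides earlier grants."""
        events = [e for e in self.consent_log if e.participant_id == pid]
        return bool(events) and events[-1].granted

    def add_observation(self, pid, note):
        # Refuse to collect anything for a participant without current consent.
        if not self.has_valid_consent(pid):
            raise PermissionError(f"no valid consent on record for {pid}")
        self.observations.setdefault(pid, []).append(note)

    def withdraw_and_erase(self, email, notice_version, method, now=None):
        """Right to erasure: drop identifying data and notes, keep the evidence trail."""
        pid = pseudonymize(email)
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        # The withdrawal itself is logged so the trail shows who withdrew and when.
        self.consent_log.append(
            ConsentEvent(pid, stamp, notice_version, "", method, granted=False))
        self.directory.pop(pid, None)
        self.observations.pop(pid, None)
        return pid

    def anonymized_summary(self):
        """Aggregate figures that no longer relate to an individual; safe to retain longer."""
        consented = [pid for pid in self.directory if self.has_valid_consent(pid)]
        return {
            "participants_with_consent": len(consented),
            "observation_count": sum(len(v) for v in self.observations.values()),
        }


if __name__ == "__main__":
    store = ParticipantStore()
    # Constructed sample participant, not a real person.
    pid = store.record_consent("Alice@example.org", "Alice Example",
                               "Consent notice text, version 1", "v1", "web form")
    store.add_observation(pid, "completed task 1 without assistance")
    print(store.anonymized_summary())
    store.withdraw_and_erase("alice@example.org", "v1", "e-mail request")
    print(store.has_valid_consent(pid), store.anonymized_summary())
```

The design choice worth noting is that withdrawal appends to the consent log rather than deleting from it: the log is the evidence that consent existed while the data was processed and that the withdrawal was honoured, and it contains only pseudonyms, so the identifying record and the session notes can be erased without leaving the trail inconsistent.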

Conclusion

Navigating data privacy regulations can seem daunting, but with the right approach and understanding, it becomes a manageable part of the usability testing process. By prioritizing transparency, consent, and data security, researchers and testers can ensure compliance while building trust with participants.

Call to Action

Ready to take your usability testing to the next level? Start implementing these best practices today and ensure your research and testing is compliant, ethical, and trustworthy. Join us on this journey to better usability testing practices that respect and protect participant privacy.

By following this guide, UX researchers and usability testers can navigate the complex world of data privacy regulations with confidence, ensuring that their research and testing practices are both compliant and respectful of participant privacy.


A Blueprint for Success in User Research Field Studies

Precision in Preparation, Perfection in Practice

Introduction – Navigating the Technical Terrain of User Research Field Studies

User research field studies are essential for understanding how users interact with products in real-world environments. In our daily work with high-tech and complex products and critical HMI systems, we continually face the challenge of providing deep insights that surpass the traditional boundaries of conventional user research. This is achieved by focusing on meticulous technical preparation and execution, so that proven methods are integrated with the specific setups of the existing use environments in which we observe and interview users. This blog post explores the crucial technical considerations that ensure every observation and data point collected during our user research field studies is accurate, secure, and valuable.

User Research in real Use Environment

Ensuring Pristine Audio Quality: Hear Every Detail


Audio clarity is crucial for obtaining accurate user insights. Clear audio recording ensures that nuanced user interactions, comments and feedback are captured effectively. Poor audio quality can obscure user responses and, in the worst case, lead to misinterpretations that skew the study's results. To counteract this, we use high-quality clip-on microphones adept at minimizing background noise and enhancing speech clarity. Depending on the workflow and the cooperative tasks, it is necessary to track more than one user in parallel. Having enough microphones on site, as well as a backup, saves essential time by avoiding the need to repeat observations because not every user's voice could be tracked simultaneously. Techniques such as placing lapel mics on participants, along with strategically positioning ambient microphones, ensure that every spoken word is captured with precision, as well as the noise levels surrounding the observed human-machine interaction. To ensure everything runs smoothly as soon as the observation starts, a technical check of charging levels and audio channel activations via laptops and tablets dedicated to technical monitoring and settings guarantees reliability and quality.

Audio Technology for User Research

Example Scenario

Consider a study conducted in a busy production plant where multiple conversations and the background noise of machinery could interfere with the participants' feedback. By employing directional microphones and adjusting their sensitivity, we can effectively isolate the participants' voices, ensuring that critical insights are not lost in the ambient noise.

Comprehensive Video Coverage: See the Full Picture

The optimal use of camera configurations ensures comprehensive visual insights. Video documentation in user research field studies offers a visual account that is invaluable for later analysis. It allows researchers to observe non-verbal cues and interactions that might go unnoticed in audio-only recordings. We recommend employing multiple camera angles to capture a full spectrum of interactions, ensuring that nothing is missed. Our practice involves using both fixed and mobile camera setups to provide comprehensive coverage that brings every user interaction into focus. This can be achieved with tall camera stands that provide a bird's eye view, combined with eye-tracking and POV (point of view) glasses with cameras, as well as mobile cameras on gimbals. If interactions on specific static user interfaces are of interest, cameras that allow a detailed view of these interfaces can be mounted close to them with holders.


Example Scenario

In a field study observing the use of a new handheld device, cameras are strategically positioned to capture both the participant’s facial expressions and hand movements, along with a head-mounted camera that provides insights into the overall attention of the user. This multi-angle setup allows analysts to observe how users physically interact with the device, focusing on their attention and emotional reactions, thereby offering a comprehensive view of the user experience.

Synchronization of Data Streams: A Unified View

Streamlining data is essential for cohesive analysis. Synchronizing audio, video, and other data streams is crucial for creating a cohesive understanding of user interactions. Time-stamped data enables researchers to align insights from various sources accurately, enhancing the analysis process. At USE-Ing., we utilize advanced synchronization software that integrates all data streams in real-time, ensuring that every piece of information is contextualized within the broader scope of the study. This approach is particularly useful when multiple data streams are recorded and captured in parallel, potentially saving significant time during the analysis phase later on.

Example Scenario

During an observational study at an aircraft maintenance training session, audio recordings of the instructor, video of the trainees, and digital logs of the training software are synchronized. This allows us to analyze how instructions are followed and identify any discrepancies between the spoken directives and the actions taken by trainees.

Procedure Documentation: The Blueprint of Success

Detailed checklists and procedure descriptions guarantee flawless execution and reproducibility. Accurate documentation of the research procedure ensures consistency and reproducibility, which are crucial for validating the study's findings. Our method includes comprehensive checklists and step-by-step guides that cover every phase of the research, from preparation to execution and post-study analysis. This meticulous approach ensures that every team member understands their role and responsibilities, reducing the likelihood of errors and oversights. Like precisely ticking clockwork, the entire research team can work together effectively and efficiently during the research study trip thanks to a well-structured check-up conducted just before. This allows each member the mental space to focus on the substantive and methodological aspects of the observation.


Example Scenario

In a multi-phase study evaluating user interaction with a new surgical device, each step from the setup of the operating room, through the actual operation, to the post-operation analysis is documented. This not only ensures that procedures are followed precisely but also aids in training new researchers and providing clear data paths for follow-up studies.

Data Security and Privacy: Safeguarding Sensitive Information

Ensuring robust protocols for protecting user data is a fundamental responsibility for today's user research professionals. In today's digital age, securing personal and sensitive data is more critical than ever, especially in user research, which often handles large volumes of personal information. We adhere to stringent data security protocols, including encrypted data storage, secure data transfer processes, and compliance with global privacy regulations such as GDPR. The process begins well before the actual site work, starting from when consent for data capture is planned and requested, documents are prepared, and participants are briefed. This proactive approach helps both the research team and the participants feel comfortable in their roles onsite, enabling them to adhere to the research plan without the need for onsite improvisation. Our commitment to data security not only protects our research but also builds trust with participants, ensuring they feel safe and respected throughout the study.

Example Scenario

When conducting field studies that collect sensitive health data from participants, we take care that consent is obtained beforehand and that all data are encrypted at the point of collection and transmitted to our secure servers via encrypted channels. Access to this data is strictly controlled, ensuring that only authorized personnel can view or analyze the information, maintaining participant confidentiality and data integrity.

Conclusion – Mastering technical aspects for Insightful Outcomes


By focusing on these five key areas, we ensure that every study is built on a foundation of technical excellence that leads to reliable and actionable insights. These insights did not come overnight, nor did the optimization of the processes and procedures associated with them. Rather, it has been a journey of constant learning and improvement through many years of experience and practice. We understand that the success of a user research field study hinges not only on methodological expertise but also on how well the technical aspects are managed, which are subject to constant change. Therefore, we are committed to continuously reflecting on and adjusting our approach as opportunities for improvement are recognized. Our team looks forward to these future experiences.

In embracing these principles, we invite you to join us on a journey toward a deeper understanding and enhanced user experience, where every technical detail is a step towards perfection in practice.

Stay tuned for more insights and behind-the-scenes looks at how we are pioneering the future of user research and usability engineering.


Evaluation of the STIMULATE Usability Lab

A step into the future of medical technology through collaborative usability testing

The world of medical technology never stands still, and at the heart of this relentless development is the indispensable need to continuously improve the safety and effectiveness of medical devices. A shining example of this progress is the usability lab designed by USE-Ing. at the STIMULATE research campus. This initiative is not only a testament to technological innovation but also to the fruitful collaboration between renowned institutions and companies.

Innovative collaboration for forward-looking solutions

The creation of the usability laboratory with a focus on iMRI (interventional magnetic resonance imaging) is the result of the joint efforts of Otto von Guericke University, USE-Ing. GmbH and Hannover Medical School. This specialized environment was developed with the aim of addressing the unique challenges and requirements of interventional radiology. Equipped with a simulated interventional room, an interactive MRI model, a control room and an observation room, the lab provides a comprehensive platform for studying clinical workflows, identifying challenges and improving the usability of medical equipment.

Usability Test for medical devices

Success through partnership & technology

A recent interim evaluation as part of the BMBF-funded STIMULATE research project has proven the efficiency of the laboratory by demonstrating its ability to simulate MRI-assisted liver biopsy procedures as an exemplary use case. This success was made possible by the collaboration with renowned partners such as the University Medical Center Magdeburg, BEC GmbH and IGEA S.p.A. Their expertise and dedication not only made this development possible, but also made it extraordinarily fruitful.

Our role as USE-Ing. & the importance of usability tests

We at USE-Ing. see ourselves as a key player in this project, as we were able to demonstrate our expertise in the field of human factors and usability engineering. The combination of quantitative measurement methods such as eye-tracking and motion-tracking, paired with classic usability test methods, significantly shaped the evaluation objective. The innovative character was additionally reinforced by the collaborative evaluation concept, whose true added value lies in the mapping of real workflows. Several test subjects, a radiologist and a radiology assistant, went through the usability test and their respective collaborative tasks in parallel. This orientation strongly influences the test design and the work of moderators and note-takers.

Cooperative Usability Tests

By providing comprehensive services ranging from context of use analysis, usage risk analysis, user interface design and user interface evaluations, we are compliant with relevant standards such as IEC 62366 and ISO 14971. These services are critical to ensuring the safety and effectiveness of medical devices, minimizing risks and ultimately improving patient care.

Future prospects & the potential for further innovations

The usability laboratory at the STIMULATE research campus and the involvement of USE-Ing. impressively demonstrate how research, development and practical application can go hand in hand. This project serves as a model for future research and development projects and offers a glimpse of what can be achieved through collaborative usability tests in the future.

Formative Usability Tests

The successful implementation of this milestone at the STIMULATE research campus underlines the importance of collaboration between science, industry and medical institutions. It is living proof that by combining expertise, commitment and innovative technologies, the boundaries of what is possible in medical technology can be constantly expanded. We would like to thank all our partners, especially VDI Technologiezentrum GmbH for their exemplary management, for their contribution to this success, and we look forward to continuing to work together to set new standards, drive innovation and report on this in the near future.

STANDARDS & REFERENCES

  • Show Case Video: Collaborative Usability Testing
  • IEC 62366-1: Part 1: Application of usability engineering to medical devices (IEC 62366-1:2015 + COR1:2016 + A1:2020); German version EN 62366-1:2015 + AC:2015 + A1:2020
  • DIN EN ISO 14971: Medical devices – Application of risk management to medical devices (ISO 14971:2019); German version EN ISO 14971:2019 + A11:2021