RESEARCH PLEDGE

These best practices are to help ensure that your research study involving Fitbit user data is consistent with Fitbit’s dedication to protecting user privacy and furthering meaningful health and wellness research. Your study must also comply with all applicable laws and regulations and any agreements that you have with Fitbit.

Please review carefully the requirement below: if you publish research findings, you must mitigate the risk that research subjects may be re-identified, given that some Fitbit user data may be publicly available on Fitbit or on social media.

* * *

You must obtain informed consent from research subjects or, in the case of minors, from their parent or guardian. This means providing enough information about the research to enable an informed and voluntary decision to participate, including:

  • What data will be collected, how it will be used and shared, and with whom;
  • The privacy and security measures in place to protect the data;
  • The nature, purpose, and duration of the research, and the benefits and risks of participation;
  • Whom to contact with questions; and
  • How to withdraw from the study.

Your research study must be reviewed or approved by an independent ethics review board charged with protecting the rights and well-being of research subjects. For example, an Institutional Review Board constituted pursuant to 45 C.F.R. §§ 46.107-115, or another body with the authority to approve, modify, or disapprove research, could provide this review.

Your research study must abide by data use limitations that respect the privacy and autonomy of research subjects, for example:

  • Minimize your collection and use of personal data, meaning data that directly identifies an individual, or that could reasonably be linked to an individual by an anticipated data recipient. Do not collect, analyze, retain, or disclose more personal data than needed for the purposes specified in the informed consent. Other data protection best practices include:
    • Limit access to personal data to members of your team who have a genuine need to know.
    • Whenever feasible, conduct data analyses using coded, de-identified datasets, with all fields that directly identify an individual removed. When data is no longer needed in an identifiable form, be sure to permanently de-identify it.
    • Where appropriate, use tiered access within your research team, for example, confining access to data that directly identifies an individual, while allowing more team members to access de-identified data for analysis.
    • Do not use or share with third parties any personal data for new research studies, or for any purpose different from the original study purposes, without obtaining a separate informed consent from research subjects, unless an exemption applies under applicable law. For example, see 45 C.F.R. § 46.104, or the EU’s GDPR Article 6(4), Recital 50.
    • Put in place appropriate data governance structures, including training for researchers on applicable privacy standards, and data protection impact assessments as appropriate or required by law.
    • If you or your research subjects are located in the US, and you do not have one already, apply for a Certificate of Confidentiality from the National Institutes of Health. In some circumstances, such a certificate protects the data from compelled disclosure to third parties.
  • If you create Fitbit accounts for research subjects, do so in a way that does not reveal their identity. For example, do not use their real name or email address, and default their account settings to the most privacy-protective option available.
  • Never use personal data in a way that is likely to cause damage or distress to research subjects. Never sell the personal data of research subjects. Never use it for advertising, marketing, re-identification, adverse decisions about employment or insurance, or any data mining or analysis for purposes other than health or wellness research.

If you share information about the research data set outside of your organization, for instance, by publishing your research findings, you must mitigate the risk of re-identification of research subjects. In particular, certain Fitbit user information, like users’ daily step counts, may be publicly visible on Fitbit in accordance with users’ privacy settings, or on social media if users choose to post their information there. When selecting your de-identification technique or assessing the re-identification risks, you must consider whether your research datasets could be linked to this publicly visible information. Other best practices for de-identification include:

  • Wherever possible, provide summary-level aggregate data rather than individual-level de-identified data.
  • If you must share individual-level de-identified data, instead of publishing the data publicly, provide it selectively to others only for purposes of peer review, subject to contractual commitments by the recipient not to disclose or attempt to re-identify the data.
  • If you must publish individual-level de-identified data, you must do so in compliance with all applicable laws and, at a minimum, either use an accepted de-identification technique, like differential privacy, to preserve confidentiality, or obtain an expert determination that the risk of re-identification is very small, consistent with the HIPAA standard provided in 45 C.F.R. § 164.514(b)(1).

You must give research subjects control over their personal data. Research subjects must have the ability to withdraw at any time from the research study, which should include an option to delete their personal data or, at a minimum, remove it from future research studies.

You must maintain data security by using technical, administrative, and physical controls that are appropriate to the sensitivity of the data, meet or exceed industry standards, and are reasonably designed to protect against unauthorized access, use, or disclosure of the data. At a minimum, the following should be deployed: data encryption, access controls, logging, auditing, confidentiality requirements, data use policies (including incident response and breach notification plans, as applicable), and training.