Walking you through the nitty-gritty of collecting data and keeping it secure
Obviously, what data you collect and how you do so will vary hugely from study to study. But there are a few important things to note about the data collection process.
Firstly, you must record the Prolific IDs of your participants. Currently, Prolific cannot link to your data-collection software, so you need to record Prolific IDs on your end in order to know who has contributed to your study. Whether you do this via a QueryString (recommended) or by using a direct question in your survey is up to you. If you don’t record Prolific IDs, you won’t be able to reject participants for submitting poor quality data, as you won’t know what data belongs to whom. Relatedly: ensure that your completion URL is working correctly, and that it submits a matching completion code back to Prolific. If you don’t do this, it becomes even harder to know who has completed your study and who hasn’t!
Secondly, You must store these Prolific IDs carefully. If you are considering releasing your data on an open data sharing platform such as OSF or a university data repository, then you should remove the Prolific IDs.
Thirdly, it’s important that you only collect data sufficient to perform your stated purpose. Don’t log IP addresses or deliver cookies to your respondents just because you can. Consider carefully what data you need, be transparent that you're collecting it, and don’t collect more than that.
Fourthly, keep your data secure. Your level of security should be appropriate to the risk, “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”. In other words, if your study is a short questionnaire on personality, it’s pretty low risk and your security system doesn’t need to be Fort Knox. But, if you’re collecting data on mental health or drug usage (for example), then you need to put considerable security in place: think encryption, pseudo-anonymization, two-factor authentication, strong passwords, user access control and access logging.
Regardless of whether your study is low or high risk, you need to document your security processes and have procedures in place for monitoring the success of those processes. If you have further questions, then your institution should have a Data Protection Officer who can provide more detailed advice.