Use of Third-Party Vendors for Recruitment and Screening
Third-party vendors can help recruit and screen potential research participants, but they also introduce privacy, security, and oversight considerations. Before using these tools, investigators must ensure that participant information is protected and that NIH requirements are met.
Overview
Study teams may choose to use third-party vendors, such as Buildclinical, Qualtrics or other companies, to support recruitment or screening activities. These tools can facilitate recruitment, but they often involve collecting personally identifiable information (PII) outside of NIH systems.
In many cases, the vendor collects PII directly from individuals and then shares it with the NIH study team. Some vendors may also store or use that information for their own purposes. Because NIH does not control how vendors manage data once it is collected, investigators must carefully evaluate these services before using them.
This is especially important when sensitive information is collected. Depending on the type of data involved, participants could face privacy, legal, or social risks. In addition, if a vendor’s website appears to be affiliated with NIH—for example, by using NIH branding—participants may not realize they are providing information to a third party.
What Investigators Must Do
If you plan to use a third-party vendor, complete the following steps before using the service:
Describe the Vendor in Your Protocol
Clearly explain how the vendor will be used, including:
- What information will be collected
- How information will be shared with the study team
- What privacy and security protections are in place
- How participants will be informed about the vendor’s role
Contact Your IC Information Security Office
Confirm that the vendor meets NIH information security requirements.
Review the Vendor’s Terms and Privacy Policy
Carefully review the vendor’s terms of service and privacy policy to ensure they:
- Do not allow inappropriate sharing or use of participant data
- Do not create additional risk to participants
Consult Your IC Privacy Officer
Determine whether a Privacy Impact Analysis (PIA) is required.
- You may need to include a Privacy Act notification on the vendor’s website
- This notice must explain how participant information will be collected, used, and protected
Ensure Appropriate Use of NIH Branding
If the vendor’s platform uses the NIH name or logo:
- Confirm that this use is allowed
- Ensure it complies with NIH branding policies
If You Are Already Using a Vendor
- Stop using the vendor immediately
- Complete all required reviews and approvals before resuming use
If a data breach or suspected breach occurs:
- Notify your IC Information Security Officer immediately
- Follow NIH breach reporting procedures. Further information is available in NIH Policy 1745-2.
Key Takeaway
Third-party vendors can be helpful, but they require careful oversight. Investigators are responsible for ensuring that participant information is protected and that all NIH requirements are met before using these tools.
Related Resources
- NIH Policy on the Use of NIH names and logos
- Guidance for Agency Use of 3rd party websites and applications
- NIH Social Media Policy
- Privacy Act FAQs including information about the Privacy Impact Assessment process
- Your IC privacy coordinator point of contact
- Your IC Information Security Office point of contact