An informed consent checklist for people who do Research Ops

Phil Hesketh
5 min readJun 23, 2020

TLDR; Informed consent is complex and requires knowledge of ethics, data management, how you recruit participants (including any tools you use) and the regulations which affect your work. We’ve been working hard at Consent Kit to make a checklist to help you get your team up and running.

Firstly, you’re not alone! The global Research Ops community now has over 5000 members 💪❤️, with hundreds more being added regularly.

The community is doing amazing things: sharing knowledge and answering questions of not only what we need to do to enable researchers, but also, as demand for insight grows within organisations: how we scale that.

From the 8 pillars of User Research, by Emma Boulton.

There is a lot to go at! 😅

For me, frameworks like this are invaluable; when I’m trying to wrap my head around what Research Ops is and where and how I start to create a strategy for action.

Our focus at Consent Kit is split between the governance pillar, recruitment and admin and data knowledge and management. Specifically: informed consent and how people who do research ops can establish a robust and scalable informed consent process using software as a service.

Informed consent goes way beyond a single consent form. It overlaps a broad range of the functions and processes outlined in the pillars above, all the way from recruitment to actually deleting or anonymising research data.

The “maybe-not-so-obvious” risks involved

Thinking about informed consent as a system is complex. What is required varies depending on the circumstances in which the research is being carried out. It’s not just what we need to disclose in the consent form, but also the implications of the promises we make. Despite being a legally binding document, it is so often treated as an afterthought.

As an individual researcher, you might have your own system for managing these things. You know where the data is, and where your consent forms are. The challenges start to appear when you try to scale that. What if you have 10, 20 or 100 researchers? What if everyone is working remotely, or across multiple locations? What happens when someone leaves or moves teams? We’re moving so fast these days, that it’s too easy to drop the ball — and all of this administration takes time away from doing the actual research.

So, how do we actually respect our participants rights and support the things we promise to do?

In an informed consent document, you’d typically see the following covered in one form or another:

  1. The purpose of the research and what the participant can expect from taking part
  2. What will be recorded, how it will be managed and who will have access
  3. The participants rights and how they can exercise them

To communicate these points honestly requires a knowledge of: how data is managed by your researchers, any regulations applicable to you, the rights your participants have and how you will support the fulfilment of those rights, should participants choose to exercise them.

Who is asking?

Beyond the implications of living up to these promises, there are also potential pitfalls in how you recruit participants. In my experience as a researcher, recruitment is one of the most time consuming aspects of the job. Using a service to find the right people can be a massive help.

Obtaining consent through a third party can become problematic when viewed from a perspective of compliance. For instance, GDPR has the concepts of Data Controllers and Data Processors. If someone else is obtaining consent on your behalf (and they are acting as your data processor), but you’re collecting and managing the research data (and acting as a data controller) you have no evidence that you have permission to use any of the data you’re holding — but you shoulder all of the responsibility.

Furthermore, how are you able to support participants’ rights, such as their right to access that information or their right to withdraw?

It gets messy pretty quickly. Without prior knowledge of research ethics, how you recruit, data governance and the applicable compliance in your field and country of study, (and assuming you actually have the headspace to sit down and think about things like this in the first place) it’s extremely challenging to understand all of these things and arrive at a practical, scalable solution.

This reminds me of a quote from Autul Gawande’s brilliant Checklist Manifesto:

“The complexity of our collective knowledge has exceeded the capacity of any individual to get everything right.”

Throughout the book, Gawande cites examples of the humble checklist minimising risk when carrying out complex procedures. Used by airline pilots to surgeons — no matter how experienced they are.

Could this approach also work for people who are trying to standardise and scale informed consent in their organisation?

The Informed Consent Checklist, version 1.0

Here at Consent Kit we’ve been beavering away on what this could look like and how it might work. I’m excited to share our first iteration of the Informed Consent Checklist for Research Ops.

Because the content and processes needed to support informed consent are so particular to individual situations, we’ve made the checklist configurable to your needs. You can currently define your checklist based on:

  • If you are working with “special category” data, and
  • If your research involves children.

Initially we are supporting researchers working under the GDPR. We’re already working on adding CCPA and PIPEDA support in there too for our North American friends — although a fairly consistent global strategy is to implement GDPR first and adjust for local regulations, so what we have right now will already be useful. Our ultimate ambition is to make this into a global thing. Let us know if you’re working in a region not covered by any of these regulations and we will do our best to include them.

We’re also linking into the wider Research Ops community to solicit feedback and additional use cases we’ve not included yet. If you’re a member of the community, please reach out to me directly on there (@Phil).

The Roadmap

We’ve got a few things planned already around how we could improve this, but we’d love to hear your thoughts and ideas too. Next up, we’ll be adding:

  • Support for CCPA (California privacy law)
  • Support for PIPEDA (Canadian privacy law)
  • Handling incentives
  • Information security

Let us know what we’re missing. Thanks for reading, and I’m looking forward to hearing from you!



Phil Hesketh

I understand complex problems and make things to try and fix them. Lateral thinker. Dot connector. Father of cats. Founder of and