Privacy and Confidentiality in On-line Surveys: How can you be sure?
A major concern of student service deans and directors who may want to survey their students is ensuring students’ privacy and the confidentiality of student responses. Such concerns are understandable, especially given the well-publicized instances of breaches of even highly classified information, and the possible, if rare, legal ramifications. Students too, have such concerns and, if they are not fully convinced that their identifying information is secure and that their responses will be kept confidential, they may hedge responses or even refuse to participate in the survey.
The surveyor, in this case UDS, will also be very concerned, not only that privacy, confidentiality, and security are achieved, but also in convincing students, deans, and directors that it will be achieved, because a failure to do either will threaten the validity of the survey results. In short, it is in the best interest of all parties to ensure privacy of the respondents and the confidentiality and security of their responses. There is little that is ambiguous about this issue: confidentiality and privacy of survey responses are respondents’ right and UDS’s responsibility. One we take very seriously.
It is important, therefore, that we not only achieve respondents’ privacy and the confidentiality and security of their responses, but also that we effectively convince the students, deans, and directors that our claims of privacy, confidentiality, and security are credible. This can be difficult because, while much of the credibility rests with the competence and diligence of the surveyors, characteristics that students, deans, and directors all understand very well, some of the credibility rests with the design and deployment of the technology which many of them may not understand. So how can you be sure? Here, we try to lay out the basic issues surrounding privacy, confidentiality, and security in on-line surveying; how they are dealt with generally; and how we deal with them specifically at UDS. The intent is to allay these concerns. thereby allowing deans and directors, as well as students, to focus on the benefits that competent surveying can generate.
The protection of respondents’ confidentiality and privacy rights can not be achieved with technology alone, no more than it can be achieved with competent IT personnel guided by clear policy alone. It requires both. There are ten industry principles that guide our approach to privacy and confidentiality in on-line surveys. Here we provide a summary of these ten principles, a detailed explanation of which can be viewed in our privacy statement.
Principle 1: Accountability – There is no “passing-the-buck” on compliance. UDS is solely responsible for personal information under its control designates an individual or individuals who are accountable for the organization’s compliance with confidentiality and security principles and policies. Accountability for compliance rests with the designated individual(s) and the identity of these individual(s) shall be made known to any client organization or survey respondent upon request.
Principle 2: Identifying Purposes – Respondents have a right to know why survey data are being collected. Four precepts serve as the foundation for this principle: (i) openness as to purpose, (ii) individual access to one’s personal data, (iii) limited collection of data, (iv) limited use, disclosure, and retention of data. The purposes for which personal information is being collected is identified before its collection and persons collecting personal information must be able to explain to individuals those purposes. Further, only those data necessary to serve the stated purposes are collected, and the data may not be used for ad hoc purposes unrelated to the original stated purposes.
Principle 3: Consent: The knowledge and consent of individuals are required for the collection, use, or disclosure of personal information. UDS shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used and to communicate the purpose in a manner that will make an individual’s consent informed and meaningful. Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Sometimes, simply for practical reasons, all necessary consents may be sought just prior to data collection, and if so individuals are always given the opportunity of opting out without prejudice. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before its use (for example, when a UDS client realizes after the fact that it would like to service a previously unanticipated information research objective)
Principle 4: Limiting Collection – Collect only what you say you are going to collect. The collection of personal information shall be limited to that which is necessary for the purposes identified by UDS and disclosed to the respondents, and all information shall be collected by fair and lawful means. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the disclosed purposes of the data collection. UDS shall specify the type of information collected as part of its information-handling policies and practices, in accordance with the “openness principle,” which is closely linked to the “identifying purposes principle” as well as the “consent principle.”
Principle 5: Limiting Use, Disclosure, and Retention - Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual (or, in extremely rare instances, as required by law). Personal information shall be retained only as long as necessary for the fulfillment of those purposes. UDS has developed guidelines and implemented procedures with respect to the retention of personal information. These guidelines include minimum and maximum retention periods to protect the confidentiality rights of survey participants. Personal information that has been collected from an individual shall be retained long enough to allow the individual an opportunity to access the information and verify its authenticity.
Principle 6: Accuracy - Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it was originally or subsequently intended. The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make decisions or recommendations that might not reflect the individual’s attitudes at the time of the decision or recommendation.
Principle 7: Safeguards – It is not what you say; it is what you do! Personal information is protected by security safeguards appropriate to the sensitivity of the information. The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. UDS protects personal information regardless of the format in which it is held. The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. UDS makes its employees aware of the importance of maintaining the confidentiality of personal information, and care is always taken in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.
Principle 8: Openness – Let the sunshine in! Transparency is the best guardian. UDS is open about its policies and practices with respect to the management of personal information. Individuals are able to acquire information about UDS’s policies and practices without unreasonable effort, and the information shall be made available in a form that is generally understandable.
Principle 9: Individual Access – If it is about you, then you have a right to access. Upon request, UDS shall inform any individual of the existence, use, or disclosure of his or her personal information and the individual shall be given access to that information. An individual is able to challenge the accuracy and completeness of the information and have it amended as appropriate. When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, UDS shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information.
Principle 10: Challenging Compliance – Respondents have a voice, and it will be heard. Individuals are able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the UDS’s compliance, and there will be no “passing the buck.” The person responsible for confidentiality and security will address the challenge. UDS investigates all complaints, and, if a complaint is found to be justified, UDS will take appropriate measures including, if necessary, amending its policies and practices.
These ten principles, which you can view in more detail in our privacy statement, serve as our guide for respecting and protecting survey participants’ rights of privacy and confidentiality. State-of-the-art security technology is necessary but not sufficient to protect these rights. It also requires a thoughtful and enforceable set of policy guidelines and a designated competent data custodian and policy policeman to do the enforcing. Any provider of survey services that does not put confidentiality and privacy as a top priority will be cutting off their own legs, because client institutions will understandably balk at using their services if they feel confidentiality and privacy may be compromised. Client institutions should be equally demanding in privacy and confidentiality assurances for a more basic reason: survey responses cannot be assumed to be valid when rendered by respondents who harbor doubts about the privacy and confidentiality of their responses.
The concept is simple: confidentially and privacy are the rights of respondents and essential to good survey results. There must be no compromises, period, and the earned trust of the surveyor is the best way to be sure there will be none.