Collection and protection
In this class we’re looking at data protection and what you need to know when you’re collecting personal data through surveys.
Class 3: Data Protection for Beginners
If you’re using your surveys to collect personal data, then you should make sure that you’re aware of your responsibilities around data protection.
Most people have by now heard of something called “GDPR” but may not know what it actually means or what the implications are. It stands for General Data Protection Regulation, and it’s an EU-wide set of rules that the UK has now introduced. For a lot of people, it just meant a lot of emails around spring 2018 asking them to re-subscribe to email newsletters, or being handed new consent forms to fill in by places that never felt the need to bother before. As such it’s often seen as an inconvenient bit of extra bureaucracy to deal with, but in reality, the requirements are quite simple to understand and comply with, if you make sure you bear them in mind from the start.
What is Affected
The first thing to note is that only personal data is affected. What this means is data about a particular person that can be identified as being about that person. Some of these things are obvious such as name, email address, physical address, and gender, and some may not be. The IP address someone uses to access the internet is probably the most important example of this.
What this all means is that if you’re running your survey anonymously, then you don’t need to worry too much about it. The data you collect can’t be associated with a person so by definition can’t be personal. However, this has pitfalls and making a survey anonymous isn’t just a question of activating “Anonymous Mode” in the software. While this mode will stop IP addresses being collected, you do also need to make sure that you’re not collecting other personal data via the questions.
You may think this is easy enough (just don’t ask those questions), but free-text questions can be tricky. There’s nothing really to stop a respondent entering personal details into one of those boxes, even if you haven’t asked for them.
What To Do
OK, so what do you as a researcher need to do?
The most important principle is to be open and transparent about who you are, and why you’re collecting the data that you are.
The easiest and simplest thing is not to collect personal data and do everything anonymously. As we said earlier, this isn’t perfect if you need to ask for free text, but you can still gather a large amount of useful insight this way.
If you do decide that you’re going to need to collect personal data, then you need to make this totally clear to respondents, and this is usually done via a short statement at the start of the survey. This doesn’t have to be pages of legalese, but a simple, short sentence or paragraph explaining what you’re doing and why, such as:
“We’re running this survey to improve the service in our restaurant. We’re optionally asking for your contact details, so we can match them to the date of your bookings. We’re not going to add these details to a marketing list. If you don’t want to take part in the survey, then close this page and nothing will be stored.”
As you can see, this statement makes clear the purposes of the processing, our intentions for the data we collect and that we won’t use this data for marketing purposes.
Depending on the length and complexity of your survey, you can also include this information on specific questions, especially if you’re planning on doing different things with them. The most important thing is always clarity and honesty in what you plan to use the data for.
The Main Principles
- Only collect personal data if you need it
  You should have a clear purpose in mind for the data before you collect it – not “just in case”
- Make sure any personal data is kept secure and treated appropriately
  Don’t leave exported data on unsecured drives, for instance
- Don’t keep it for longer than you need to
  Review what you’ve collected periodically and remove anything no longer appropriate
- Make sure you have a legal basis for processing
  There are multiple bases and consent may not be the best one available to you
- Have a process to deal with consent being withdrawn if you’re relying on it
  Be clear about who you are and how to contact your organisation
- Be aware of how to deal with requests for access, correction, and deletion
  See the guides below about the “right to be forgotten” and more
If you have further questions about dealing with “right to be forgotten” or methods of collecting respondent consent on online surveys please take a look at our help guides:
- Using SmartSurvey to Collect GDPR Consent
- Enabling Anonymous Responses
- Removing Personal Data from Surveys
The Legal Bases for Processing and Consent
The full detail on all the ways you can legally collect and process personal data is a little outside the scope of this article, but it’s worth a quick note on “consent”. Consent does not need to be a ticked box. It can be the act of completing the survey if you’re clear about the purposes and intentions of the data collection at the point of collection (i.e. on the survey page).
However, while consent can be the easiest to justify if challenged, it can also be withdrawn by the respondent, which can cause you issues later on. A lot of surveys can be caught by legitimate interests or public function bases, so if you don’t need to rely on consent, then don’t. It’s also important that you can’t move the goalposts. If you collect and process data under the basis of consent and then consent is withdrawn, you shouldn’t then choose another basis.
Moving forward
Now we’ve done this, we hope you’ll see that the requirements really aren’t all that bad, and basically come down to openness and honesty. In the next article in this series, we’ll move back to the main business of survey creation and talk about some more advanced features you can use to make your surveys personalised and responsive.
Disclaimer: This article does not constitute legal advice nor does it guarantee compliance with any legislation including GDPR. It is only intended as background information to supplement your knowledge and awareness. We recommend you obtain the advice of a suitably qualified individual for guidance and ensuring compliance.