Online Survey Tools: Privacy & Security Considerations
Online survey tools can be used for a wide range of purposes, including online forms, satisfaction surveys, event registration, and more. Programs must use these tools with caution and careful planning if survivors are going to fill out the forms, surveys, or registration data.
Confidentiality. As with databases and other technology that might collect or store personally identifying information (PII) about users (in this case survivors), the technology company should not be able to read any sensitive or identifying information about survivors, in line with programs’ confidentiality obligations under VAWA, VOCA, and FVPSA.
1. Choose the tool carefully.
There are many companies offering online forms and survey tools. However, most companies do not offer strong enough protection to be acceptable for use with survivors’ personal information. Any form or survey used with survivors must be designed so that only your program can see survivors’ information, not the company.
As of this writing, only one general form-creation company, JotForm, offers this kind of protection, which is sometimes called “Zero-Knowledge” or “Client-Side” encryption. JotForm offers encrypted forms where the program holds the encryption key – not the company. EmpowerDB, a database service designed for victim services providers, is another option with this level of encryption; it has a feature that allows its client programs to create secure surveys.
*Note that JotForm also offers a “HIPAA” option, which does not meet the stricter criteria that programs need to adhere to. Read more about HIPAA vs. VAWA, VOCA, and FVPSA.
If you use a tool without this level of encryption, it will not be possible to keep those companies (or their employees) from potentially reading the content of the survey responses. However, if you are not requesting identifying information, it is possible to set up the survey to not collect the IP addresses associated with the respondents’ devices when you create it. IP addresses could be considered PII, and so it is important to check survey settings during set-up to make sure that the form will not collect this information.
Consider, as well, what tool you are using to store the data collected by the form. JotForm has built-in data storage, but also offers numerous integrations with other popular data-storage and customer relationship management tools. Be cautious about using these integrations. It might seem convenient to be able to automatically export data to a spreadsheet or database tool that you already use, but that could have privacy and confidentiality implications if those other tools provide weaker data protection.
Read more about Digital Written Consent if you are considering using an online survey or form for survivors to give you Releases of Information.
2. Design the survey or form to request the least amount of information necessary.
The ideal is to design questions, options for answers, and plans for how data will be stored and how long it will be retained, based on the principle that the less you collect, the less you have to protect. Some examples of this:
- Don’t ask for obvious PII such as name, contact information, identification numbers, etc.
- Avoid open-ended text fields where survivors could share PII. If there is a legitimate need for open-ended text fields, provide question-specific privacy disclaimers explaining why you are asking and what the risks and benefits of answering the question could be, similar to what the next section describes for ensuring informed consent for the survey as a whole.
- Don’t ask demographic questions in such a way that the combination of demographic information could uniquely identify a survivor. Examples of this:
  - Ask for an age range rather than a date of birth.
  - Depending on the population density of the places potential respondents might live in, ask about location in a broad way so that you don’t have only one or two responses from a given place.
  - Don’t ask other demographic questions – this is a challenge, since we often want to ensure that we’re meeting the needs of marginalized communities, but if respondents are in a county with almost no people from a certain community, that information in combination with other information could be uniquely identifying. One option here is to approach this through other methods like building partnerships with organizations or groups in that community. Another is doing that evaluation or research in a more formalized way that builds greater ethical and privacy-risk review into the process, such as working with an academic partner or getting approval from an independent Institutional Review Board (IRB).
- Make all questions optional, not required.
- If available on the survey platform you are using, make sure to disable any option that allows respondents to return later to a survey to finish it or change their answers. When this option is on, the platform sets a cookie on the respondent’s device that allows anyone with access to the device to see the respondent’s answers.
- Consider during the design process how long the data needs to be retained, and plan a deletion policy from the beginning.
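A check for the point above about combinations of demographic answers, given here as an added example (it is not part of the original guidance or any survey vendor's code): it counts how many respondents share each combination of answers and flags combinations held by fewer than k people, before results are stored long-term or shared. The field names, the threshold k=3, and the sample responses are assumptions constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample responses (not real data); field names are hypothetical.
RESPONSES = (
    [{"age_range": "25-34", "region": "North"}] * 3
    + [{"age_range": "25-34", "region": "South"}] * 3
    + [{"age_range": "35-44", "region": "South"}] * 3
    + [{"age_range": "35-44", "region": "North"}]
)


def small_groups(responses, fields, k=3):
    """Return {answer combination: count} for combinations of the given
    fields that fewer than k respondents share."""
    counts = Counter(
        # Questions are optional, so a skipped answer is its own category.
        tuple(r.get(f) or "(no answer)" for f in fields)
        for r in responses
    )
    return {combo: n for combo, n in counts.items() if n < k}


def risky_field_sets(responses, fields, k=3):
    """Check every subset of fields, smallest first, and return the subsets
    that single out fewer than k respondents, with the offending groups."""
    report = {}
    for size in range(1, len(fields) + 1):
        for subset in combinations(fields, size):
            small = small_groups(responses, subset, k)
            if small:
                report[subset] = small
    return report


if __name__ == "__main__":
    fields = ("age_range", "region")
    for subset, groups in risky_field_sets(RESPONSES, fields).items():
        for combo, n in groups.items():
            print(f"{' + '.join(subset)}: {combo} shared by only {n} respondent(s)")
```

In the sample data each question looks safe on its own, but one age range and region pair belongs to a single respondent; broadening the answer options or dropping one of the questions removes that group.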
3. Facilitate informed consent.
Be sure to tell survivors:
- the reasons you are asking for their participation,
- what the risks and benefits of completing the form might be,
- that participation in your survey is not required to receive services,
- how long the information will be retained before deletion,
- what will be done with the information (how it will be stored, who will see it, what formats it will be shared in),
- if they will have the ability to remove any responses they provide if they later change their mind, and
- information about whether or not any of their responses are or could be identifying and how any identifying information would be protected.
All of this should be shared in plain language, and in languages other than English that are used in your communities.
4. Be sure to prioritize survivor safety and privacy when sharing links.
Finally, it is crucial to consider how the survey is shared with survivors. Social media, email, or text might be a risk if someone else has access to their device or accounts (not just an abusive person, but anyone else who the survivor hasn’t disclosed to). Discuss safe communication methods with survivors when you can. If you’re sending it out publicly, provide up-front information on ways to safely access the survey from a safe device. Read more about safe methods of communication, and see a sample form.