With the following measures you protect the personal data of your participants. The exact measures required for each study are different from study to study. Some measures are mandatory.
1. Collect as little personal data as possible
Only necessary data
Only collect data that is necessary for your research. All additional personal data that you collect means a privacy risk for te participant. If possible use age ranges instead of age, or regions instead of town/city.
Likewise, collecting very precise data from rather small groups of respondents is tricky. For example: a respondent in a population of 10 people measures 2m13 is easily identified.
Where possible use ranges instead of precise data, such as age ranges instead of date or year of birth.
2. Pseudonymize (required!)
When you want to be able to contact your respondents, or distinguish them from each other, you need to keep their names and contact details. Keeping these identifying data in a separate dataset outside Qualtrics strongly reduces the privacy risk for the participants.
>> Pseudonymizing data (instructions)
Pseudonymize: also in contact list / panel!
Qualtrics has the inbuilt option of creating a contact list or panel for inviting your respondents. Contacts in this list must contain at least an e-mail address. Please limit yourself to entering only an e-mail address and, if necessary, the pseudonym. The pseudonym is needed whenever you need to link a respondent to their response, for example during follow-up or longitudional research.
Pseudonymization is reversible: when you have the key file you are able to trace data to an individual. As a result, pseudonymised personal data will always remain personal data. Legal protection still applies. Please take extra care!
3. Anonymize
With anonymized data there is no link between respondent and response.
Please distinguish collecting and processing data anonymously. When collecting your data, please follow the guidelines of your ethics committee. They may not allow you to collect data anonymously. In other words: you must be able to prove that you obtained the data from real, existing people. More about anonymizing data. Data should however be processed anonymously.
Qualtrics offers the following anonymization options:
- Anonymous link
When you collect your responses via a so called anonymous link, there is no link with personal data at all. Unless you collect any personal data in one of the survey questions. Your ethics committee however may not allow anonymous data collection. In that case you can’t use anonymous links. Please use Individual / Personal links in combination with Anonymize response. - Anonymize response
By anonymizing the responses of a survey in Qualtrics, you can no longer see who gave which response. The link between response and respondent is cut.
Please note: Anonymize response does NOT automatically mean that your respondents are anonymous!
There are still ways where data lead back to respondents:
- When you have enabled Anonymous response option after starting your survey the anonimization can be reverted.
- Combining data or small populations may point towards certain respondents.
For example: someone measuring 2m13 in a population of 10 persons can easily be identified. - When identifying data (like name, address) are collected directly in the survey itself. Please use a separate survey and keep datasets separated.
Be careful with repeated measurements!
Be careful with anonymizing when taking repeated measurements with the same participants, for example in studies that need follow ups. After anonymizing you can no longer link respondent and response. That will remain possible with pseudonymizing, however indirectly.
3. Separate consent from data
If you process personal data on the legal basis “Express consent of the participant”, you must obtain Informed consent. This is often requested at the start of the survey, for example as the first question. However, Qualtrics will then store these personal data in the same data set as the rest of the survey. And thus, all answers can be traced to a person. Therefore, request the consent separately from the actual survey.
4. Do not use email triggers
In Qualtrics you can have survey responses sent to yourself by email. In this way data end up in another system besides Qualtrics, which poses a privacy risk. Therefore, do not use email triggers.
Likewise: Do not send responses to respondents
In various surveys, respondents receive their responses by email after completing a survey. This is vulnerable for the same reason as the use of email triggers. Please do not have the responses automatically sent to the respondent.
5. After collecting your data: remove data from Qualtrics
Qualtrics is not intended to be a storage medium. As soon as the survey data are no longer needed, they must be removed from Qualtrics. Before deleting the data or survey you can export the data from Qualtrics for further processing or archiving purposes.
>> More about working securely online
>> Code of conduct for working securely with digital information (in dutch)