Is Your Survey Tool Compliant with Data Privacy/Storage (Sovereignty) Laws?
Updated: Apr 29
This article was last updated on March 2, 2021
Policies change frequently, every effort will be made to keep this guide up to date with the latest changes.
Did you know?
Once you send out your online survey, depending on where your respondents reside, you could be responsible for how and where you store that personal information.
There are now a plethora of online survey and questionnaire tools available to help you with your market research needs. Search online and you'll quickly find many reviews for major players such as Qualtrics, SurveyMonkey, Explorance, SurveyGizmo, Typeform, and LimeSurvey. When deciding which one to utilize, the focus is often on pricing and the available features (e.g. question types, user interface, and API services). However, one very important aspect that is often overlooked is where the qualitative, personal data from these survey responses is stored - or where the survey tool's data center is located. This small detail could have big consequences depending on where your respondents reside.
In this article, we will:
Review the major data privacy laws governing Canada, the US, and the EU.
Present a list of how and where major survey platforms host their data.
Provide alternative solutions if switching to a different survey platform is difficult
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the laws around data privacy and storage. The act outlines how organizations that collect personal data must behave with that data. For example, PIPEDA states that
"Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again. Personal information must be protected by appropriate safeguards."
-Office of the Privacy Commissioner of Canada, 2019
However, it is still important to do your research as each province/territory may have its own regulations and set even stricter conditions. This is especially so for specific sectors like education and healthcare. In British Columbia and Nova Scotia, the public sector (including public education) is prohibited from transferring personal data outside of Canada without individual consent –even then there are very limited conditions. Alberta, Ontario and Quebec have very specific legislation as well.
The US currently doesn't have a comprehensive data privacy and storage law. However, there is the Data Privacy Shield Framework which allows approved members to share data between the EU and the US.
Update! On July 16, 2020, the Data Protection Shield was struck down by the Court of Justice of the European Union, citing the Survalliance practices of the US state. Here's an article from the BBC breaking down this fundamental shift.
In addition, it's important to note that many sectors may have their own regulations, particularly in the areas of education and healthcare. Education is governed by the Family Educational Rights and Privacy Act (FERPA), and Healthcare is governed by the U.S. Federal Health Insurance Portability and Accountability Act (HIPAA).
Europe’s General Data Protection Regulation (GDPR) restricts companies from transferring personal data that originated in the EU to countries with inadequate data protection laws. These rules are found under Chapter 5 of the GDPR, “Transfers of personal data to third countries or international organizations”.
If you are currently using one or more of the major survey platforms below, we recommend you review your data center settings to ensure you're compliant before your next project.
In some cases transitioning to another platform is too expensive, time-consuming, or both. If it's difficult to transition to another platform, there are a couple of options:
Avoid collecting any personal information on your survey. This can be accomplished by using a general survey link for all your respondents. Of course, this will make it hard to validate the response rates.
Alternatively, you can include a consent question or privacy statement at the beginning of your survey like the one below:
As our world moves farther into the digital realm it is easy to get excited about new technologies and the possibilities they create, for both business and in our personal lives. But it is important to remember that the data we collect and manage online belongs to real people, protected by real laws, and with real consequences for breaking those laws.
It can feel tedious to keep up on this ever-changing legal landscape but asking the vendor when and how they will manage your data is a great place to start. We are all partners in this so make sure due diligence is being followed. And remember, we're always here to answer your questions! Kai Analytics can help you understand and manage your qualitative data, from collection to storage.
The information we presented at the publication date is based on our knowledge and experience with the current state of data privacy regulations and with the different survey platforms.
Thank you for reading! If you have any data concerns with your next survey, feel free to contact us by filling out the form below. Our team at Kai Analytics and Survey Research Inc. are experts in survey design, implementation, and analysis. We help businesses understand their customers through the analysis of numeric (quantitative) and open-ended (qualitative) feedback responses.