Is Your Survey Tool Compliant with Data Privacy/Storage (Sovereignty) Laws?
Did you know?
Once you send out your online survey, depending on where your respondents reside, you could be responsible for how and where you store that personal information.
A plethora of online survey tools is now available to help you with your market research needs. Search online and you'll quickly find many reviews for major players such as Qualtrics, SurveyMonkey, Explorance, SurveyGizmo, Typeform, and LimeSurvey. When deciding which one to use, the focus is often on pricing and the available features (e.g. question types, user interface, and API services). However, one very important aspect that is overlooked is where the survey response data is stored, or where the survey tool's data center is located.
In this article, we'll:
Review the major data privacy laws governing Canada, the US, and the EU.
Present a list of how and where major survey platforms host their data.
Provide alternative solutions if switching to a different survey platform is difficult.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs data privacy and storage. However, it is important to do your research, as each province or territory may have its own regulations and set even stricter conditions. This is especially so for specific sectors like education and healthcare. In British Columbia and Nova Scotia, the public sector (including public education) is prohibited from transferring personal data outside of Canada without individual consent, and even then there are very limited conditions. Alberta, Ontario and Quebec have very specific legislation as well.
The US currently doesn't have a comprehensive data privacy and storage law. However, there is the Data Privacy Shield Framework, which allows approved members to share data between the EU and the US. In addition, it's important to note that many sectors may have their own regulations, particularly in the areas of education and healthcare. Education is governed by the Family Educational Rights and Privacy Act (FERPA), and healthcare is governed by the U.S. Federal Health Insurance Portability and Accountability Act (HIPAA).
Europe’s General Data Protection Regulation (GDPR) restricts companies from transferring personal data that originated in the EU to countries with inadequate data protection laws. These rules are found under Chapter 5 of the GDPR, “Transfers of personal data to third countries or international organizations”.
If you are currently using one or more of the major survey platforms below, we recommend you review your data center settings to ensure you're compliant for your next project.
If it's difficult to transition to another platform (e.g. you already have an established automated survey), there are a couple of options. First, avoid collecting any personal information in your survey. This can be accomplished by using a general survey link for all your respondents. Of course, this will make it hard to validate the response rates. Alternatively, you can include a consent question or privacy statement at the beginning of your survey like,
The information presented here is based on our knowledge and experience, as of the publication date, with the current state of data privacy regulations and with the different survey platforms. One takeaway from this is to always ask the vendor when and how they will manage your data. You are all partners in this, so make sure due diligence is being followed.
Thank you for reading! If you have any data concerns with your next survey feel free to comment below or to reach out to us directly. Our team at Kai Analytics and Survey Research Inc. are experts in survey design, implementation, and analysis. We help businesses understand their customers through the analysis of numeric (quantitative) and open-ended (qualitative) feedback responses.