Surveys are useful research tools. However, you will be hard-pressed to find willing survey subjects if you do not protect their privacy.
That is why you should include a Survey Disclaimer when you run surveys. A Survey Disclaimer offers an additional level of legal protection that enhances the promises you make in your Privacy Policy and Terms and Conditions agreements.
This article discusses the content of survey disclaimers and why you should attach them to your surveys.
What's a Survey Disclaimer
Surveys cover a diverse range of topics. Consumer preferences, daily habits, and medical research are just a few topics addressed by surveys.
No matter the content, each survey should begin with a Survey Disclaimer.
A Survey Disclaimer is also known as a Survey Consent or Survey Introduction. The Survey Disclaimer outlines what a survey participant can expect from volunteering their information for a survey.
It may also contain warnings such as when data is shared with a third party or if sensitive data may not be protected.
The Survey Disclaimer fulfills four purposes which are addressed in its provisions:
- Describe the information collected and how it is used,
- Indicate confidentiality measures,
- Encourage participation without making it mandatory, and
- Offer participants reassurance that their information will not be misused or made public
Privacy protection is the most important element of a Survey Disclaimer. Even if your Privacy Policy agreement covers your compliance requirements, the Survey Disclaimer enhances that compliance by making your terms obvious to participants.
Having this kind of disclaimer also encourages participation. No matter the topic, participants may feel uneasy, especially if the survey involves something deeply personal like psychological treatment.
Unless people understand their answers are protected, it's unlikely you will secure enough research to meet your purposes.
Laws on Survey Disclaimers
There are no laws or directives directly reflecting privacy practices in regard to surveys.
Survey disclaimers are frequently designed to comply with current laws mainly as a cautionary note but also because it reassures participants. That creates an intersection between Survey Disclaimers and the relevant privacy laws.
HIPAA Act (U.S.)
Even when surveys related to medical treatment and conditions are anonymous, U.S. research facilities, universities, and companies still handle the data under the responsibilities outline in the Health Information Portability and Accountability Act (HIPAA).
The U.S. does not have a general privacy law, but it takes the security of medical information seriously. The HIPAA Privacy Rule in particular can affect health surveys and require particular considerations for the Survey Disclaimer.
The Privacy Rule from the HIPAA Act seeks to assure health data is protected while allowing the information to be available for assessing treatment, securing public health concerns, and supporting research.
In any of these cases, the medical provider or researcher must provide notice and secure consent from the patient first.
Survey Disclaimers regarding physical or mental health frequently include a provision that data is not associated with the answers provided on the survey.
Normally, since surveys occur online and are automated, answers are not associated with an email address but given a random identifying number.
This protects privacy because there's data relevant to research but no personal identifying information linked to it.
CalOPPA Act (U.S.)
As mentioned, the U.S. has no general law protecting privacy. California enacted one in 2004 called the California Online Privacy Protection Act (CalOPPA). This act places specific notice requirements on entities which collect personal data from their users.
California is one of the most populous states in the U.S. so if you look to transact business or run surveys there, you need to comply with California law.
It's nearly impossible to restrict business or collect information from one state within an online survey, so following CalOPPA is a good precaution.
CalOPPA requires a conspicuous link to the Privacy Policy on every website. It also requires specific content for the Privacy Policy. The following requirements are relevant to surveys:
- Provisions describing type of personal information collected,
- Use of that information, and
- The identity of third parties who may see it
Many surveys do not link data to personally identifiable information. However, any information collected specifically about an individual is subject to these requirements.
Even if you have a complete Privacy Policy, your Survey Disclaimer can provide enhanced compliance with CalOPPA and reassure participants.
PIPEDA Act (Canada)
Canada maintains an Office of the Privacy Commissioner of Canada and passed two laws regarding privacy protection. One law, the "Privacy Act" contains provisions requiring federal government agencies to protect and disclose personal data responsibility.
The law that affects information collected in surveys sponsored by for-profit entities is the Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA requires companies to obtain consent before collecting, using or disclosing personal information. The data can only be used for the purpose it was collected.
PIPEDA is limited to commercial activity. However, businesses that fall directly under legislative authority of Parliament must also follow these regulations. Airports, airlines, banks, public transportation authorities, telecommunication companies, television and radio broadcasters, and offshore drilling operations must all adhere to this law.
For example, if you are conducting a survey on behalf of a radio station, you must obtain consent before collecting information. You can do this with a Survey Disclaimer at the beginning and use clickwrap design methods to assure acceptance.
Health information is primarily protected by provincial laws. Ontario, New Brunswick, and Newfoundland and Labrador all have acts modeled under PIPEDA but specific to health information.
Like in the U.S., it's impossible to direct a survey to Canada and only involve a few provinces. Therefore, you need a Survey Disclaimer and click-wrap methods as well in order to assure you secure consent to collect information.
Privacy directives (E.U.)
The E.U. started passing data protection rules in January of 2012. Its latest privacy directive passed on May 4, 2016, showing it continues to evolve its privacy laws.
Like other laws, the EU directives do not specifically address surveys.
The part of the directives most relevant to surveys is the requirement that data must be collected for specific, legitimate, and explicit purposes.
A Survey Disclaimer that explains the reason for collect and how it's used likely meets this standard - especially if you use clickwrap methods to assure the participant accepts the terms.
Privacy Act 1993 (New Zealand)
There's a clear example in New Zealand where the University of Canterbury in Christchurch takes privacy and consent very seriously with its research efforts.
It devotes an entire page to the endeavor and wastes no time explaining the importance of these considerations in that page's introduction:
The approach makes sense considering New Zealand's Privacy Act 1993. The act does not provide a general right to privacy but it protects information, including electronic data. This applies to surveys since most of them are conducted online.
If an individual feels their rights under the New Zealand Privacy Act were violated, they can file a complaint with the Privacy Commissioner.
Therefore, it's understandable why the University of Canterbury and other entities wish to be cautious by having a Survey Disclaimer.
How to Draft a Survey Disclaimer
Below are some examples that show how you can draft a Survey Disclaimer.
If you're collecting opinions on less personal issues, like consumer products, perceptions in the news or anything else that an individual would share willingly with a stranger over coffee, a General Survey Disclaimer is likely all you require.
This includes some reassurance because participants may not want spam, junk mail or unwanted promotions. If the survey involves more personal products, they may also want the results not associated with their name or made public.
Survey Monkey, a leader in providing a platform for conducting surveys, can include a Survey Disclaimer, also called a "Consent Form" that emphasizes anonymity:
GE uses a similar structure that shows how this is put into practice. Its survey portal appears to be limited to employees and independent contractors in its organization.
GE's Survey Disclaimer is a catch-all for data although it discourages sharing sensitive data:
Both examples are general yet comprehensive:
- The GE example offers general rules of conduct for its surveys and discourages submitting sensitive information.If a participant does so, it does not guarantee protection which suggests these surveys are not used for sensitive data.
- If you are handling sensitive data, the SurveyMonkey example may work better for you.It clearly indicates commitment, confidentiality protection, and provides space to provide the purpose of the survey.
The Survey Disclaimer/Consent Form from SurveyMonkey ends with the "I agree" checkbox so the participant can decide whether they still want to participate after reading the listed conditions.
Survey Disclaimers also work by integrating other agreements with them, like the Privacy Policy agreement. This may be done by having each document contain overlapping provisions.
Wikipedia offers a provision regarding surveys in its Privacy Policy:
Wikipedia's section on Surveys in its Privacy policy states generally that feedback and personal information gathered from a survey is used by Wikipedia.
Even though the Privacy Policy covers this topic, Wikipedia still offers a separate Survey Disclaimer too. This specific provision expands on the clause in the Privacy Policy and explains that information remains with Wikipedia and there is no public association with the participant's account:
The Wikipedia integration of Privacy Policy and Survey Disclaimer is subtle as it only involves similar terms. Other organizations take a more direct approach.
The Birth Survey is headquartered in North Carolina and collects data on women's birth experiences. Before anyone participates in the survey, it starts with a dialog requiring the acceptance of Terms and Conditions, the Privacy Policy, and the Survey Disclaimer through the clickwrap method:
If you scroll down the dialog box and review all three agreements, you find this provision in the Survey Disclaimer regarding personal information. It mentions that the participant shares the data within the provisions of all three agreements:
It seems like a Survey Disclaimer can get away with merely being a reference to the Privacy Policy or Terms and Conditions.
However, it's not recommended. Linking to long legal agreements as a way to reassure their data is safe is not a good way to encourage participation.
Even if your Survey Disclaimer shares provisions in the Privacy Policy, repeat those provisions in plain language when you draft the disclaimer. That assures participants understand the use of their data and feel safe in knowing that their answers are not personally linked to them.
Surveys conducted to gauge the quality of medical care or conduct research fall under strict privacy guidelines in laws like the U.S.'s HIPAA.
The Cleveland Clinic conducts surveys to measure service quality. It sends out a Patient Satisfaction Survey and maintains a FAQ-style disclaimer and introduction page for this survey.
Its disclaimer starts with a statement of purpose:
Then the disclaimer describes the information collected and who has access to it. In this case, the data is kept internally:
However, the feedback will also contribute to a star rating for physicians and patient reviews may also be posted. While this posting is anonymous, patients have the option to ask that their comments are removed:
Canada has the National Physician Survey. Its disclaimer indicates that answers are not linked to data that can identify a patient.
It also contains provisions that data is handled under physician confidentiality requirements and personal information protection:
It's a good idea to detach survey results from the identity of the participant. That means no links to email addresses, user names or even the IP address. While this is a good practice overall, it is critical if you wish to conduct a health or medical related survey.
Surveys conducted for a closed group may seem reassuring on their own. However, it's a good practice to never assume participants know this.
Survey Disclaimers exist more for reassurance. Even if the data is not personal, clearly indicating that the data is limited to one particular institution or group only helps your survey. It also shows that you comply with privacy laws even if you already have a solid Privacy Policy.
Consider this a step in enhancing those practices. This Survey Disclaimer used by the University of Michigan works with both health-related and general surveys because it indicates clear limitations for data access and keeps results anonymous:
Any time you immediately delete personal data or limit it to anonymous release to a closed group of researchers, describe these practices in your Survey Disclaimer. As seen the University of Michigan example, this does not have to be long or complex.
A Survey Disclaimer reinforces compliance with privacy laws but also contains extra material to encourage participation and assure confidentiality.
Rather than merely link to other agreements as a replacement for your disclaimer, draft a plain language summary of the purpose of the summary and how you will protect data. That will draw in more participants and make your survey much more helpful.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.