5 Questions Every Survey Team Needs to Ask About Data Privacy - OrgVitality

You likely know how your data is collected and stored. But what happens to your employee data once your project is done?

Data privacy is critical with employee surveys, yet much of the focus is on the details of who sees what data, in what fashion, and whether there are controls to prevent violating confidentiality. But what happens to employee data once the survey is over? Survey teams need to make sure they know the following:

1. Once a third party collects employee data, who owns it? The client, or the vendor?
2. Where is the data stored?
3. How long will the vendor store it?
4. What happens to it afterwards?
5. Who can access it?

Chances are, your survey vendor will have responsible answers to each of these questions, but it’s still important to ask. Different vendors may have different policies, and you want to make sure the policies of your vendor are appropriate for your needs. Often, a vendor holds onto client data for very legitimate purposes, such as trend or additional analyses in the near future. Most vendors add unidentified, aggregated data to their norms database – something that clients both add to and benefit from. (That being said, if you don’t want to be part of the norms database, you should make sure your vendor has an opt-out policy.) Other purposes might go beyond the scope of work for your organization and include things like general research, algorithm development, or AI/machine learning work. Understanding how your vendor uses client data enables you to have control over how your vendor uses your data. There are many positive ways data gets used that will directly benefit your listening initiatives; you just want to make sure nothing violates employee privacy.

[Related Blog: How to Take Action on your Employee Survey Results]

The most important thing to understand is what level a vendor is storing the data. There are various options:

• Company level: This may be as simple as company level scores on particular items. This is low risk, as it is not individual level, and does not identify individual respondents
• Individual, De-identified: This may include individual, row level data to allow slicing of item responses by variables like tenure, function, or location. This is usually a low to medium risk, depending on the variables attached to the data, but generally in this case it is impossible to know the identity of any respondent.
• Individual, Identified: This includes individual, row level data with some variables/identifiers that make it possible to identify the respondent. While this allows broader, big data analysis, it is higher risk, and likely worth discussing with your legal team. Any dataset including individual comments would fall into this category.

It’s your responsibility to make sure employee data is protected beyond the life of the survey project.

Push your vendor for transparency on all aspects of data use, including storage, formatting, and access. Ideally, you’ll work with a vendor who ensures you own your own data. And if you’re not happy with what your vendor is doing, call us, because at OrgVitality, you will always own your data – and control what happens to it.