Online surveys and GDPR

In preparation for the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, the Online Surveys team worked with Jisc’s GDPR project team to ensure that our services and policies would meet the new regulations. Our blog post here details some of the changes we made as part of that review.

Your responsibilities

The Online Surveys licensee acts as the Data Controller. Jisc acts as the Data Processor, only processing the licensee’s survey data in accordance with their instructions.

Compliance with the principles of GDPR, as far as respondent data goes, is the responsibility of the Data Controller. Users under each licence determine what data they collect from respondents, including whether they need to collect personal data at all, and if so, what they will do with it and how long they will keep it.

We have several tools and features to help users comply with GDPR:

Adding a Privacy Notice to your survey

When creating your survey, we recommend the use of a privacy notice. This should explain to survey respondents how you plan to use any personal information you collect, and for how long you intend to keep it. Your organisation’s data protection officer may be able to provide advice and guidance on creating a suitable privacy notice for your survey.

Obtaining consent from your respondents

The screening function in Online Surveys can be used – along with a consent statement – as a means of obtaining consent from respondents to process their personal data.

Deleting respondent information or responses

Users can delete individual respondent information or survey responses. This supports a respondent’s rights to erasure and rectification.

A data subject’s rights apply only to personal data. Where the data is anonymous, the rights do not apply. Jisc will not respond directly to any request made by a data respondent about their rights under GDPR. Jisc will instead refer the request to the relevant user (usually the Survey Contact).

Supporting a respondent’s right to access their personal data

Users can export individual or all responses as they wish. This will allow you to provide a respondent with their response should they request it.

A data subject’s rights apply only to personal data. Where the data is anonymous, the rights do not apply. Jisc will not respond directly to any request made by a data respondent with regard to their rights under GDPR. Jisc will instead refer the request to the relevant user (usually the Survey Contact).

Anonymising your response data

You can anonymise your response data after you have collected it by:

  1. Filtering out personal data before exporting it for further processing.
  2. Permanently deleting pre-population data (including respondent list credentials) from your response data.

Online Surveys security

Online Surveys is certified to ISO 27001, the recognised information security standard.

All Online Surveys user and respondent data is stored in the EU.