Obsessed with Anonymity™

Protecting Participant Anonymity in Diversity & Inclusion Surveys

Updated 29th May 2024 by Mark Holt

child covering his eyes

Our colleagues are (rightfully) extremely nervous about disclosing personal information; a relucatance that is amplified when the data relates to their individual demographic characteristics.

That's why Divrsity has been built from the ground-up with the goal of Obsessively Protecting the anonymity of individuals who participate in our Diversity & Inclusion Surveys.

When our colleagues have absolute confidence that their responses cannot be tied back to themselves we see higher participation (we usually see participation in the 70-80% range), and fewer "prefer not to say" responses; meaning Diversity and Inclusion Surveys that are run on the Divrsity platform generate high quality results.

Company Culture is fascinating!

Our best-practices for Communication Strategy around your Diversity and Inclusion survey is to talk consistently about how Divrsity preserves anonymity. Anonymity features prominently on the (configurable) survey invitation messages, and the front page of every survey contains a list of the steps we take to preserve anonmity.

... and yet we still regularly see verbatim survey responses that say "this survey is supposed to be anonymous but I don't believe it".

This article summarises some of the steps we take to preseve anonmity.


In the bad old days... (before Divrsity )

We see a lot of companies attempt to collect D&I information through their HR system, via general tools such as Microsoft Forms / SurveyMonkey, or via dedicated employee survey tools such as Peakon / CultureAmp.

While those are all excellent tools, they have one thing in-common: to be useful for Diversity & Inclusion surveys they, by definition, generate a vast amount of Personally Identifiable Information (PII), in a form that makes it easy to determine which specific responses pertain to a particular employee. e.g. Microsoft Forms actually associates responses with an Active Directory account and makes all the raw survey results available to the survey administrator. These are typically downloaded to that user's computer for analysis... and now we're in a world of data security pain.

It's worth noting that the ability to connect survey responses to an individual may be either direct (through email address or login details), or indirect through the combination of multiple data fields in the raw results (this employee is in New York, and in the Finance Team, and has joined in the past year - therefore it must be Humphrey).

To avoid compromising survey quality, we therefore need to reassure colleagues that the data we collect will be anonymous, and used only for the purposes of improving Diversity & Inclusion within our organisation.


Divrsity has been designed and built to obsessively protect participant anonymity

In practice, this means that we ensure that our PII footprint is sufficient for us to provide our service, and absolutely nothing more. Consequently, even in a worse-case situation such as our servers being compromised, there is effectively no PII available for hackers to exploit.

N.B. For employers, this has the positive side-effect that a GDPR Subject Access Request would reveal zero information about a given participant.

Some examples of the steps we take to ensure participant anonmyity include:

  • For survey participants, we avoid all trackers, we place no cookies, and we configure our servers to avoid collecting IP address information
  • Raw survey responses are identified only by a Globally Unique Identifier (a "GUID"): a 128-bit random number that is auto-generated by our systems. Once the survey is complete, this number cannot be tied back to an individual employee
  • Since we have no legitimate need to contact them again, we immediately purge a participants e-mail address from our database when they have completed their survey.
  • For the same reason (that we have no need to contact them again), we immediately purge e-mail addresses once the reminder e-mail has been sent.
  • As a consequence, when a survey completes we have no PII, and no way to tie raw survey responses back to a unique individual.
  • When the survey completes, we summarise and store the results. These results are provided to the survey administrator via the Divrsity website and can only be accessed in aggregated, completely anonymised form. N.B. We never share any company's results with other clients or prospects.
  • We typically store raw survey responses for 7-10 days after the survey has completed (although this can be configured). After this time, they are irrecoverably purged and only the summarised results remain.

Obviously we also do everything we can to protect the data that we do store. This includes using AWS for all our data, ensuring that data is encrypted at-rest and in-transit; and enforcing strict security policies on our technology and our team.




More Blog Articles

Footnotes:

  1. A Subject Access Request is the legal right for an employee to find out what personal information any organisation is holding about them; how it is being used; whether it is being shared; and how they obtained the data in the first place. Divrsity is registered with ICO as a Data Processor under GDPR legislation