Obsessively Protecting Participant Anonymity in Diversity & Inclusion Surveys
Employees are (rightfully) extremely nervous about disclosing personal information, a reluctance that is amplified when the data relates to individual Diversity.
Divrsity has been built from the ground up with the goal of protecting participant anonymity. This means that our employees can have confidence that their responses cannot be individually attributed to them, leading to fewer "prefer not to say" responses, and therefore significantly better data quality.
This article summarises some of the steps we take.
In the bad old days... (before Divrsity)
We see a lot of companies attempt to collect D&I information through their HR system, via general tools such as Microsoft Forms / SurveyMonkey, or via dedicated employee survey tools such as Peakon / CultureAmp.
While those are all excellent tools, they have one thing in common: to be useful for Diversity & Inclusion surveys, they generate a vast amount of Personally Identifiable Information (PII), making it easy to determine which specific responses pertain to a particular employee. This connection may be either direct (through email address or login details), or indirect through the combination of multiple data fields in the raw results (this employee is in New York, and in the Finance Team, and has joined in the past year - therefore it must be Humphrey).
To avoid compromising survey quality, we therefore need to reassure employees that the data we collect will be anonymous, and used only for the purposes of improving Diversity & Inclusion within our organisation.
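The indirect route described above can be tested for before raw results are shown to anyone. The following is an added example, not Divrsity's code: it counts how many responses share each combination of fields and reports any combination that isolates fewer than `k` people. The rows are constructed sample data, and the field names (`location`, `team`, `joined`) are assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample rows: raw responses with no name or e-mail attached.
RESPONSES = [
    {"location": "New York", "team": "Finance", "joined": "<1y", "answer": "A"},
    {"location": "New York", "team": "Finance", "joined": "1-5y", "answer": "B"},
    {"location": "New York", "team": "Finance", "joined": "1-5y", "answer": "A"},
    {"location": "New York", "team": "Sales", "joined": "<1y", "answer": "C"},
    {"location": "New York", "team": "Sales", "joined": "<1y", "answer": "A"},
    {"location": "London", "team": "Finance", "joined": "<1y", "answer": "B"},
    {"location": "London", "team": "Finance", "joined": "<1y", "answer": "C"},
]
# Assumed quasi-identifiers: fields a colleague could already know.
QUASI_IDENTIFIERS = ("location", "team", "joined")


def group_sizes(rows, fields):
    """Count how many rows share each combination of values for `fields`."""
    return Counter(tuple(row[f] for f in fields) for row in rows)


def min_group_size(rows, fields):
    """Largest k for which the rows are k-anonymous over `fields`."""
    return min(group_sizes(rows, fields).values())


def risky_combinations(rows, quasi_ids, k=2):
    """Check every subset of quasi-identifiers; report groups smaller than k."""
    findings = {}
    for size in range(1, len(quasi_ids) + 1):
        for fields in combinations(quasi_ids, size):
            small = {key: n for key, n in group_sizes(rows, fields).items()
                     if n < k}
            if small:
                findings[fields] = small
    return findings


if __name__ == "__main__":
    # No single field or pair isolates anyone; all three together do.
    for fields, groups in risky_combinations(RESPONSES, QUASI_IDENTIFIERS).items():
        for values, count in groups.items():
            print(f"{fields} = {values}: only {count} respondent(s)")
```

In this sample every single field and every pair of fields covers at least two respondents, so the exposure only appears when all three are combined, which is why the check has to run over combinations and not over columns one at a time.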
Divrsity has been designed and built to obsessively protect employee anonymity
In practice, this means that we ensure that our PII footprint is sufficient for us to provide our service, and absolutely nothing more. Consequently, even in a worst-case situation such as our servers being compromised, there is effectively no PII available for hackers to exploit.
N.B. For employers, this has the positive side-effect that a GDPR Subject Access Request would reveal zero information about a given employee.
Some examples of the steps we take to ensure participant anonymity include:
- For employees completing a survey, we avoid all trackers, we place no cookies, and we configure our servers to avoid collecting IP address information
- Raw survey responses are identified only by a Globally Unique Identifier (a "GUID"): a 128-bit random number that is auto-generated by our systems. Once the survey is complete, this number cannot be tied back to an individual employee
- Since we have no legitimate need to contact them again, we immediately purge an employee's e-mail address from our database when they have completed their survey.
- For the same reason (that we have no need to contact them again), we immediately purge e-mail addresses once the reminder e-mail has been sent.
- As a consequence, when a survey completes we have no PII, and no way to tie raw survey responses back to a unique individual.
- When the survey completes, we summarise and store the results. These results are provided to the survey administrator via the website. We will never share any company's results with other clients or prospects.
- We typically store raw survey responses for 7-10 days after the survey has completed (although this can be configured). After this time, they are irrecoverably purged and only the summarised results remain.
Obviously we also do everything we can to protect the data that we do store. This includes using AWS for all our data, ensuring that data is encrypted at rest and in transit, and enforcing strict security policies on our technology and our team.