Obsessed with Anonymity™
Protecting Participant Anonymity in Diversity & Inclusion Surveys
Updated 30th April 2026 by Mark Holt, originally May 2024
How do you ensure anonymity in a DEI survey?
To guarantee anonymity in a diversity and inclusion survey, run it through a dedicated third-party platform — not an HR system or generic form builder — identify each response by a random ID rather than a name or email, log no cookies or IP addresses, report results only in aggregate, automatically hide any demographic group smaller than five people, and purge the raw data once the survey closes. Just as importantly, tell participants you have done all of this: perceived anonymity drives honest answers as much as the technical measures do.
Our colleagues are (rightfully) extremely nervous about disclosing personal information; a relucatance that is amplified when the data relates to their individual demographic characteristics.
That's why Divrsity has been built from the ground-up with the goal of Obsessively Protecting the anonymity of individuals who participate in our Diversity & Inclusion Surveys.
When our colleagues have absolute confidence that their responses cannot be tied back to themselves we see higher participation (we usually see participation in the 70-80% range), and fewer "prefer not to say" responses; meaning Diversity and Inclusion Surveys that are run on the Divrsity platform generate high quality results.
Company Culture is fascinating!
Our best-practices for Communication Strategy around your Diversity and Inclusion survey is to talk consistently about how Divrsity preserves anonymity. Anonymity features prominently on the (configurable) survey invitation messages, and the front page of every survey contains a list of the steps we take to preserve anonmity.
... and yet we still regularly see verbatim survey responses that say "this survey is supposed to be anonymous but I don't believe it".
This article summarises some of the steps we take to preseve anonmity.
How to ensure DEI survey anonymity: five essential steps
Anonymity in a diversity survey is not a single feature — it is the cumulative effect of several deliberate design choices. Whatever platform you use, these are the five safeguards that decide whether a participant can ever be re-identified:
- Use a dedicated third-party platform, not an HR system or generic form. Tools such as Microsoft Forms or SurveyMonkey tie responses to a login or email address and hand the raw data to an administrator. A purpose-built DEI platform sits outside your own systems, so no one internally can match an answer to a person in the first place.
- Identify responses by a random ID, never a name or email. Each submission should carry only an auto-generated identifier — Divrsity uses a 128-bit GUID — that cannot be reversed back to an individual once the survey closes. No login, no email and no name is ever stored against the answers themselves.
- Collect no cookies, trackers or IP addresses. Indirect identifiers are as dangerous as direct ones. Disabling cookies and IP logging removes the technical breadcrumbs that could otherwise be combined with demographic answers to single someone out.
- Report results only in aggregate, and suppress small groups. Findings should appear as group-level summaries, never individual records, and any segment below a minimum size should be hidden automatically — Divrsity suppresses groups smaller than five by default, a threshold administrators can configure — so a small team can never be narrowed down to one identifiable person.
- Purge the raw data — and the email list — as early as possible. Email addresses should be deleted as soon as invitations and reminders have been sent, and raw responses irrecoverably purged shortly after the survey closes (Divrsity holds them 7–10 days). Once purged, even a GDPR Subject Access Request returns nothing.
Crucially, anonymity only lifts participation if people believe in it. Communicate each of these safeguards plainly — in the invitation, in your communication strategy, and on the survey itself — because perceived anonymity drives honest answers as much as the technical measures do.
In the bad old days... (before Divrsity )
We see a lot of companies attempt to collect D&I information through their HR system, via general tools such as Microsoft Forms / SurveyMonkey, or via dedicated employee survey tools such as Peakon / CultureAmp.
While those are all excellent tools, they have one thing in-common: to be useful for Diversity & Inclusion surveys they, by definition, generate a vast amount of Personally Identifiable Information (PII), in a form that makes it easy to determine which specific responses pertain to a particular employee. e.g. Microsoft Forms actually associates responses with an Active Directory account and makes all the raw survey results available to the survey administrator. These are typically downloaded to that user's computer for analysis... and now we're in a world of data security pain.
It's worth noting that the ability to connect survey responses to an individual may be either direct (through email address or login details), or indirect through the combination of multiple data fields in the raw results (this employee is in New York, and in the Finance Team, and has joined in the past year - therefore it must be Humphrey).
To avoid compromising survey quality, we therefore need to reassure colleagues that the data we collect will be anonymous, and used only for the purposes of improving Diversity & Inclusion within our organisation.
Divrsity has been designed and built to obsessively protect participant anonymity
In practice, this means that we ensure that our PII footprint is sufficient for us to provide our service, and absolutely nothing more. Consequently, even in a worse-case situation such as our servers being compromised, there is effectively no PII available for hackers to exploit.
N.B. For employers, this has the positive side-effect that a GDPR Subject Access Request would reveal zero information about a given participant.
Some examples of the steps we take to ensure participant anonmyity include:
- For survey participants, we avoid all trackers, we place no cookies, and we configure our servers to avoid collecting IP address information
- Raw survey responses are identified only by a Globally Unique Identifier (a "GUID"): a 128-bit random number that is auto-generated by our systems. Once the survey is complete, this number cannot be tied back to an individual employee
- Since we have no legitimate need to contact them again, we immediately purge a participants e-mail address from our database when they have completed their survey.
- For the same reason (that we have no need to contact them again), we immediately purge e-mail addresses once the reminder e-mail has been sent.
- As a consequence, when a survey completes we have no PII, and no way to tie raw survey responses back to a unique individual.
- When the survey completes, we summarise and store the results. These results are provided to the survey administrator via the Divrsity website and can only be accessed in aggregated, completely anonymised form. N.B. We never share any company's results with other clients or prospects.
- We typically store raw survey responses for 7-10 days after the survey has completed (although this can be configured). After this time, they are irrecoverably purged and only the summarised results remain.
Obviously we also do everything we can to protect the data that we do store. This includes using AWS for all our data, ensuring that data is encrypted at-rest and in-transit; and enforcing strict security policies on our technology and our team.
More Blog Articles
- Alongside anonmity we recommend checking out Legal and Ethical considerations of EDI Surveys
- And, for company director's, you can learn more about considerations when running EDI Surveys.
- See how we use AI to generate D&I insights
- Or Learn Why we created Divrsity
Footnotes: