With increasing scrutiny on privacy and data security, and with privacy regulations changing and strengthening across the world, organisations are becoming increasingly concerned about the cost and burden of compliance.
A new study by Gartner revealed that accelerating privacy regulation is the top emerging risk for organisations in Quarter One 2019. This is largely because Europe’s General Data Protection Regulation (GDPR) is now in effect. The risk is exacerbated by other new global privacy regulations that are modelled on GDPR, such as changes to laws in Australia and Japan, and the new California Consumer Privacy Act (CCPA).
You may be thinking “So what?”. The majority of associations and for-purpose organisations are not required to comply with the Australian Privacy Act (1988), because most businesses with an annual turnover of less than $3 million are exempt. However, regardless of whether you have to comply, you should also be considering the reputational damage and the associated risks should your organisation breach individuals’ privacy.
So to help you start thinking about data and privacy, and based on our own experiences, we offer some questions to ask yourselves about data and your compliance with privacy regulations. I will preface this, however, by saying that Survey Matters are not lawyers (we’re researchers!), so your organisation needs to seek its own legal advice about the collection, use and storage of information or data you collect from members and stakeholders.
Do you know where the data you collect is stored? By this we mean the country in which the data is housed and/or backed up. For example, many free survey instruments that are in popular use store the survey information in the USA.
What do the privacy policies of the third-party organisations you use to collect information say about the use and storage of personal information? This extends to third-party survey software, database and CRM vendors.
Personal information includes all of the usual things like name, address, phone number, email address etc., but also extends to IP addresses. Having researched many survey software applications, we know that IP addresses are automatically and routinely collected in all survey instruments unless you specifically turn that function off.
Disclosure and de-identification
When collecting data, particularly through survey instruments, do you provide sufficient information to participants about how you intend to use and store the information they provide?
How long will you keep the data you collect from your survey?
How do you de-identify any personal information provided? At what point do you de-identify the data?
Do you have processes in place for participants to access or correct any personal information you hold?
Aside from these important privacy considerations, there are other implications when gathering information from your stakeholders. Often in large or dispersed organisations, people will decide to ‘run a survey’ to find out something they want to know, without understanding the consequences. The ability for individuals to easily download and use survey software can mean that there is no organisation-wide understanding of the number of surveys being conducted or knowledge of the information being gathered. It also means that the checks and balances relating to collection and use of the data in accordance with your policies and compliance with regulation are often overlooked.
For more information or any questions you have, please feel free to contact Survey Matters on +61 3 9452 0101, or email me at firstname.lastname@example.org.
About Survey Matters
Survey Matters specialise in providing services to associations and for-purpose organisations, their customers and members.
We have helped a wide range of associations understand their value proposition - what is important to members, how the association can help them and how satisfied they are with their association's performance.
We also work with organisations to generate and build industry data and knowledge to support advocacy, promotion, industry development and marketing activities.