Division of General Counsel, Governance and Compliance

Surveys and mailing lists

Selecting a survey or mailing list provider in line with data protection requirements

Many of us use surveys and mailing lists regularly. They are a valuable tool and can aid us in many different ways, particularly when delivering teaching, scheduling events, and gathering group data.

Using these tools will often require us to collect the personal data of our colleagues, our students, or third parties. Accordingly, whenever you are running a survey or using a mailing list you need to think about the University’s data protection requirements and how to stay compliant with them.

The following guidance sets out the things you need to consider when selecting and using a survey or mailing list provider so that you stay compliant with data protection legislation and keep the personal data you collect safe.

1. When do data protection requirements apply and what is personal data?

Data protection requirements apply whenever we are processing personal data. ‘Processing’ includes things like collecting, storing, analysing and deleting personal data, and the management of any survey, poll or mailing list will likely involve the processing of personal data.  

Personal data is any information that can be used to identify a living person. This will not just include the more obvious identifiers such as names and contact details but will include numbers or references that are assigned to individuals, such as a research participant number, and other unique characteristics that could be used to identify specific people. Personal data includes information that can either directly or indirectly identify a person, so it is important to be mindful that although a single piece of information about a person may not be enough to identify them, their identity could become known when it is combined with other data.

You might also be working with the special categories of personal data. This type of data is particularly sensitive and would have a significant impact on both the data subjects and the University if a breach were to arise as a result of its incorrect handling so appropriate security measures should be in place. You can learn more about these special categories of personal data by taking a look at our Appropriate Policy Document.

2. Security and recommended platforms

In addition to the principles detailed below in section 3, security needs to be at the forefront of our processing.

One of the easiest ways to achieve a good level of data security is to use platforms that the University has a license for. This way, you will be using platforms that are already known to be secure and compliant with data protection legislation and that are supported by the University’s IT Services team. The two platforms which are fully supported for surveys are Qualtrics and Canvas 

Information from IT Services about using mailing lists can be found here.

You may choose to use an externally sourced third party platform or provider. If you do, then it is important to remember that the responsibility for staying compliant is on the creator of the survey or mailing list. Please make sure that you understand how your chosen platform works and what functionality it has. If it is not clear whether the platform you have chosen is secure and compliant with data protection legislation then please do not use it.

The best place to start is a review of the privacy policy or terms of use on the provider’s website, and review the information below regarding the data protection principles and data subject rights so you can assess whether your chosen platform is suitable. Please be aware of platforms which store or transfer user data outside of the European Economic Area, in particular the United States of America, and those which share user data with third parties.  There are additional data protection requirements in these cases so please seek advice from the Information Management team at GDPR@sussex.ac.uk.

There may be proactive steps you will need to take to stay compliant when using your chosen platform. For example, Survey Monkey does not delete user or respondent information after your survey has closed, so you will need to delete this yourself. If you choose Mailman for your mailing list, then you should use a group email address rather than individual email addresses, to limit the amount of personal data you share with the service. Such steps may be necessary to remain compliant, so always be proactive in understanding what you can do to protect the personal data you are using.

Be aware that some platforms enable users to view and share the responses and content uploaded by others. This may not be appropriate so check the privacy settings for your account to ensure that your respondents’ data is secure.

If you have any questions or concerns about using a particular platform or service having made your own assessment, you should direct those to the Information Management team at GDPR@sussex.ac.uk.

3. Data protection principles

Whatever provider you use you need to ensure that you comply with the data protection principles. The underlying principles of data protection are necessity and proportionality and so you need to ensure that it is necessary to process the personal data that you plan to collect and that you are not doing so in a way that is disproportionate.

The data protection legislation also sets out a number of specific data protection principles that will apply whenever you are processing personal data for the purpose of surveys, polls or mailing lists:

  • Lawful basis: You need a lawful basis to process personal data. For most staff running their own survey or setting up a mailing list, you will usually be relying on consent as your lawful basis. Put simply, consent means “any freely given, specific, informed and unambiguous indication” of an individual’s wishes / agreement to the processing of their personal data. If your processing requires consent then, when designing your survey or poll, or seeking agreement to add someone to a mailing list, remember that consent must be given by a clear affirmative action – the option to ‘opt in’ is required, rather than simply to ‘opt out’.
  • Transparency: We need to be clear and honest about the way we handle personal data and what we do with it so you will need to give individuals information about this.
  • Purpose of processing: We also need to make sure that we only use the personal data we hold for the purpose we originally collected the data for, or for purposes that are not incompatible with that original purpose. In some circumstances, there are fewer limitations on how you can use personal data for research purposes (like does not include market research). If you are collecting personal data for research purposes our website has some helpful resources which will assist you in staying compliant.
  • Data minimisation: We need to make sure that we only collect the least amount of personal data that we need, regardless of the reason we are collecting it or whether it could be useful in future. We also need to make sure that the personal data we hold is adequate for our needs and relevant. This should be easy to achieve by making survey questions clear, succinct and precise. If any of your respondents provide more personal data than you require then you should not retain this information.
  • Retention and storage of personal data: It is also important to remember that personal data should not be kept for longer than it is needed. Once it is no longer needed it should be deleted, including any copies or details held elsewhere, or it should be anonymised so that individuals are no longer identifiable from it.

4. Data subject rights

Throughout all of our processing, it is important to remember that all data subjects have certain rights. They have the right to access the data we hold about them, to correct it when it is inaccurate or out of date, to know how and why it is being used and to know what it is being used for. In some situations we will be obliged to delete their data at their request, but there are exemptions to this.

All requests for personal data should be referred to the University’s Data Protection Officer at dpo@sussex.ac.uk.

You can find more information about how to stay compliant in the University’s Data Protection Policy.