SULINGITUK GOVERNMENT: Protecting the privacy of survey respondents

Fictional Case Study

Sulingituk Government is in the process of conducting a social well-being survey. The survey covers sensitive subject matter and protecting the privacy of respondents is critical. Do they have adequate privacy protections in place?

Ron, the policy analyst, is responsible for overseeing the survey. Two staff members, George and Linda (Public Health Outreach Workers) are contacting citizens to either conduct the survey by phone or set up appointments to interview citizens who live on lands in person. They are also mailing out paper copies of the survey, with a return envelope included. When survey responses are completed, George and Linda are entering the data into an Excel spreadsheet. The information gathered includes personal details such as name, address, birthdate, gender, and email address, as well as the participants’ responses to questions about their medical history, living arrangements, family history with addiction, and participation in cultural activities. Ron is taking a course on how to use Tableau, so that he will be able to analyze the data from the spreadsheet and produce reports.

In order to protect the privacy of citizens who participate in the survey, the following privacy protocols have been implemented for this project:

  • Participants who come in to complete the survey in person are taken to a separate room for the interview. Phone interviews are done by George or Linda in their shared office, with the door closed. In both cases, the interview begins with a verbal disclaimer that the participant’s responses will be kept confidential and only be used for the purposes of the social well-being project.
  • Only Ron, George, and Linda have access to the spreadsheet containing the survey results. Ron is concerned about keeping the information on the internal network because he is not convinced that other staff won’t be able to access it, so he stores the files on a USB stick, which he keeps locked in his desk drawer. George and Linda also have a copy of the spreadsheet on a second USB stick, which they share between them.
  • The return envelopes for the mailed survey forms are marked “Confidential”, and the receptionist has been instructed not to open any completed survey forms that are returned. These forms are given directly to Ron.
  • When updating the Chief and elected councilors, Ron is careful not to include any names in his reports.

Situation #1: One day Ron, George, and Linda are in the staff lunchroom, discussing the difficulties they are having getting complete responses to their survey from certain households in the community. They name a few citizens that they have contacted multiple times. Several other staff members can hear their conversation, including Mary, the Membership Coordinator, who is a relative of one of the citizens named in the conversation. That night, Mary contacts her relative to tell them that HSS staff are frustrated by their lack of response to the survey. The following day, Mary’s relative contacts the Executive Officer to complain that Ron, George, and Linda have violated her privacy.

Did Ron, George, and Linda violate the citizen’s privacy? The answer is yes. Whether or not someone has responded to a survey is considered personal information, because it is information about an identifiable person. Furthermore, discussing someone’s personal information within earshot of other staff has the same effect as not protecting confidential documents. Verbal privacy violations can result in time consuming and costly legal action. Sulingituk Government needs to implement privacy training to address this with all staff.

Situation #2: George decides to take his laptop home so he can get some data entry work done over the weekend for the survey project. That evening, his car is broken into and his laptop is stolen. The USB stick containing all of the survey results, which was in the laptop bag, is gone. Whoever stole the laptop will be able to access all of the survey information on the USB. What could Ron, George, and Linda have done to make their data more secure?

The first issue is that the data on the USB stick itself was not secure. Because the data is stored on a mobile device, there is an increased risk that it could be lost or stolen, since it can easily be physically removed from the office. This is a situation where layered data protection measures are required – password protection and user authentication measures for the laptop, combined with encryption of the data on the USB stick itself, would ensure that the personal information on the USB is protected if the device falls into the wrong hands.

The second issue is that all of the data is stored in one place. It is a better practice to store personal identifiers, such as name, birthdate, and gender, separately from other sensitive information such as medical history or cultural knowledge. Participants can be assigned a unique personal identifier, such as a number, that can be used to link the data sets together. That way, if the sensitive information is accessed inappropriately or stolen, it is unlikely the person accessing the information will be able to connect the sensitive information back to the individual.

This situation shows how the level of protection should be proportionate to the level of sensitivity of the information.

Situation #3: A Sulingituk citizen requests a copy of the raw survey results, including all personal information other than name and email address. Sulingituk’s privacy policy doesn’t include any specific provisions related to survey data. Ron, George, and Linda don’t believe the raw survey data should be released, even with the names removed, but they cannot find any provisions in Sulingituk laws or policies to support that conclusion. They decide to consult with Sulingituk’s legal counsel and the Records and Information Officer.

What options does the Sulingituk Government have in this situation? One would be to release raw survey data without any personal identifiers for those citizens that responded. This would mean scrubbing the data of anything that identifies an individual, including name, image, birthdate/age, gender, address, email address, ID number, etc. But this approach still carries some risk. A better option could be releasing the survey’s data points in aggregate (i.e., individual data points combined together, for example through a sum or average), but only if there are at least 4 respondents for each aggregated data point. This would ensure that respondents’ personal information is more fully protected.

Ideally, Sulingituk Government should develop a policy incorporating recommendations related specifically to survey data, so that they have a process in place when this kind of information is requested in the future.