RESPECT  |  TRUST   |  INCLUSION  |  DISCOVERY  |  EXCELLENCE

A Well-Intended Survey:

Protecting Student Data Privacy

A department plans to survey a group of Duke students to improve student engagement. The department found a vendor (third-party) which allowed the department to participate in a consortium of other colleges and universities with similar survey goals. The department planned to email a survey link to the students. Students wishing to participate would click the survey link directing them to the third-party Qualtrics survey. At the end of the survey collection period, the Duke department would have access to Duke students’ de-identified results plus peer comparisons against participating consortium members in a Tableau dashboard. The department engaged the third-party vendor through Duke’s procurement process and an agreement was signed.

Duke’s Values in Action

Duke faculty, staff, students, patients, collaborators and research subjects entrust us with their personal and confidential information.  We balance the free exchange of information with the need to protect sensitive or regulated information and to ensure information is available for authorized use.  We keep information confidential and use it only with permission and for its intended purposes.

Relevant Policies:
Policy and Procedure under FERPA
Duke University Privacy Statement
Data Classification Standard

Resources:
Duke University Privacy Incident Assessments
Procurement and Supply Chain Management – Vendor Resources

Fact finding and intervention:

A few days before the survey was scheduled to be sent to Duke students, the Campus Institutional Review Board (IRB) learned about this pending project and alerted the Office of Audit, Research and Compliance (OARC) Privacy program and Duke’s Information Technology Security Office (ITSO).

The third-party survey was collecting and processing data directly from students on behalf of Duke as opposed to having Duke collect and de-identify the data before it was shared, increasing the risk of data privacy concerns under Family Educational Rights and Privacy Act (FERPA) if consent was not sought. Both OARC and ITSO immediately requested the Duke department hold off until a Privacy and Security review was performed, thereby delaying the survey launch by a few days.

Resolution and action plan:

Duke Privacy reviewed the third-party vendor to evaluate their processes for collecting, processing, storing, and deleting data to ensure alignment with applicable regulatory requirements, including the FERPA, Duke policies and procedures, and the vendor agreement. Duke Privacy recommended that:

  • Duke or the vendor solicit student consent which includes notification that the respondent’s data is being collected, processed and stored by a third party.
  • The department work with Procurement and Supply Chain Management to modify the Agreement to address privacy expectations.
  • The department use a Duke-approved, enterprise-wide secure data storage location to store and process survey data provided back to Duke by the third-party vendor.

Once student information privacy and consent recommendations were addressed, the department moved forward with the survey as planned.

*This vignette is loosely based on real cases received through Duke’s Speak Up program and/or other investigatory offices.  Creative license was taken to protect the identities of those involved.*