How can the anonymity of survey respondents be assured?
In order to answer this question there are three main issues to consider, the first is the technical architecture of BOS, the second is the design of surveys themselves and the third is the behaviour of survey respondents. Each issue is dealt with separately:
BOS technical architecture
In general, all Web servers log a certain amount of information. Generally the most important information that is logged is the Internet Protocol (IP) address of the computer used to view the Web site. An IP address is a numeric address that is given to every computer attached to the Internet. A typical IP address might look like: 123.123.213.231
However, the situation is a bit more complex based on the local network setup and a single IP address does not necessarily apply to just one computer in some cases.
Our Web server logs these IP addresses but this is a common practice and virtually every Web site will log similar information. Although an IP address is known it would be impossible to tie this information back to an individual without the help of a network administrator responsible for that machine. So, for example, to attempt to identify an individual at your institution we would need to get an IP address from our server logs and then supply it to someone responsible for maintaining your computer network. Depending on the network setup, your network administrator may then be able to identify an individual. The important fact being that both bits of information are required and no one individual has both bits of information.
However, we would not give out this information from our server logs unless required by law. Other Internet Service Providers are also required to do the same. So a similar situation would exist should a survey respondent complete the survey from home.
The BOS service does use cookies but only in the Admin section and so this only impacts users creating/managing surveys and not those who simply complete a survey.
No information is stored on a survey respondent's PC unless they have local caching of form entries set up but this is out of our control and an issue for your local technical support people.
If you are using the “Survey access control” cost option then, by its very nature, this system will store the username of the respondent while they complete the survey. However, the survey author can choose whether this information is accessible within the survey results. If they opt not to store the username with the results then the results are anonymous. If a user logs in and starts a survey but does not complete it then their username is not retained.
Survey design
The design of your surveys is critical to ensuring users remain anonymous. It is possible to ask questions that, due to circumstances outside your control, could identify an individual. For example, a survey may be issued to postgraduate students. If one department has only a single PhD student then the answers supplied by that student could allow them to be identified if one of the questions asked them to name their department.
One further complication arises if several surveys are analysed together (which can be done within BOS). In these circumstances it could be that although an individual could not be identified from any individual survey the comparison of answers across multiple surveys could allow the individual to be identified.
Although we can advise on survey design identifying these potential problems is something that's often best dealt with at an institutional level since the issues are usually particular to that institution.
Respondent behaviour
It is entirely possible for survey respondents to provide information that will allow them to be personally identified. For example, if there is a free text question there's nothing to stop users from providing answers that could identify themselves (names, addresses, staff IDs etc).
This information would then be available to the administrators of the survey.
Also, some institutions ask users to provide an email address if they are willing to be contacted again in the future. This, by its nature, allows those users to be identified.
In addition, should a respondent save an incomplete survey and plan to return to it later then an email will be sent to them. This email will go through the email servers at the University of Bristol and then out to the wider Internet on its way to the email servers at your institution. There is therefore a risk that administrators of the email systems could see the details for respondents wishing to return to the survey (although the email does not contain details of the questions answered - just information on how to return and complete the survey). However, at most institutions, email administrators are covered by the same legal framework as those at the University of Bristol so that this information is protected. However, should users use 'home' email addresses then there may be an issues since this is out of your control.
If anonymity, privacy and security are important you should, in addition to reviewing the information above, consider purchasing our encryption option. This encrypts the data sent to and from the survey respondent's computer whilst they are completing the survey (in the same way as online shops encrypt credit card details) and ensures that the data cannot be intercepted en-route.