Don’t be scared about all the text.
I would be really happy if you share your experiences in the context of the employee engagement invitation process. We are currently facing some challenge in a customer project in regards to data privacy compliance. The project is about a pulse check (engagement) survey. Originally, the idea was to just take all employee contacts, add them as participant to the project and send the anonymous link via the Qualtrics invite message. The authentication must be ensured with SSO.
What’s the challenge?
The corporate privacy team complained about the fact that the employee contacts are added as participant to the project without having their consent about this as adding them as participant already means that their contact data is processed. So contacts should only be added as participant if they have actually agreed before to receive an invitation email. In our case it is of course voluntary to actually take the survey. However, this does not matter. It is about processing their data by adding them as participant. At this point, Qualtrics also already tracks their status (complete / not complete) which is even more critical as the employees did not agree on that beforehand.
Let me summarize the requirements:
- Employee contacts should only be added as participant to the project if they provided their consent beforehand
- The same employee should only be able to take the survey once (check should be secure and not be based on cookies)
- Taking the survey should not be possible for all contacts within the organization but only for contacts of one specific legal entity
- The responses should be anonymized or at least “pseudoanonymized”
- We would like to populate the department for each of the responses which is part of the contact’s metadata
Now let me explain which approaches we are taking into consideration. I would be interested in which approach you would prefer or if you even have other ideas to achieve the requirement.
Option 1: Invitation of all employees from Qualtrics with participant list
This is actually the first project where we are facing the concerns about having the contacts added as participants without any specific consent. For others, this was no issue so far as long as responses are anonymous and taking the survey is voluntary.
Therefore, we would still have the option in mind to just take all contacts, add them as participant to the project and send out the invitation.
✅ Easy sendout via Qualtrics
✅ SSO authenticator setting „Associate respondent with person by field” could be used to ensure that each contact can only take the survey once
✅ By adding just the contacts of the specific legal entity to the participant list and having „Associate respondent with person by field” enabled, employees of other legal entities within the organization would not be able to take the survey even if SSO as such would work
✅ As the response would be linked to a contact with setting „Associate respondent with person by field”, we would enable the “pseudoanonymization” feature of Qualtrics
✅ As the response gets linked to a contact due to „Associate respondent with person by field”, we would have the department available (excluded from “pseudoanonymization”
❌ The employees did not give explicit consent to be added to the project as participant even though they might not even want to take the survey
Option 2: Invitation of all employees outside of Qualtrics without participant list
We could take the anonymous survey link and populate it via the organization’s mailing system to the employees. We would not add the contacts to the participant list. Hence, setting „Associate respondent with person by field” needs to be disabled.
✅ Contacts are not added to the participant list which means that their data is not being processed if they do not take the survey
✅ Responses are completely anonymous
❌ Sendout via organization’s mailing system is not as easy to schedule as from Qualtrics
❌ The survey could be taken by the same person multiple times as the setting “Prevent multiple responses” is only cookie-based and not secure
❌ All employees of the organization (even from other legal entities) could take the survey as SSO would work for them and there is no check against the participant list
❌ The SSO authenticator is just for authentication and due to missing „Associate respondent with person by field” not connected to a contact which means that we are not able to fetch the department
Option 3: Invitation of all employees outside of Qualtrics without participant list but with manual selection of the department
Compared to option 2, we would enhance the survey by an org hierarch question so that the employees can select the department on their own.
✅ Contacts are not added to the participant list which means that their data is not being processed if they do not take the survey
✅ Responses are completely anonymous
❔ The manual department selection is error-prone and is in worst case used to (positively or negatively) affect the results of a specific department
❌ Sendout via organization’s mailing system is not as easy to schedule as from Qualtrics
❌ The survey could be taken by the same person multiple times as the setting “Prevent multiple responses” is only cookie-based and not secure
❌ All employees of the organization (even from other legal entities) could take the survey as SSO would work for them and there is no check against the participant list
Option 4: Invitation of all employees outside of Qualtrics without participant list with unique identifier as SSO attribute and API-based response update
As you know, there is the setting “Capture respondent identifying info” for SSO authenticator elements which allows to pass an additional attribute from the identity provider to the survey while SSO. We would use that and pass for each user the Qualtrics contact’s unique identifier when a survey is taken. We would then trigger a workflow for each new response, read the contact’s metadata via the get participants API, extract the department from the result and then use the update response API to add the department information to the new response and clear the unique identifier value which was passed as SSO attribute. The response would be completely anonymous and just have the department.
✅ Contacts are not added to the participant list which means that their data is not being processed if they do not take the survey
✅ Responses are completely anonymous
❔ The API-based approach to fetch the department and set it for each response might be error-prone and would require some monitoring
❌ Sendout via organization’s mailing system is not as easy to schedule as from Qualtrics
❌ The survey could be taken by the same person multiple times as the setting “Prevent multiple responses” is only cookie-based and not secure
❌ All employees of the organization (even from other legal entities) could take the survey as SSO would work for them and there is no check against the participant list
Option 5: Invitation of only those employees who gave their consent via Qualtrics
Of course, last but not least, the organization could ask all employees about their consent to receive a pulse check invitation and their contact data to be processed as part of the project. This would be the most secure way, however, it would also require additional ressources, time and organization. Ideally, a long-term solution would be to have the consent information (maybe also separated for each project type) directly integrated from SuccessFactors so we could easily filter the contacts when importing them from the directory.
✅ Easy sendout via Qualtrics
✅ SSO authenticator setting „Associate respondent with person by field” could be used to ensure that each contact can only take the survey once
✅ By adding just the contacts who gave consent and having „Associate respondent with person by field” enabled, other employees (who did not give consent) could not take the survey even if SSO as such would work
✅ As the response would be linked to a contact with setting „Associate respondent with person by field”, we would enable the “pseudoanonymization” feature of Qualtrics
✅ As the response gets linked to a contact due to „Associate respondent with person by field”, we would have the department available (excluded from “pseudoanonymization”)
✅ Only data of those employees processes who gave their consent before survey invitation