Qualtrics Acceptable Use and Data Security
The Qualtrics license grants the University of Minnesota permission to use the software solely for University purposes, and expressly prohibits use by third parties. If users do not adhere to the Qualtrics Acceptable Use terms, they may be subject to liability.
Qualtrics Unacceptable Use
Users must not send a survey project to University faculty, staff, and/or students if the survey project is unrelated to a University academic or employment need.
Users must follow the University’s Internal Mass Email requirements. Additionally, users must avoid excessive use of the Qualtrics Mailer. Excessive use is defined as use that is disproportionate to that of other users, is unrelated to academic or employment-related needs, or that interferes with other authorized uses.
The University Survey Advisory Team (U-SAT) may require users to limit or refrain from certain survey projects in accordance with this provision. Please complete the Online Survey Assistance Request Form to determine if your survey project meets these acceptable use terms. For questions, please contact U-SAT at email@example.com.
When using Qualtrics, templates should be chosen based on your relationship to the University. All Qualtrics surveys conducted by faculty and staff should use an official University of Minnesota template. Registered student organizations may use the Block M template but no other official University of Minnesota templates. Students should not use any of the official University of Minnesota branded templates and should instead use the Qualtrics branded templates. Templates can be found in the “Look & Feel” section of the Qualtrics survey builder. See more information about survey branding guidelines.
Qualtrics has acknowledged that its offerings are HIPAA compliant by entering into a Business Associate Agreement (BAA) with the University of Minnesota. This means that if your survey will involve Protected Health Information (PHI), Qualtrics will handle the PHI in a manner that is in compliance with the law. PHI generally consists of individually identifiable medical and health information.
Qualtrics offers Transport Layer Security (TLS) encryption (HTTPS) and survey security options like password protection and HTTP referer checking. Their servers are housed in a tier one data storage facility that includes security measures such as biometric entry and double card swipe.
Read more about Qualtrics data security here:
- Qualtrics Data Security Documentation
- Qualtrics Security Statement
- Human Research Protection about HIPAA Data Resources
Access to Data
In the best interest of protecting data privacy, there will be a limited number of administrators who have access to Qualtrics. If you are a researcher and need to include the number of people who have access to the data in your documentation to IRB or granting agencies, be sure to list five brand administrators in Information Technology.
Third-Party Survey Software
The current survey software available system-wide is Qualtrics. Qualtrics is the preferred online survey tool of the University of Minnesota because it meets stringent information security requirements not found in most free online survey tools. The text below has been approved by the Office of General Counsel (OGC) regarding reasons University faculty, staff, and students should not purchase or use other third-party survey software (such as Survey Monkey or Zoomerang).
A click-through agreement is a contract, and the University can be liable under the contract. The “click-through” license agreements that users must “accept” before using a software program are subject to the same principles as contracts that are formed in any other way, meaning these click-through agreements are legally binding contracts. When a University employee enters into such an agreement, they are doing so on behalf of the University. Therefore, the University as a whole (not just the employee) may be bound by this employee’s agreement, and may also be liable under it. These click-through agreements can also violate University policy and practices regarding contract review, uncapped liability, and jurisdiction over which state’s laws govern. Under University policy, the OGC must review any contract not in the University’s standard Contracts Library.
Click-through agreements can also grant ownership of your (and therefore, the University’s) data to the software company. Most third-party hosted sites claim to own the content on their site. Not only would this mean loss of valuable intellectual property for individuals and the University, it could also violate the Minnesota Government Data Practices Act or the federal Family Educational Rights and Privacy Act.
Use of third-party survey software could violate privacy laws. State and federal laws prohibit disclosure of certain information about students, and require specific security measures to prevent unauthorized access to this information. Without official contracts verified by OGC to ensure the safety of this data, the third-party survey software vendor may have no legal responsibility to uphold these standards.