Qualtrics Acceptable Use and Data Security
The Qualtrics license grants the University of Minnesota permission to use the software solely for University purposes, and expressly prohibits use by third parties. If users do not adhere to the Qualtrics Acceptable Use terms they may be subject to liability.
Qualtrics Unacceptable Use
Users must not send a survey project to University faculty, staff, and/or students if the survey project is unrelated to a University academic or employment need.
Users must follow the University’s Internal Mass Email requirements. Additionally, users must avoid excessive use of the Qualtrics Mailer. Excessive use is defined as use that is disproportionate to that of other users, is unrelated to academic or employment-related needs, or that interferes with other authorized uses.
Surveys at the University of Minnesota are governed by the University Survey Advisory Team (U-SAT). For questions about whether or not your survey project meets acceptable use of Qualtrics, please contact U-SAT at [email protected].
Branding
When using Qualtrics, templates should be chosen based on your relationship to the University. All Qualtrics surveys conducted by faculty and staff should use an official University of Minnesota template. Registered student organizations may use the Block M template but no other official University of Minnesota templates. Students should not use any of the official University of Minnesota branded templates and should instead use the Qualtrics branded templates. Templates can be found in the “Look & Feel” Section of the Qualtrics survey builder. See more information about survey branding guidelines.
Qualtrics Security
Qualtrics has acknowledged that its offerings are HIPAA compliant by entering into a Business Associate Agreement (BAA) with the University of Minnesota. This means that if your survey involves Protected Health Information (PHI), Qualtrics will handle the PHI in a manner that is in compliance with the law. PHI generally consists of individually identifiable medical and health information.
Qualtrics offers Transport Layer Security (TLS) encryption (HTTPS) and survey security options like password protection and HTTP referer checking. Their servers are stored in a tier one data storage facility that includes security measures such as biometric entry and double card swipe.
Read more about Qualtrics data security here:
- General Qualtrics Security and Compliance
- Qualtrics Security Statement
- Human Research Protection about HIPAA Data Resources
- Qualtrics GDPR Compliance
- Qualtrics Data Protection & Privacy
- Qualtrics Transport Layer Security (TLS) Upgrades
Access to Data
In the best interest of protecting data privacy, there will be a limited number of UMN Qualtrics Brand Administrators who have access to UMN Qualtrics data. If you are a researcher and need to include the number of people who have access to the data in your documentation to IRB or granting agencies, contact [email protected].
Third-Party Survey Software
The current survey software available systemwide is Qualtrics. Qualtrics is the preferred online survey tool of the University of Minnesota because it meets stringent information security requirements not found in most free online survey tools. The text below has been approved by the Office of General Counsel (OGC) regarding reasons University faculty, staff, and students should not purchase or use other third-party survey software (such as Survey Monkey or Zoomerang).
A click-through agreement is a contract, and the University can be liable under the contract. The “click-through” license agreements that users must “accept” before using a software program are subject to the same principles as contracts that are formed in any other way, meaning these click-through agreements are legally binding contracts. When a University employee enters into such an agreement, they are doing so on behalf of the University. Therefore, the University as a whole (not just the employee) may be bound by this employee’s agreement, and may also be liable under it. These click-through agreements can also violate University policy and practices regarding contract review, and uncapped liability, and jurisdiction over what state’s laws govern. Under University policy, the OGC must review any contract not in the University’s standard Contracts Library.
Click-through agreements can also grant ownership of your (and therefore, the University’s) data to the software company. Most third-party hosted sites claim to own the content on their site. Not only would this mean loss of valuable intellectual property for individuals and the University, it could also violate the Minnesota Government Data Practices Act or the federal Family Educational Rights and Privacy Act.
Use of third-party survey software could violate privacy laws. State and federal laws prohibit disclosure of certain information about students, and require specific security measures to prevent unauthorized access to this information. Without official contracts verified by OGC to ensure the safety of this data, the third-party survey software vendor may have no legal responsibility to uphold these standards.