IRB Policy on Electronic Surveys



Currently, the principal media for electronic surveys are e-mail and the Web, but additional possibilities may emerge through the proliferation of ubiquitous handheld devices that combine phones with text messaging, Internet access, GPS and other capabilities. 


E-mail surveys


Although e-mail is often a convenient and effective way to contact and communicate with potential research subjects, the IRB prohibits the use of e-mail as a data collection medium for any true research surveys of human subjects.  E-mail is a fundamentally insecure medium.  E-mail messages are typically transmitted to a number of different computers, with multiple possibilities for interception, before reaching their final destination.  At each intermediary computer, backups can create additional copies of the original message.  Messages may thus reside on one or more servers for extended periods, during which time they may be read, subpoenaed, etc.


Theoretically, it is possible for subjects to return surveys through anonymous re-mailers, but interception and duplication remain possible during the initial transmission, and information on re-mailer servers is still subject to subpoena.  It is also possible to conduct secure e-mail surveys with encryption technology, but this is rarely used in actual practice.


In short, subjects cannot be assured of the confidentiality of their data in e-mail surveys. E-mail may be safely used as a vehicle only to contact potential subjects, who may then be given the option to (a) print and return an anonymous survey via campus or surface mail, or (b) go to a Web link to complete an online survey (see below).


Web Surveys


  • Training Certification:  For Web-based surveys that are considered true research under the federal definition, investigators must first complete the online module in the CITI ethics training program:  “Internet Research” (SBR—Social Behavioral Research Track). Completion of this module is in addition to the standard modules that all human-subjects researchers at Bucknell must complete.

  • Responsibilities of Web Surveyors:  In designing protocols for Web-based research, investigators must consider factors at the “front end” (factors related to survey administration that the researchers can control directly) as well as those at the “back end” (the collection, processing and storage of data behind the Web Survey interface).  It is the investigator’s responsibility to assure that the survey is implemented in ways that protect the anonymity of the subjects or the confidentiality of their responses.

Front End Considerations:  In reviewing the factors under the direct control of the investigator, the IRB will consider the following questions:

  • Will the survey be hosted by Bucknell or by another Web site?  If hosted using Bucknell’s survey software (WebSurveyor, now marketed as Vovici), the investigator can expect some standardization of human subject protections (see back-end considerations below).  If hosted by another site, it is the responsibility of the investigator to document policies and procedures that provide a level of back-end protection for human subjects that is at least equivalent to that which WebSurveyor (Vovici) provides.
  • Does the survey require anonymity or confidentiality?
  • How will subjects be recruited?  (Examples:  e-mail, campus mail, surface mail, departmental subject pool, person-to-person, etc.).
  • How will subjects access the survey? Will a login be required? If so, will all subjects receive a single login, or will every subject receive a unique login? This decision relates to requirements for anonymity or confidentiality. If the survey promises anonymity, and unique logins (e.g., BUIDs) are required, the researcher must ensure that login information will not be collected and stored in such a way that it can be connected to survey results.
  • How will informed consent be secured?  Examples: signed consent via mail or in person; consent form e-mailed and signed and returned via campus mail; implied consent (detailed informed consent page on the Web; proceeding further implies consent).
  • Incentives – The use of prizes or other incentives to encourage participation typically requires identifiable personal information about participants.  Incentive programs must be designed with care to ensure that subjects’ confidentiality of responses is not compromised.

Back End Considerations:  Data collected on a Web site is transmitted directly to a server, and Web surveys are thus not subject to the same interception risks as e-mail.  There are, however, a series of steps in the Web data collection process that require informed consideration by the investigator in light of the protections promised to human subjects.

  • Logging in – If subjects are promised anonymity, how will the researcher ensure that no identifying information (e.g. unique logins) will be collected and stored with the survey data?
  • Informed consent screen (if necessary) – As noted above, a separate screen, which respondents must view before proceeding to the rest of the survey, will be required unless the protocol makes other provisions for securing consent.
  • Scripts – These are programs that collect the data entered into forms and transmit the data to a file or a database.  Scripts typically have the ability to collect other information when the data is entered:  date, time, and IP address of the computer on which the survey was completed.  If a study requires anonymity, the highest level of protection is provided if the scripts do not collect IP address data. Because script data can be useful to system administrators, the IRB requires, as a secondary level of security, that the investigators/survey-administrators do not have access to script data (for further information, see the discussion of Web logs below).
  • Server – Files and databases will reside on a server. An important responsibility of the investigator is to ensure that the server is secure, employing various forms of protection including firewalls and encryption (e.g., Secure Sockets Layer [SSL]).  Often, servers used for research purposes are also dedicated (used only to collect survey data).  It is possible, however, to develop a secure survey on a server that is used for multiple Web applications (e.g., www.facstaff.bucknell.edu).
    Servers also have Web-logs that record key information (including IP address) of every visitor or survey participant.  For anonymous data collection, turning off the Web log provides the highest level of protection.  Web log data, however, is valuable to system administrators in tracking problems. An alternative is to document that Web logs are accessible only to system administrators and will never be shared with the experimenter.  In such a case, the survey is not strictly anonymous, but it is anonymous to the investigator.
    When data is received by the server, any identifiable personal information should also be separated immediately from the actual survey data.
  • Backups – All servers must be backed up to another location to protect the data.  The backup server should have the same protections (described above) as the server that stores the original survey data.
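
As an added illustration of the Scripts and Server points above (this is not Bucknell's or WebSurveyor's code; the field names and sample data are assumptions constructed for the example), a form-handling script can discard request metadata such as the IP address and split identifying fields from answers before anything is stored:

```python
import secrets

# Assumed names of identifying form fields; a real survey lists its own.
IDENTIFYING_FIELDS = {"name", "email", "buid"}

# Constructed sample submission: two answers plus incentive contact details.
SAMPLE_FORM = {"q1": "agree", "q2": "4",
               "name": "J. Doe", "email": "jdoe@example.edu"}
# Constructed request metadata the script can see when the form is posted.
SAMPLE_META = {"remote_addr": "198.51.100.7", "user_agent": "ExampleBrowser/1.0"}


def split_submission(form, request_meta):
    """Split one submission into (response_record, contact_record).

    The two records share no key, so a stored answer set cannot be
    joined back to the person who entered the incentive drawing.
    request_meta (IP address, browser) is received but never copied.
    """
    answers = {k: v for k, v in form.items() if k not in IDENTIFYING_FIELDS}
    contact = {k: v for k, v in form.items() if k in IDENTIFYING_FIELDS and v}
    # Random identifier, not derived from the login, IP address or time.
    response_record = {"response_id": secrets.token_hex(8), "answers": answers}
    contact_record = {"contact": contact} if contact else None
    return response_record, contact_record


def leaks_identity(record, form, request_meta):
    """Return True if a record to be stored contains any identifying value."""
    sensitive = {str(form[k]) for k in IDENTIFYING_FIELDS if form.get(k)}
    sensitive |= {str(v) for v in request_meta.values()}
    flat = repr(record)
    return any(value in flat for value in sensitive)


if __name__ == "__main__":
    response, contact = split_submission(SAMPLE_FORM, SAMPLE_META)
    print("survey store :", response)
    print("contact store:", contact)
    print("response leaks identity:",
          leaks_identity(response, SAMPLE_FORM, SAMPLE_META))
```

The two records belong in separate files or tables; a timestamp or row order common to both would reintroduce a link between them.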

If you are using Bucknell’s WebSurveyor (Vovici) software to conduct online surveys, you can assume that your data is secure.  If you use another on-campus Web server, you should treat it like a survey hosted off-campus and document that the data is secure according to the standards described above.


 10/9/2007