Sensitive Data Policies

Johns Hopkins’ Qualtrics is authorized for sensitive data; however, the survey/project administrator(s) are responsible for the security of the data collected and used within Qualtrics. This document provides best practices for how survey administrators can protect their survey data.

Sensitive data includes: FERPA & HIPAA protected data, PII, etc.

Please familiarize yourself with the current Johns Hopkins Sensitive Data Policies.

  • JHU PII policy 
    • “All members of the University community are responsible for ensuring that the number and scope of physical and electronic copies and repositories of PII are kept the minimum necessary and only for the time period where a valid business need for the information exists.”
  • JHU FERPA information
    • Eligible students “have the right to consent to disclosures of personally identifiable information contained in the student’s education records.”
  • JHM HIPAA policies
    • “In accordance with HIPAA, the Plan shall make reasonable efforts to limit the Use and Disclosure of, and requests for, PHI to the Minimum Necessary required to accomplish the intended purpose of the Use, Disclosure or request.”
  • MyLearning FERPA & HIPAA Courses:

Best practices within Qualtrics

  • Consider the design of your survey and only collect data that’s absolutely necessary.
  • If you choose to use the Demographics Library in Qualtrics when building your survey, be aware that phone numbers, US Social Security numbers, driver’s license numbers and credit card numbers are sensitive data.
  • Do not include sensitive data in automated emails from Qualtrics. Automated emails include distribution emails from Qualtrics to other users on submission of a survey.
  • Do not include sensitive data within shared group libraries.
  • Minimize permissions given to collaborators. Do your survey collaborators need to see all the data collected?
  • Do not share public reports of data with anyone outside the intended users.
  • When sensitive data is not necessary, create reports/dashboards that do not include it. Consider using Conditional Filtering.
  • Use Johns Hopkins SSO for account access. A username and password is not a secure method.
  • Avoid collecting photos for identification. You are allotted only a small storage space (100MB per survey response) in Qualtrics. Consider using a short video chat to confirm identities outside of Hopkins.