Personal Privacy Protection in an Austrian Online Survey


Anne Siegetsleitner and Martin Weichbold
University of Salzburg


Computer systems often change the framework of human subjects research. This is evident in the case of human subjects research on the Internet. Online surveys like the one we will critically examine in this paper involve new ethical challenges to the researcher. We will (1) consider the question which features of the survey are problematic from an ethical viewpoint regarding personal privacy protection and (2) make some recommendations how the design of the survey could be ethically improved without unreasonably impeding the new and desirable possibilities of online surveys. The results will not reveal great dangers because the data is not sensitive enough, nevertheless, they will show very well how ethical problems are currently handled in online research and how the situation can be improved.

The social research project we will examine was a common click-me survey on the World Wide Web carried out by a student of an Austrian university. In a questionnaire visitors of the official Web site provided by an Austrian tourist information were mainly asked for their evaluation of the Web site and their attitude towards an Austrian city. The communicated purpose was to improve the Web site, but the project was also carried out in order to get answers to methodological questions, e.g. how different versions of the questionnaire change the access and break off rate.

The examination will follow basic international privacy principles more or less implemented in national privacy laws. The basic question, however, is whether the data gained by the survey is personal data at all. Most answers asked for can be deemed ‘personal’ in the common sense of the term. The answer to the question whether it is personal data according to the European Union directive on data protection (95/46/EC) is more difficult. There, ‘personal data’ means any information relating to an identified or identifiable natural person. In our case, it depends mostly on the issue whether an IP-address in connection with the provided answers or some additional data is suitable to identify the respondent, and on the condition whether a respondent provided an e-mail address in order to participate in a lottery which was offered to the respondents. At least in the second case the data is also personal data in the strict sense.

The four core principles of personal privacy protection applied to the WWW and the respective problematic features of the survey are:

  1. Notice. Users of a Web site should be informed (a) what data is collected, (b) how it is collected, (c) for which purposes it is used, (d) whether the data will be disclosed to other entities, and (e) whether other entities are collecting data through the site. The questionnaire is accessible via a link at the tourist information’s Web site where participants were not informed that the data was directly provided to a server of a software company and that the project was carried out by a student as an academic survey. Nor were they informed about the fact that some data will be collected non-reactively and that resistant cookies were used. Moreover, they were only partly informed about the purpose of the survey.
  2. Choice. Users should be given the possibility to choose freely whether, by whom and for which purposes their personal data will be used. In the survey respondents could not deny the use of a cookie (if their browser did not provide this possibility) or the use of their data for the methodological purpose. Probably, they also got the misleading impression that the tourist information was carrying out the project. Therefore, the software company as well as the student got the data without the respondents consent.
  3. Access. Web sites should offer users reasonable access to data a Web site has collected about them. In this survey there were no such possibilities.
  4. Security. The provided data should be protected against unauthorized access, destruction or manipulation during transmission and storage and be stored in an anonymous form. In this case the data is not encrypted during transmission and storage, and not stored in an anonymous form. It is accessible to the software company.

Some of the improvements we recommend are:

First of all, it should be precisely determined who is responsible for carrying out the project, and who is authorized to get the data. The student? The tourist information? The software company which was consulted for practical reasons?

Notice: Potential respondents should be informed prior to the questionnaire about the responsible entity, who will get the data, and the general purpose of the survey. This can be done in a short form and a link to an extended version. Further information is problematic due to methodological reasons. But this information (e.g. the methodological purpose) should be disclosed at the end of the questionnaire and prior to final submission. This respects the respondents’ autonomy who should provide data freely.

Choice: Respondents should be asked for consent for the use of the cookie in a reasonable way.

Access: Respondents should have the possibility to ask for the deletion of all or part of the data (e.g. e-mail address), during or subsequently to the survey.

Security: As far as reasonable, data should be encrypted during transmission and storage, and decryption should be limited to the responsible entity. E-mail addresses should be separated from the rest of the data. Data that is not necessary or as soon as it is no longer necessary for the purpose of the survey should be deleted (e.g. deletion of IP-addresses after the control of multiple participation). The software company should be obliged to provide the security mechanisms.

With respect for the good will and the personal privacy of Internet users academic online research can preserve its high reputation. After all, these recommendations will not unreasonably impede the new and desirable possibilities of online research but increase its ethical score.