Surveys can be created and distributed to gather data in support of the University’s educational and research mission and organizational goals. Users should follow the Minimum Necessary Principle: collect only the minimum data required for the stated business, academic, or research purpose, and avoid unnecessary personally identifiable information (PII).

Approved Data Only – Qualtrics is approved for up to DCL 3 data. No data classified as DCL 4 (Highly Restricted) should be included in any survey. This service is not approved for collecting and storing Social Security numbers, identifiable health or medical information (HIPAA, Protected Health Information/PHI), e-commerce, export-controlled data, or Controlled Unclassified Information (CUI).

For more information on what is included in the data classification levels, visit this site (https://www.umsystem.edu/ums/is/infosec/classification-definitions).

Access Control and Sharing – Access to all survey projects and results should be limited to authorized individuals only, using role-based permissions and approved sharing methods (collaboration and user groups).

Secure Handling and Storage – Qualtrics data should not be downloaded, exported, or stored on unapproved devices, personal accounts, or nonsecure locations, and UM System data handling standards should be strictly followed.

Retention and Disposal – Qualtrics data should be retained only as long as necessary and should be securely deleted or archived in accordance with UM System retention policies and/or project requirements.

Compliance and Consent – All surveys and data collection should comply with UM System policies, IRB requirements (if applicable), and privacy notices, including informing respondents how their data will be used.

Incident Reporting – Any suspected data exposure, misconfiguration, or unauthorized access involving Qualtrics should be reported to Information Security.