Guide to creating a survey


Several kinds of surveys can be used to collect feedback from members of the personnel.

Starting from the highest confidentiality level, the first kind of survey is the anonymous survey, where no personal data is collected and survey respondents cannot be identified and cannot subsequently identify their own responses.

Next, we have the identifying survey, which involves collecting personal data directly and/or includes responses that enable individuals to be identified.

Lastly, we have the long-term survey, which requires participants to be identified, managed and followed up over a certain period of time.

Given that long-term surveys are rarely used at CERN, they are not covered by the recommendations in this guide.

The advices below are intended to guide you through the process of creating your survey, sending out the invitation to complete the survey and creating a Record of Processing Operations (RoPO).



 1. Selecting tools/services


→ Protect personal data
→ Use tools compliant with personal data management principles
  • What tool will you use to create your survey?

CERN provides internal tools that its personnel can use to create surveys (for details, consult the list of IT tools for surveys).

If you are planning to use a tool that is not yet available at CERN, please contact the Cloud Licence Office (CLO) before using or buying the tool (even if it is freely available), and remember to allow enough time (two to three months) for the services in question to process your request.

A note of caution: The use of a freemium tools (i.e. a tool made available by an external provider - commercial or not - with certain features which are free to use) still requires CERN to establish an agreement with the provider. In general CERN members of the personnel do not have the right to sign Terms of Service or Contracts with providers and start using these tools to process personal data for work related matters. To use an external provider, CERN services must establish an enterprise agreement with adequate data protection measures, which is typically done during the procurement process.

  • Do you need help to select a survey tool?

If you need help to select a tool, please contact CERN’s IT Consulting Service.

  • Are you planning to outsource your survey?

If you would like to outsource your survey to an external supplier, please allow two to three months for a contract to be drawn up and the company’s personal data management practices to be checked. It is recommended that you request an anonymised report of the survey responses and do not ask to see the personal data collected. You can find more information about outsourcing on this website under “Processing by External Entities”.



 2. Preparing the survey


→ Identify your target group
→ Prepare the invitation
  • Did you know that preparing your survey often involves processing personal data?

You are probably targeting a specific audience with your survey and want to invite them to take part in the survey. Don’t forget that this stage already involves processing personal data. For instance, when you:

  • generate a mailing list of the target audience based on information collected from a database, like the the names and e-mail addresses of people who meet your criteria and then;
  • send an e-mail to the mailing list with the invitation to take part in the survey.
  • Do you need to complete a Record of Processing Operations (RoPO)?

You need to document the processing of the data used to identify the target group through a RoPO and you should refer people to the RoPO in the survey invitation. If you regularly contact the target group as part of your service’s everyday work, this data processing will already be covered by an existing RoPO.

Else, you should check whether the generic Survey privacy notice, published by the “Online Survey Solutions” service meets your needs. It targets CERN internal surveys carried out with standard tools provided by CERN. Included are the identification of the target audience using standard filter criteria, the contact via e-mail and the collection of the replies to the survey incl. the login to the tool.

In case the generic privacy notice is not suitable and you don’t have RoPO, you must create a new one covering the invitation and the survey.

When sending the invitation (e.g. by e-mail) to your target audience:

  • Add a link to the privacy notice
  • Explain which tool will be used for the survey
  • Make clear in your message that your service is the Controlling Service, which should be contacted in case of questions or if a person concerned would like to exercise their data subject rights.
  • What should you include in the RoPO in case you have to create a new one?

Don’t forget to include the selection criteria, as they also count as personal data that you are processing in order to invite people to participate.

For example, if your survey targets staff members in the HR department who will be retiring soon, you would document the following selection criteria: status, department and age.

  • What legal basis should you indicate in the RoPO?

This kind of processing is usually conducted as part of the legitimate interests of the service concerned if the target group may expect to be contacted for this survey. For instance:

  • when your service is in charge of managing the activities of the population concerned and the survey is focused on this aspect (e.g. a customer satisfaction survey);
  • when the individuals supply their contact details in order to be contacted.

If you have any doubts, ask yourself the following question: Would I be surprised to receive the survey invitation? If you answer “no”, it is safe to assume that you have a legitimate interest.

  • How long should the data be retained?

All the data processed in preparing the invitation should be deleted without delay after the invitation and possible reminders have been sent, by the latest after the end of the survey.

  • How do you inform the target group?

In the invitation e-mail, it is important to include a link to the privacy notice (i.e. the RoPO, once it has been published on the Service Portal) and to stress the voluntary nature of the survey.



 3. Context of the survey


Think carefully about your use of personal data
  • Do you process personal data with your survey?

If you are using a tool for your survey that requires the login of the respondents to control the access to the questionnaire, you will necessarily process personal data, such as account name, login name, IP address, cookies.

Also if you have questions in your survey whose replies allow either the direct or indirect identification of the respondent, you will process personal data.

  • Does your survey form contain personal data?

This is the case if you are collecting data such as e-mail address, telephone number, CERN ID or Person ID.

This is also the case if your survey includes demographic questions where the response will make it possible to identify individuals by a process of deduction, especially if the group targeted by the survey is relatively small.

Wherever possible, it is best to avoid collecting personal data. And if you do have to collect it, only collect what is strictly necessary.

In particular, collecting sensitive personal data, such as data related to health, political views or philosophical positions, is authorised only under very specific conditions. If it is absolutely necessary to collect sensitive data, consider using an external company to generate and analyse the survey results and present them in the form of anonymised reports, without divulging the content of the responses.

By adjusting the survey questions and/or the multiple-choice response options, you may be able to avoid processing personal data. For example, you can use an aggregated approach: instead of asking people’s exact age, opt for age bands like “30-39 years old”.

At the end of the day, you have two possible scenarios:

Scenario 1Anonymous survey:
Individuals cannot be identified in your survey, so you are not processing personal data. This means that you do not need to create a RoPO for the survey, but you may need to do so for the invitation.

Scenario 2Identifying survey:
You are collecting personal data in your survey, therefore you need a RoPO: Either you can refer to the generic Survey privacy notice, if applicable, or you need to complete a RoPO.

You could include the information in the RoPO that you created for the invitation, if relevant, although that risks making the document complicated.

Alternatively, you can create a separate RoPO.

Either way, the collection and processing of data from the survey must be done with the individuals’ consent. You must not keep the data any longer than is required to analyse it. According to CERN's Data Retention Guidelines, the data must be deleted no later than six months after the end of the data analysis. Instead you may consider to anonymise the data.

Don’t forget to include a link to the privacy notice (either the generic one or your own one) in your survey form.



 4. Creating the survey


→ Inform people
→ Get consent
  • Do you need help to create the survey?

If you need help to create your survey, you can contact your departmental data privacy coordinator (DDPC).

A few recommendations

Recommendation 1: Think carefully about whether you need to collect personal data and why. Don’t include demographic data (e.g. age or nationality) that could ultimately allow an individual to be identified. Only collect the data you really need. If you follow these tips, the RoPO will be easier to complete.

Recommendation 2: Decide on a reasonable data retention period, in accordance with the Data Retention Guidelines, which should be indicated in the RoPO. Once that period has elapsed, the data can be anonymised and preserved in the form of statistics.

Recommendation 3: Refer to the RoPO in your invitation e-mail or message introducing the survey, and mention that participation in the survey is voluntary. People must give their consent for their personal data to be collected. By responding to the survey, they are giving their consent.

Recommendation 4: If you are using the generic Survey privacy notice, explain in your message which tool will be used for the survey and that your service is the Controlling Service, which should be contacted in case of questions or if a person concerned would like to exercise their data subject rights.

Recommendation 5: People retain ownership of their personal data. They need to be able to ask for it to be deleted or corrected.



 5. Creating a Records of Processing Operations (RoPO)


Use an RoPO where necessary
  • Do you need help to create the RoPO?

If you need help to create a RoPO, you can contact your departmental data privacy coordinator (DDPC).

The “Records of Processing Operations” procedure is available in the Admin e-guide.

  • Where can one find some examples?

If you are lacking inspiration, you can have a look into the Layered Privacy Notice and perform a search on the web page (with your browser specific "find on page" functionality) to locate those notices that have the word “survey” in the title. You can also consult the generic Survey privacy notice published by the Online Survey Solutions service.

  • Shall you establish every time a new RoPO for a survey that is carried out recurrently, for instance once per year?

For recurrent surveys, you can either foresee your own generic RoPO covering all surveys if the surveys involve the same data processing, or to clone an existing RoPO displayed in the Layered Privacy Notice and adapt it to your needs.

  • Are you obliged to document both invitation and survey into one single RoPO?

If necessary, you can document the preparation of the invitation in a separate RoPO. This step is important if you have preselected your participants based on criteria such as nationality or age in order to target your audience (through use of e-groups or other contact lists). You should set a retention period after which you will delete this list.

  • In the context of an event you are organising, you will present the participants with a survey to measure their satisfaction. Do you need two separate RoPOs, one for the event, another for the survey?

It is possible to group in a same RoPO the organisation of an event and the survey provided that it is clear for the concerned persons what each part relates to and that the different activities are well documented.

Mind that the generic Survey privacy notice published by the Online Survey Solutions service does not cover the processing of personal data for the event!

  • How can you get a Privacy Notice?

Once published, the RoPO will be converted into a Privacy Notice and will be available on the Service Portal.

It is to be mentioned that, before its publication, a RoPO must be reviewed by the Office of Data Privacy. Should the publication be urgent, you may get in touch with your Departmental Privacy Coordinator who will be in charge to contact them.


A few recommendations

Recommendation 1: Start by mentioning the invitation and the service in charge of the survey.

Recommendation 2: For each demographic question, provide details of the personal data that will be used, stored and shared, and explain the purpose of the question. Group more general questions together. Also provide details of special questions.

Recommendation 3: Indicate what technical information is automatically detected and recorded (e.g. IP address) when the member of the personnel goes to the survey website.

Recommendation 4: If you are using for your survey an IT platform provided by CERN, for instance if the survey is running on SharePoint or hosted on a web site under DRUPAL, don't forget to mention the corresponding service (such as the IT DRUPAL service) in the RoPO under "Who at CERN has access".

Recommendation 5: If you use a non-CERN external supplier, check their personal data management practices (e.g. marketing, analysis, sharing with other suppliers).

Recommendation 6: Set a short retention period for the survey responses, then anonymise the personal data.




 6. Processing the collected data


A few recommendations

Recommendation 1: You should anonymise the data at the earliest possible opportunity.

Recommendation 2: The results that you publish should be anonymous unless you have explicit permission to publish people’s responses with their names.



 7. Walking you through the RoPO process


Decision tree