Ensuring Compliance: A Necessary Step

Ensuring Compliance with UC, State, and Federal Rules and Regulations

It is essential that all surveys meet federal, state, and university policies and regulations, including those that govern Human Subjects Research, and it is the responsibility of those conducting the survey to ensure policies and regulations are met.

Use the resources below to ensure that your data collection project adheres to:

  1. Human Subjects Research requirements
  2. Family Educational Rights and Privacy Act (FERPA)
  3. UC Merced Data Use Policy
  4. HIPAA

Human Subjects Research

It is the responsibility of the Institutional Review Board (IRB)/IRB Office to determine whether your survey project is considered Human Subjects Research and, if so, whether IRB approval is required. Information regarding this process can be found here: http://rci.ucmerced.edu/irb/researchers/decision-charts

The key question is whether your survey is considered human subjects research as defined under the requirements of the U.S. Department of Health and Human Services (HHS) regulations at 45 CFR part 46 (http://www.hhs.gov/ohrp/humansubjects/guidance/45cfr46.html#46.101). Generally, surveys conducted exclusively to evaluate or compare programs, practices, curricula, methods, or outcomes for use solely by the University do not require IRB approval. If the survey is determined not to be research as defined by HHS, then IRB review and approval or exemption is not required.

Please contact the Office of Research Compliance and Integrity at 209-228-4805 or irboffice@ucmerced.edu with the details of your survey so that a determination can be made before implementation (and before submission to the Survey Coordination Committee).


Determine if your survey project involves the use of protected educational records, and if so, ensure compliance with the Family Educational Rights and Privacy Act (FERPA). Information about adherence to FERPA can be found on the UC Merced Registrar FERPA webpage: http://registrar.ucmerced.edu/policies/ferpa

The key question is whether you are using student data that originated in Banner or another Student Information System (SIS; e.g., CROPS, CatCourses/Canvas).  This can include, but is not limited to, basic demographic or background information (e.g., gender, race/ethnicity, etc.) or educational data (e.g., GPA, courses completed, etc.).

If no, your data is not subject to FERPA regulations. For example, if you ask in your survey that a student report his/her gender, GPA, etc., this data is not regulated by FERPA because it was provided by the student and was not derived from official educational records.

If yes,

  1. Determine whether the data you are using is Directory Information by visiting: http://registrar.ucmerced.edu/policies/ferpa#Directory. Directory information can be released unless the student has completed a “nondisclosure form” with the Registrar.
  2. Any other student record information extracted from official educational records is protected and cannot be used unless the individual(s) seeking to use it is performing a task (i) specified by his/her job description; (ii) specifically related to his/her participation in the student’s education; (iii) specifically related to the discipline of a student; or (iv) specifically related to providing a service or benefit associated with a student or student’s family.

If in doubt, contact the Office of the Registrar at 209-228-7178 or registrar@ucmerced.edu.

UC Merced Data Use Policy

Determine if your survey project involves the collection and storage of protected or confidential data. For information on types of data and storage, follow the guidance in the UC Merced Data Classification and Usage Guide.

In general, we advise the following:

  1. Use Qualtrics, if conducting a web-based survey.  For information about obtaining a Qualtrics account, please visit: http://it.ucmerced.edu/services/qualtrics-surveys/.
  2. Ensure survey data are stored in a secure location, particularly if using a web- or cloud-based storage location.
  3. Determine if your survey data will be confidential or anonymous and act accordingly.
  4. Report only the results for questions with 5 or more responses per response category.
  5. Do not share raw survey data with people outside of UC Merced.

Using web-hosted survey tools: If you plan to administer your survey via the web, use of the University’s survey administration system, Qualtrics, is recommended.  Institutional Research and Decision Support (IRDS) and IT selected Qualtrics to be the official UC Merced web-based survey tool and jointly support and manage Qualtrics accounts.  Qualtrics is FERPA compliant. For information about obtaining a Qualtrics account, please visit: http://it.ucmerced.edu/services/qualtrics-surveys/

If an off-campus site hosts the survey (e.g. Survey Monkey, Google Forms, etc.), the investigator is responsible for the security and privacy of the data. Thus, the investigator should ensure that the external host system provides security in both data transfer and storage (e.g., disassociation of responses from the Internet (IP) address, SSL encryption, full encryption of data-at-rest, and firewall and intrusion prevention technology). Also, special attention must be given to users with shared access accounts to off-campus sites.  If multiple users have access to the same account, it is up to the account holder to ensure that respondent privacy is protected.

Data access and storage: The person conducting a survey (the investigator) is responsible for managing, storing, and releasing the data collected in compliance with [policies]. In the information that follows, the term identifying information refers to information that can easily be used to identify an individual and includes, but is not limited to: student/employee id, name, address, email address, and phone number.

Generally, with respect to the data collected via a survey:

1. Data should be stored in a secure location (e.g., on a password protected computer, in a locked office, in a locked file cabinet). See the UC Merced Data Classification and Usage Guide for information about secure web or cloud-based storage locations.

2. Confidentiality must be maintained if confidentiality was offered to survey respondents at any point in the surveying process. Confidentiality means only the investigator(s) can connect survey responses to the individual that provided the response.  Others with access to survey data will only see versions from which all identifying information has been removed.  The investigator(s) must make every effort to prevent anyone else from connecting individual respondents with their responses on the survey.

3. Anonymity must be ensured if it was offered to survey respondents at any point in the surveying process. This means email addresses and other identifying information should not be used to administer the survey. Providing anonymity of information collected from survey respondents means that the project does not use or collect identifying information of individual respondents.

4. Raw data from surveys are typically not shared with people outside UC Merced except under special circumstances (e.g., a data sharing consortium). If survey data are shared:

Reporting:  Generally, results should not be reported if there are fewer than “five members per entry” (e.g., responses). Aggregated data with fewer than five members per entry should only be reported if a “reasonable person” could not identify an individual and obtain protected information. (link to policy http://irds.ucmerced.edu/docs/other/IPA%20student%20reporting%20guidelines.pdf)


Determine if your survey project is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The key question is whether you are using information from health records, which is unlikely.

HIPAA regulations apply to employees, health care providers, trainees and volunteers at UC medical centers and affiliated health care sites or programs and employees who work with UC health plans. HIPAA regulations also apply to anyone who provides financial, legal, business, or administrative support to UC health care providers or health plans.

If yes, ensure HIPAA compliance. Information about adherence to HIPAA can be found on the University of California Office of the President webpages: http://www.ucop.edu/ethics-compliance-audit-services/compliance/hipaa/hipaa-security-compliance.html and http://www.ucop.edu/ethics-compliance-audit-services/compliance/hipaa/index.html