

EMU Research

Guidelines for Online Survey Research for use with Human Subjects

University Human Subjects Review Committee, Eastern Michigan University
200 Boone Hall, Ypsilanti, MI 48197, (734) 487-3090,
[email protected]

The ability to use computers or applications to collect, store, analyze, and transmit data involving human subjects is evolving quickly. These new research methods present opportunities to disseminate surveys to larger numbers of subjects, but they also present new challenges for researchers in protecting their participants. Eastern Michigan University has always sought to provide the same level of protection to human subjects as was provided by the more traditional non-electronic methods.

All studies, including those using computer and internet-based applications, must:

  • Ensure that procedures fulfill the principles of voluntary participation and informed consent;
  • Maintain the confidentiality of information obtained from or about human participants; and
  • Adequately address possible risks to participants, including psychosocial stress and related risks.

The purpose of this guidance is to help researchers plan, develop, and implement computer- and internet-based research protocols that provide the same level of protection of human participants as more traditional research methodologies. The guidelines consist of requirements and recommendations that are consistent with the basic ethical principles applied to all research involving human participants.



The UHSRC must review and approve Internet-based procedures used by investigators for advertising and recruitment of study participants. These procedures include the text of the recruitment script and the context in which the recruitment takes place (e.g. posting a message on a web site or through a mass emailing).


Similarly, outside groups seeking to use our faculty, staff, or students as research participants should have their email solicitations approved.


Researchers should take steps to authenticate respondents to assure that they are the target population sought for the study. If the study is taking place with computers in a controlled environment, there is no real need to seek such authentication; however, if the researcher is soliciting a group with a widespread web site, researchers should offer ways of authenticating subjects, perhaps by providing them a PIN so they may take subsequent surveys.





Any identifiable data collected from human subjects should be transmitted over computer networks in encrypted format. This encryption ensures that data intercepted during transmission cannot be decoded and that individual responses cannot be traced to an individual respondent. The UHSRC recommends using the highest level of data encryption available.



The server used for individually identifiable data storage must meet the following criteria:

  • The server is administered by a professionally trained person with expertise in computer and internet security;
  • Access to the server is limited to key project personnel; and
  • The server is subject to periodic vulnerability assessments to determine that the server is patched according to industry best practices.


If researchers use a server for data storage, they should keep personal identifying information separate from the data, and the data should be stored in encrypted format. The UHSRC requires that all electronic data be stored in password-protected files (note: a password-protected computer is not sufficient).


Data backups should be stored in a safe location, such as an environmentally controlled secure data room with limited access. In addition, researchers should use competent data destruction services to ensure that data cannot be recovered from obsolete electronic media.



Minimal Risk Surveys

When the UHSRC designates an online survey as minimal risk, researchers should have the option of using various types of survey software as long as the software meets the requirements set forth in our checklist (Appendix A). On the UHSRC application form, the researcher should designate whether the survey is in paper or electronic form.


The researcher must further designate which survey software will be used. The UHSRC will permit the use of that survey software if it designates the survey as minimal risk, determines the survey software satisfies the checklist criteria, and approves the protocol. For data that are identifiable or if the survey poses greater than minimal risk, HIPAA-compliant survey software (e.g., Qualtrics) is required. After obtaining final UHSRC approval, a researcher who has a list of e-mail addresses can then send out the survey.



Internet consent documents should include all the elements of the regular signed consent, including the confidentiality disclaimer given below. The consent line should say, "By completing the survey you are agreeing to participate in the research." Some Internet-based surveys include "I agree" or "I do not agree" buttons on the website for participants to click their choice of whether or not they consent to participate.

Researchers might consider using the following statement on the consent form: “Confidentiality will be maintained to the degree permitted by the technology used. Your participation in this online survey involves risks similar to a person’s everyday use of the Internet.” Consult the Developing a Consent Form page for assistance with creating an online consent form.



Researchers will remind participants to log out of the survey software to ensure that the next person to use that computer will not read their data.



The Graduate School recommends the following when creating online surveys:

  1. Use a preview survey function to test the survey (especially if you use question branching/logic)
  2. Use page breaks to reduce the scrolling with perhaps up to six questions per page to make the survey easier to take
  3. Test the survey with at least 256 characters of sample text in comment boxes
  4. Send a test invitation to yourself and some volunteers to ensure that the link to the survey works.

Appendix A. Security Checklist

Informed consent

  • Does the software provide a record to the researcher that captures that a respondent has consented to be surveyed before proceeding?
  • Is that record logged with a timestamp (e.g., Respondent #12 consented at 21:27:13 (GMT-0500) on June 5, 2006)?

Note: In common practice, many researchers employ a note on the informed consent page of the survey indicating that continuing to the survey indicates that the participant is giving consent.


Secure transmission

  • Does the survey use https encryption?

Note: Information sent to and from websites can either be transmitted in clear text, which could be read if the information were intercepted by a third party, or encrypted (https protocol), so that a third party could not read the intercepted information.


Many known online survey services such as SurveyMonkey use advanced data encryption. Please check the site’s security information page.


Database security

  • Do researchers have access to their data in the database via a username and password?

Server security

  • Are the servers that contain the research data located in a data center with physical security controls and environmental controls?

Note: Online survey applications should be PCI SSC Data Security Standards compliant



  • Does the company back up data nightly or more frequently?

IP (Internet Protocol) addresses

  • Is the IP address of the respondent masked from the researcher?

