
10.1 Web Based Surveys

Policy

Data collection tools, such as web-based surveys, that request confidential information must ensure that responses cannot be accessed by unauthorized persons and that personally identifiable information is not improperly disclosed or shared. If a vendor is involved in conducting the survey or analyzing results that include confidential information that can be linked to individuals, a contract must be in place that protects the confidential information.

Discussion

Any plans for web surveys done in conjunction with research are required to be reviewed by an IRB before the survey can be run since, by definition, a web survey involves a human. (See Section 1.2 [1]: Human Subject Information.) This requirement does not extend to web surveys that will be used by Harvard administrators to obtain the opinions of Harvard faculty, staff or students for the purpose of evaluating Harvard or its programs.

Such surveys should include a clear statement about the purpose of the survey and the access to the survey results that meets the requirements of Section 5.2 [2]: Recording Information About the Activities of Others.

No such survey should ask for or display high-risk confidential information, including by using any such information as part of the login process. (For example, a web survey should not ask for a social security number, or part of one, to identify the person taking the survey.)

Web surveys that ask for confidential information (including information that might simply be embarrassing) should be conducted using encrypted transport such as SSL or TLS (HTTPS meets this requirement).

Researchers should not have access to the web server logs for any web survey in which the person taking the survey is promised anonymity. This is to prevent the researcher from being able to correlate the source IP address of the person taking the survey with the answers provided.

There are no specific requirements for web surveys that do not ask for any confidential information and do not ask for a user's name or other identifying information.

© 2009 President and Fellows of Harvard College.
 



Source URL (retrieved on 11/25/2009 - 02:40): http://www.security.harvard.edu/enterprise-security-policy/10-surveys/policies-10_1

Links:
[1] http://www.security.harvard.edu/enterprise-security-policy/1-high-risk-info/policies-1_2
[2] http://www.security.harvard.edu/enterprise-security-policy/5-access/policies-5_2