Data Security Protection

Frequently Asked Questions
What information is collected from organizations?

Organizations undertaking the IIP survey send us employee names and email addresses so that we can create unique submission links and email their survey links out directly

What information is collected from participants on the IIP survey?

Participants may be asked to submit general information about themselves when completing the survey. This information may include, for example: their views about their employer, age, managerial level, gender, or length of service. Most such data is collected in the form of responses to the Likert scale (strongly agree, agree, neither agree nor disagree, disagree, strongly disagree), though other data is collected via multiple choice ‘tick boxes’ and free-text fields. Multiple choice questions include a ‘prefer not to say’ response.

Can my organization see my answers to the IIP survey?

No, all data is aggregated and anonymized removing any Personal Identifiable Information (PII) before being shared with your organization and any third parties such as Practitioners, delivery partners and other administrators. For the protection of small groups where data trends could be interpreted and linked back to individual submissions, aggregated group data is not shown until there are at least seven responses in the group in question.

Where is survey data, including personal data, stored and how is it kept secure?

Survey data, including personal data, is stored securely within Amazon Web Services. The entire data application (instances, databases, snapshots, backups) is stored within the EU-West-1 (Dublin) data centres, and so adheres to EU controls limiting storage within the EEA. Direct access to the data (databases, snapshots) is limited to senior database architects using asymmetric key-based authentication, and further secured with strict ACLs requiring access through secure Cisco VPNs. Our architects are all security cleared with an Enhanced DBS and have all been involved in the IIP projects for more than three years.

Access to servers is restricted with ACLs, Security Groups, and iptables for instance-specific controls. Backups are run nightly and replicated to a S3 bucket in an AWS region (eu-west-1 – Dublin).

For further information on AWS security, including physical access control, auto-replication (redundancy), hypervisor security, and power/infrastructure redundancy, please see:

Application passwords are managed using Drupal – passwords are salted and re-hashed multiple times. Plain-text passwords are never stored in the database. Brute-force attacks are mitigated by auto-blocking login attempts after five failed attempts. Once logged-in, the system supports full RBAC, with minimum-granted permissions (user permissions are granted only when needed for a user account, rather than granting system-wide access).

All communications with the site are via HTTPS, using HSTS and modern cipher suites (TLS1.0+). Ciphers are reviewed regularly to ensure security compliance. The system scores the top mark (A+) with independent access check from SSL Labs(

How long is data stored for and when is it deleted? What happens when data is deleted/archived?

Shortly after an online survey closes it must be archived in order to reveal full results data. Once a survey has been archived, personal names and email addresses are anonymized using asterisks and the email body is wiped. This process occurs weekly and is irreversible.

How/when is personal data moved and what measures are in place to ensure its security during transfer?

Data is transferred between IIP web systems, including CRM, website and survey platform, using custom built APIs (e.g. between Roden & Gene); these APIs are not publicly documented which provides a layer of security through associated obscurity.
Data is encrypted during transit (both between servers and between web server and client) using industry-leading HTTPS configurations.
All API transactions are completed at server level; not through Javascript or other frontend code, so cannot be “sniffed” by code inspection from publicly visible code.

Can an organization undertake the IIP survey without providing any of their staff personal data?

Yes. Surveys operating using only ‘open access’ links do not require name/email address data.

Who has access to Survey personal data?

In terms of account management, the following users have access to an organization’s data:

  • Development Partner Organization
  • HIP Head Office admins (assigned and given access by the development partner or other IIP Head Office admins)
  • Administrators from the specific Delivery Partner that works with the client (assigned and given access by the Development Partner or other IIP Head Office admins
  • The client’s Practitioner (assigned, given access, and /or removed by the Delivery Partner admin) *
    * Please note: Practitioner access to ‘Manage Emails’ page may be removed.
How are permissions set to ensure only those who truly require it have access to data sets?

Permissions are managed in house – as part of the new starter process, staff are added to the platform and permission levels set in line with their role.

Do we share personal data with other organizations?

All data is for the sole purpose of providing the services to the organization that is undertaking the survey or other associated project. However, for the purposes of providing the Survey product only, it is sometimes necessary for us to share/make accessible personal data and/or email data with third party organizations.

Which third parties do we share data with? What data do they have access to and how do they keep it secure?

We use an external Development Partner Organization to build and maintain our online platforms and sometimes to resolve issues with the site. As such, they require access to a minimum amount of personal data. As part of their contract with us, they are subject to an NDA agreement, which binds them by confidentiality and data privacy rules.