How Viva Glint helps you protect your privacy
Data privacy and trust are key priorities for Microsoft Viva Glint. Not only is individual privacy a core Viva Glint value, when survey respondents feel confident that their privacy will be protected, they're more likely to participate in surveys and provide honest and constructive feedback, allowing our customers to get the most out of Viva Glint.
Choose the survey type that meets your needs
Viva Glint uses several methods to inform you about what level of privacy users can expect when responding, starting with the survey types. Viva Glint offers two types of surveys: confidential and identifiable.
For confidential surveys, Viva Glint aggregates (group averages) responses before reporting results. Because it's easier to guess a survey taker's identity when there are few responses, confidential survey responses are only reported when a survey item (question) receives a minimum number of responses. This number is set by your organization and might differ for rating/multiple choice questions versus comments. For a survey to be confidential, this minimum number of responses can't be set below three (3).
Viva Glint surveys might contain three types of items/questions:
- Ratings: Survey takers choose a score on a numerical scale.
- Multiple choice: Survey takers choose from pre-populated options
- Comments: Survey takers write in freeform comments.
In Identifiable surveys, survey takers' identities might be directly or indirectly available within reporting. The minimum response threshold for these surveys is below three. An example of an identifiable survey could be a company's exit survey, where viewing responses for each departing employee is desired.
Use your organization's statement about privacy
At the beginning of each Viva Glint survey, survey takers are presented with a statement configured by your organization.
How does a statement about privacy help?
A statement about privacy advises access and data handling of survey responses
Even for confidential surveys, your organization's customer admin might be able to access identifiable survey responses. This access might be necessary for an organization to meet its legal obligations, such as Data Subject Rights under GDPR. However, your organization can choose to opt out of this on a survey-by-survey basis using Viva Glint admin controls.
A statement is automatically selected based on your progam setup configurations.
Confidential surveys which do not support raw survey responses export
If your organization chooses to restrict the export of raw survey responses for confidential surveys, the following statement will be applied to surveys.
Confidential surveys which do support raw survey responses export
If your organization has approved making raw survey responses available for a particular survey, survey takers will be informed in this statement:
- Survey takers are sent to this Microsoft Learn page to understand how Viva Glint helps protect their privacy.
If your organization opts to create an identifiable survey, this statement will be applied.
The Confidentiality and Comments Threshold set for the survey program will automatically become the default statement for your programs.
How is privacy protected within survey results reporting?
Survey takers' privacy is protected by setting and communicating a minimum number of responses used in reporting, as well as management of roles and permissions. Your organization configures who has access to survey data and establishes the minimum response thresholds for each survey program.
A minimum response threshold is the minimum number of responses a survey item must receive for its results to be reported. The higher the level of aggregation, the less likely it is that users reviewing a survey report will be able to infer the identity of an individual survey taker.
By default, the minimum response threshold for rating or multiple-choice items is set at five, while for open-ended comments, it's set at 10. Your organization can adjust the thresholds, either higher or lower, for each survey program, and these thresholds are noted to survey takers.
To be classified as a confidential survey, the minimum number of responses must be three (3) or higher. If the threshold is below three (3), the survey is identifiable.
At the beginning of each survey, the privacy statement will inform survey takers whether the survey is confidential or identifiable and specify its minimum response thresholds, if any. Once a survey program has been launched, its minimum response thresholds can't be changed. Changing or altering a minimum response threshold requires a new survey program. The previous program with the original confidentiality could, however, be drawn into reports for comparison against new results with the new threshold.
Privacy is protected by managing reporting roles and permissions
Your organization can configure who might view and configure survey reports at various levels. For instance, your organization might use the following reporting hierarchy for its marketing organization and assign permissions accordingly:
- Marketing program managers (PMs) can only view survey results from the team they manage.
- Marketing directors (to whom marketing PMs report) can view survey results for all the teams reporting up through them.
- The Chief Marketing Officer (to whom the marketing director reports) can view survey data for the entire marketing organization.
Each of these reporting groups feeds into the hierarchy level above, or roll up, giving users in your organization visibility commensurate with their scope and authority.
If the minimum response threshold isn't met at for a user's team, their responses won't be reported at that level; instead, they'll be aggregated with extra responses and rolled up to the next level.
For example, consider a survey of the marketing organization described above with the minimum reporting threshold set to five (5). A marketing PM would be able to see aggregated survey responses for any question to which at least five (5) of their team members responded. But if only four (4) responded to a specific question, the responses for that question wouldn't be shown to the marketing PM. Instead, the responses would be combined with those of other employees reporting up through the marketing director and rolled up the next reporting level - the marketing director's report. The PM wouldn't be able to see survey data for that question because the minimum response threshold wasn't met. However, because the threshold was met at the reporting level above, the survey data would be included in the director's report.
Why does the comments threshold differ from the survey items threshold?
As stated above, the default minimum response thresholds for ratings and multiple-choice questions are five (5) but for the comments the default threshold is 10. The reason for the higher threshold is due to comments being easier for the user to infer which survey respondent provided the feedback. As comments are reported as written (verbatim), the report user might notice a writing or grammatical style that is unique to a specific person. The smaller the group, the larger the potential to deduce the survey respondent.
Example: If a manager receives seven (7) responses from their team, they'll see an aggregated score but not the comments. On the other hand, if a manager receives 20 responses, they'll see both the calculated score and the comments provided, regardless of the number of comments received.
Suppression thresholds add further protection
In some cases, even when the minimum response threshold is met, the ability to filter reporting by survey responder attributes (like title or location) and then compares those filtered results to nonfiltered results might allow a survey responder's identify to be inferred. In these cases, responses are "suppressed"—meaning, not reported even if the minimum response threshold was met. The suppression threshold requires more than two responses that separate the smallest attribute group from the smallest group that meets the minimum response threshold.
Consider a marketing PM from the example above, given the following:
- Five (5) of the six (6) team members are in North America; one (1) is in Europe.
- The organization has configured Viva Glint to allow filtering of responses by survey taker region.
- The survey's minimum response threshold is set to five (5).
- All six (6) team members respond to a question that asks them to rate their manager's communication skills from 'Very Good' to 'Very Poor.'
- The North America team members all provided a rating of 'Very Good;' the European team member provided a rating of 'Very Poor.'
In this case, the marketing PM can't see the European score because, with only one (1) response from European employees, the minimum response threshold isn't met. But the PM can view the teamwide score (based on six responses) and North American-only score (based on five responses)—right? No! Those results are suppressed.
Why? Because, by comparing the teamwide score to the North American score, the marketing PM might be mathematically able to determine the score received from just the single European team member. When the PM sees that the North American score is 'Very Good' but the teamwide score isn't, the user might correctly infer that the European team member brought the average down. With a little math, the marketing PM might be able to calculate the exact score the European team member provided. For the North American score to be displayed, there needs to be more than two responses within the overall team score that aren't within the North American group. So, if the overall team earned eight responses where five were from North America and three were from Europe, the marketing PM sees both the overall team score and the North American score, having exceeded the suppression threshold.