Understanding Personally Identifiable Information (PII)

Learn about the importance of Personally Identifiable Information (PII) and how UserTesting can assist in protecting PII.

This article applies to: UserTesting

About PII

  • Personally Identifiable Information (PII) is data that could be used to contact and determine the actual identity of a specific living person.
  • Protecting the personal information of contributors is critical when gathering insights through testing, and it protects your company from possible non-compliance with the General Data Protection Regulation ("GDPR").
  • If you are a covered entity under HIPAA and your test might involve Protected Health Information (PHI), please review our article on collecting insights under HIPAA.

 

 

Prohibited PII

The rule regarding Prohibited PII is to never ask for it, even if your test asks for consent or you use the Blur Tool. Prohibited PII includes:

  • Credit card numbers or credit card purchases
  • Personal financial account numbers
  • Passport numbers
  • National ID card numbers
  • Car loan number
  • Driver's license number
  • Social Security number
  • Account passwords
  • Specific genetic information
  • Biometric identifiers used for identification purposes (e.g., fingerprints, voice prints, iris and retina scans)

Note: Please review our Data Processing Agreement, Content Policy, and Privacy Policy for more information. 

 

 

Sensitive PII

  • The rule regarding Sensitive PII is that you must obtain contributors' consent to collect this information via a screener question.
  • Categories of PII data vary by jurisdiction.
  • Some examples of Sensitive PII include but are not limited to:
    • Racial or ethnic origin
    • Political opinions, religious or philosophical beliefs, trade union membership
    • Data concerning health or a person's sex life or sexual orientation
    • Data relating to criminal convictions and offenses

Note: Please review our Data Processing Agreement, Content Policy, and Privacy Policy for more information. 

 

 

Special considerations

Screener questions

  • If you determine that it is acceptable to record PII during your test, you'll need to provide test contributors with a detailed explanation of what PII will be recorded and what it will be used for, and get their written consent before the start of the test.
  • You should provide a question as your first screener. 
    • For example: “During this test, you will be required to enter your full name and home street address as part of a registration process. This information will only be used for the purposes of this test and will not be shared. Do you consent to provide this information?”
    • Yes, I consent to provide my full name and street address to participate in this test. [Accept]
    • No, I do not consent to provide my full name and street address to participate in this test. [Reject]

 

Other PII

  • You're required to get contributor consent before requesting or processing any PII.
  • If you’re running a test that may collect other PII, such as a full name or home street address, it’s a best practice to ask for contributors’ permission using a screener question.

 

Blur tool

Depending on your internal policies and applicable data laws for collecting and handling personal information, you may want to use the Blur Tool for certain tasks that expose PII you want to protect.

 

Health information

  • Medical information is considered Sensitive PII and may only be collected after obtaining consent.
  • If your organization is a Covered Entity under HIPAA, medical information may be Protected Health Information (PHI) and should only be collected if your organization has a signed Business Associate Agreement with UserTesting.

 

Testing purchase transactions

  • UserTesting contributors must never be required to purchase anything while testing or to participate in any financial transactions.
  • If you have questions about how to test processes which include a financial transaction, visit our course.

 

Testing social media

  • Social media feeds may contain the personal data of others who have not provided their consent to share such personal data.
  • The best approach is to only enter engagements where you are processing personal data from the contributor participating in the test.

 

 

Best practices

Follow these best practices when you run a test that may prompt test contributors to provide their PII:

  • When requiring a test contributor to complete a form requesting PII, instruct them to enter false or “dummy” information that will not identify a specific individual.
    For example: “Enter the email address = fake@google.com and password = fake.”
  • Never ask for social security numbers, medical records, or bank and credit card information.
    For example: “Please use fake information like 5555-5555-5555-5555 Exp: 12/20”
  • If your test requires test contributors to go through a complete checkout process, provide contributors with gift cards or gift codes to complete the checkout process without entering their own credit card information. For more guidance on testing purchase transactions, visit our course.
  • If a test contributor’s PII must be visible on the screen during a certain task, and your internal policies require you to protect this information, enable the Blur Tool to make the screen unreadable during that specific task.
  • If you expect test contributors’ PII to pop up during the recording (such as notifications), please create screener questions to set expectations before the test starts.
    For example: Create a screener saying, “This test requires you to disable notifications. Have you disabled all notifications on your smart device?”
    • Yes, I have disabled notifications. [Accept]
    • No, I do not wish to disable notifications. [Reject]
  • If you're concerned that PII might inadvertently be provided by contributors during a test, consider a Live Conversation rather than an unmoderated test. During the test, you can manage the conversation to prevent sharing this information. 
  • Be mindful that personal information might also appear on the dashboard or other pages within logged-in experiences. Review these pages as you plan a test and consider using the Task question and Blur Tool.
  • If you need to communicate with a UserTesting contributor outside the test, follow our guidelines for messaging.

If these best practices are insufficient for your research needs, please contact the UserTesting Support team to discuss alternatives. 

 

 
