should we provide the name behind anonymous feedback to a customer?

A reader writes:

My company develops a customizable system that we sell to various companies, and my team is responsible for providing support to the hundreds of companies who buy and utilize our system.

Recently, one of my coworkers was asked by one of our customers to provide the name of the user who wrote an anonymous feedback on their system. We can apparently see this information on our database, but my coworker was obviously uncomfortable providing this information and the topic was then raised for discussion during our weekly team meeting.

Our team leader, manager, and head of department all unanimously agreed that if the customer asks for any information pertinent to their system, all we can really do is make sure they understand the implications of providing said information and confirm that they’re sure they still need/want this, and if they say yes then to simply provide this info. Their point of view is that the customer is responsible for managing the data within their own system, and we’re just the middlemen there to assist them as necessary; whether doing this is ethical or not is up to the customer to decide, not us. Same way we can advise them not to breach general data protection guidelines, but in the end if they want to do something that would ultimately go against these guidelines it’s not really our place to stop them from doing so. We cannot tell them *how* to manage their data, we can only advise, instruct, and provide support for the system they purchased from us as requested.

Both my coworker and I were still uneasy about this. I spoke up and argued that anonymous feedback is anonymous for a reason, and that I’m not sure we should even be storing information about which user wrote which anonymous feedback on our database, as that defeats the entire purpose of feedback being anonymous. Our boss used some examples of when knowing/providing this info would make sense, like when the customer fears for a user’s well-being, but my coworker and I were still concerned about being potentially responsible, even if indirectly, for people being punished or exposed over more heated and sincere feedback that they otherwise wouldn’t write if it didn’t have the promise of anonymity behind it. “Outing” the user felt to us like breaking their trust and defeating the purpose of the tool. Our bosses reminded us that it should and will never be on us if the information we provide to the customer as requested is used unethically, and whatever happens after we help the customer is out of our hands, as it is their responsibility to manage their own data as they see fit.

Although we understand all of this and will not go against company rules, it still didn’t sit 100% right with either of us. What says you?

P.S. As far as I know, this is the first time a customer has requested this sort of information, so this isn’t something we’re just distributing willy-nilly to everyone all the time. It was just this one customer who, for some reason, wanted/needed to see who was behind an anonymous feedback submitted to their system. I also do not know what the feedback said and I didn’t ask. Finally, the users who use our system are usually employees of the company who buy our software, so the sort of retaliation my coworker and I fear is specifically getting someone fired for airing their grievances under the promise of protection our system has made to them.

Different companies handle this differently. The way your company is choosing to handle it isn’t uncommon … but they’re acting like this is the only option they have, and that’s not true.

If they wanted to, they could:

* Make it clear to customers from the get-go that anonymous info is really anonymous and won’t be released (except in cases where required by law, like with a subpoena).

* Or, clearly warn users that nothing they do on your system is fully anonymous and that while “anonymous” feedback doesn’t initially include names, those names can be provided upon the customer’s request.

When your managers say that “all they can do” is to make sure the customer understands the implications of providing the information but then provide it if they still want it, what they really mean is that they’ve decided that’s all they will do.

And that’s certainly their prerogative. It’s an approach lots of companies use. But they (a) shouldn’t throw up their hands and act as if it’s not a deliberate decision and (b) should clearly warn users of the policy.

I don’t know how much capital you want to spend on this, but if it’s something you want to pursue, you could point out that if users learn that “anonymous” isn’t really anonymous, over time your system will become less useful because people will use it differently. (And if it really gets out, there’s a risk of public backlash, like the sort Microsoft experienced earlier this year about its “productivity scores.”)

{ 220 comments… read them below }

  1. Tink*

    This is exactly why I have NEVER believed management when I am asked to participate in an “anonymous “ survey.

    1. Ray Gillette*

      I remember one time when I was invited to participate in a survey where the data truly was anonymous… but as I pointed out on my survey form, our company is small enough (not a family operation, but fewer than 50 people) that it would be easy to figure out who wrote what simply from context clues.

      1. Lacey*

        We did an anonymous survey at my under 50 employee employer. But I don’t think any of us realized before hand that our answers would be printed out and shared with everyone – just without names!

        For the most part we could easily guess who said what and I know most of us would have responded differently if we’d known we were addressing everyone and not just management.

        1. I Wrote This in the Bathroom*

          Yep, same happened at my workplace a few years ago. It did not shock as as much as it normally would, because things had been especially toxic in the few years before that, and that year, everyone finally snapped and gave the leadership a piece of their mind in the comments (plus the survey answers of “Very dissatisfied” and “dissatisfied”). Cue 6-8 months of regular meetings, where our team would be herded into a meeting room, shown an excel sheet with all our answers pasted in, and asked to provide suggestions on how to improve. We had a pretty great relationship inside the team, and had shared at least the gist of our answers with each other, and so seeing each other’s comments was no big deal. But would’ve been weird otherwise! We tried suggesting things, but since the real answer to how the company could do things better was “fire the toxic VP and terminate the relationship with the toxic contracting company”, anything we could suggest was really more of a bandaid nature.

          1. Chilipepper*

            Always assume everything is not anonymous. I know ppl who have had friends in other states fill in surveys so the wording would be more anonymous and even the IP address would not tie back to the real OP.

            Also, we had a survey like “I wrote this in the bathroom” described where we all gave dissatisfied and very dissatified answers. One coworker (she was one of the reasons we had the survey) piped up to say that a score of 2 oit of 5 was not far below average and that was pretty good. Management bought that horse puck comment.

            1. JM60*

              When I answer supposedly anonymous company surveys, I:
              1 Ensure I’m not given a unique URL to the survey.
              2 Access the survey only from my personal device, not company equipment (which could have keyloggers for all I know).
              3 Access the survey only in incognito or private browsing mode (so there won’t be any cookies from my normal browsing session, and online “fingerprinting” will be more difficult). Note that incognito/private browsing on most (all?) browsers does temporarily save cookies from that same session, sharing them among all incognito/private tabs, until all your incognito/private tabs are closed.
              4 Use a VPN to change my IP.
              5 Make sure the information itself is very unlikely to be identified as being from me.

              I might be a little paranoid, but most of the above are a small cost to pay for anonymity.

        2. Archaeopteryx*

          This reminds me of a freshman year class in college where we were supposed to sit in a circle and write down something that you’d been dealing/ struggling with since coming to school. Then the teacher had us all pass our papers to THE PERSON ON OUR RIGHT and read them out! Not crumple them up and throw them in the circle so people fished one out anonymously- directly to their right.

          Most people had just written like “workload” or “miss my parents”, but assuming that it was a let-it-go kind of exercise, I wrote a more stream of consciousness description of a conflict with a friend from back home. People tittered when the dude on my right read it out. (This was a mandatory coping/getting used to college class all freshman took… what a mess!)

          Sorry for the tangent but… tell people beforehand what happens to their answers on things!!

        3. Frankie*

          I work for a major corporation, in a location with 160 employees. A couple years ago we all had to give “anonymous feedback” about the managers of our teams, supposedly for their yearly reviews, but a few weeks later there was a large binder sitting in the break room with EVERY. SINGLE. COMMENT. printed out word for word. Even without names it was obvious who had written a lot of them. Some were straight up cruel and nasty, while others spoke of highly personal matters that clearly shouldn’t have been shared with everyone else. I’ve never given honest feedback in a supposedly anonymous survey again.

        4. Super Admin*

          My husband’s company runs a quarterly survey, supposedly anonymous, for all of their 5000+ employees to give feedback on the company, CEO, leadership, and their managers. However, when one’s manager only manages 5 people it becomes very obvious, very quickly, who responded with what. And when your manager is a vindictive dick it does not pay to be honest, or really to even complete the survey at all, as they’ll grill your every response.

          Some companies just don’t get it.

      2. Lil Fidget*

        I was once forwarded an email from my HR person (who was a flake) trying to triangulate who must have said a certain comment in an anonymous survey. She was asking people who they thought said it, like five people were cc-d on the email that was forwarded to me. Little did she know, I was the person who said it. Stopped providing any feedback after that.

      3. ComplianceGal*

        I would tread very carefully sharing personal information. The rules in Europe, Canada, California, and elsewhere are very different about what and with whom you can share, even if you are just a processor and they technically “own” the data. If the user didn’t agree that the data could be used in a very specific way, both you and the customer could get in serious trouble.

    2. PolarVortex*

      Plus people’s communication styles are so different I assume my boss would be able to tell me from the other underlings.

      1. Sola Lingua Bona Lingua Mortua Est*

        Plus people’s communication styles are so different I assume my boss would be able to tell me from the other underlings.

        Perhaps not in every case, but I certainly cast a unique shadow… Anonymity is a comfortable illusion.

        1. Ask a Manager* Post author

          Yes. As a teenager, I once had an article published anonymously in our area newspaper (which didn’t usually publish anonymous pieces but it was a personal account of something sensitive — and being a teen probably made them more willing) and the next day at school, my English teacher (who knew my writing well) complimented me on it.

          1. Mouse*

            I wish “anonymous” wasn’t seen as a signal of a fun puzzle to figure out, but rather interpreted as “even if I know who this person is, they clearly would like me to pretend I don’t”.

            My company frequently debates who posted which Glassdoor reviews. In my opinion, if someone posts their job title, that’s fair game. If they post as an anonymous employee, well, clearly they don’t want us to know.

          2. Sola Lingua Bona Lingua Mortua Est*

            There were several occasions, with multiple different teachers, where I handed in printouts of code, forgot to put my name on it, and received my printout back with its grade. I can sympathize.

            Even to this day, I sign my code because it’s a requirement, not because you need my name to identify its author.

          3. Tired of Covid-and People*

            Are anonymous postings from regular posters identifiable from their writing style? Asking for a friend.

      2. General von Klinkerhoffen*

        Plus people’s communication styles are so different I assume my boss would be able to tell me from the other underlings.

        You’d think.

        However, I was in the position of taking finals in a very small university department (only 14 of us majors, involving one-to-one teaching). All finals were handwritten essays, with anonymised identifiers, marked internally, then externally moderated.

        Around six of us went to the pub after the last exam, and one of the professors came with us. A couple of drinks in, he started jokingly berating us for the particular answers we had submitted. Because obviously he knew what our particular interests were in each topic, and with such a small cohort everyone could recognise handwriting let alone odd turns of phrase. Then he picked on one person for using an unusual colour ink…

        … only they hadn’t. The look on the student’s face, and then the professor’s face. It’s a good thing we were already pretty drunk. And an even better thing that he didn’t play favourites anyway.

        Anyway, that anecdote is to say that unless feedback is truly anonymised and truly unattributable, a bad manager may associate a negative comment with the wrong employee and retaliate accordingly, which would be even worse than retaliating on an accurate guess.

        1. Inca*

          It’s probably not perfect. But I’ve had some fun spotting accounts from banned persons sneaking back on the boards and I picked out quite a lot of them, mostly by writing style or insufficiently hidden details.

          With the anonymous survey-data it was even easier as a lot of people mentioned something they’d also said in public some time or other, so it was easy to match. (On the other hand, that was as far as it went because I couldn’t get the managers involved in actually reading the feedback-comments, and I barely got them to read my summary.)

          I would never ever count on anything being untraceable unless one is very careful, and for feedback this also means that if you do that, that feedback may also lack enough specificity to be useful.

      3. Environmental Compliance*

        It depends.

        When I was a TA, I’d get back the handwritten copies of teaching evals from my students. Could I pick out a couple of them? 100%, either through a really distinct handwriting or very specific details. Generally though there’s no way I could figure it out.

        If you are very distinct in how you phrase things, or speak to very specific details, it’s much more likely that your boss could tell them apart, but if it’s more generically phrased, it will be more indistinguishable.

    3. Ups and downs*

      I participated in one such survey only when I knew I was heading out the door. I was still “anonymous” but if they retaliated it wouldnt affect me.

      1. raktajino*

        I once submitted feedback anonymously when I was out the door, and heard later that the director spent a full month trying to track down the source.

        Yeah, you’re why I left.

    4. Damn it, Hardison!*

      The last company survey I received was “confidential,” not anonymous. I’m not sure everyone would catch that distinction, but I certainly didn’t complete it.

      1. AnonyWorker*

        I much prefer surveys that are “confidential” over “anonymous”. Helps to have HR that actually achieves things stand behind that though.

        1. DerJungerLudendorff*

          Me too. At least I could believe in confidential, while I’d never truly trust anonymous.

      2. PolarVortex*

        You just have to be much more choosy in your word choice. If you’re creative, you can give suggestions that will actually improve things while selling it under the company lingo and bs. Sometimes I don’t have a tolerance to do this though.

      3. HR Exec Popping In*

        Most internal surveys for big companies are confidential not anonymous. This is so that the results can be analyzed. We want to see if there are differences in responses by various segments to better understand where we have opportunities.

    5. old curmudgeon*

      Precisely! I don’t care how “anonymous” they claim it is, there is always, ALWAYS a way for management to figure out the source of the comment.

      Case in point – every year, the state agency where I work conducts an “anonymous” employee engagement survey. Every year, there are repeated assurances that no manager is ever told who responded, nobody can ever figure it out, nobody can ever tell who said what, and that we should all feel completely comfortable in responding, secure in our anonymity.

      And every single year, my bureau director sits at her desk 15 feet away from mine, reading aloud the comments that she was sent by the survey organizers that were made by employees in her bureau, and speculating audibly about who said what and why they said it.

      Nope, I have never participated in one of those “anonymous” surveys, and I never will. It’s just asking for trouble.

      1. Database Developer Dude*

        I’m in the Army Reserve, and my commander is mad at me because I refused to participate in the Command Climate Survey, which is supposed to be anonymous. In the same breath they tell me that, they tell me the results are aggregated by race, sex, and rank. Guess how many black male warrant officers in my unit? Can you guess? I bet you can……

        1. Peter Piper Picked a Peck of Pickled Peppers*

          Yeah, I have also completed anonymous / confidential surveys with that type of segmentation. I’m
          a white female at a very large company but I’m in a smallish team of people, mostly Black and/or male. Even looking at the overall team responses without further segmentation, you’d be able to make a reasonable guess at who said what.

      2. Juniper*

        It’s unfortunate to read how apparently common it is for companies to not respect the promise of anonymity, but I will push back against the claim that management can always figure it out. I participated directly in the creation and distribution of our most recent survey, and there was no way for any of us to figure out who wrote what. Granted, we weren’t trying to expose anyone, but we did test it for weaknesses when we set it up and none of us could connect answers with any identifiable information or data. And that’s the point! We wanted people to give truly honest feedback, and in order for that to happen we had to ensure their anonymity.

        1. BHB*

          A previous company I worked for did well with anonymising surveys. They outsourced the entire operation to a specialist company, who then collated and published the results to share. The results were distilled into various departments/groupings, but only if that grouping had more than 10 respondents. If there we fewer respondents, the grouping would default into the next bracket up. (E.g. my department only had 6 people, so we did not get any results specifically for my department, but they were rolled into the results for the larger umbrella division my department sat in). Free text comments were anonymised and any obviously identifying information (managers names etc) was stripped out. There were also warnings on the survey itself that free text would be read by both the survey company and published in the results, so if you did not want your comments identified to be mindful of what you wrote. They were also not mandatory, so you didn’t have to type anything out if you didn’t want to.

          I’m sure there would be ways to dig into the data and discover who said what on the survey, so it probably wasn’t truly anonymous. But the survey company and the company I worked for both seemed very serious about making sure it was anonymous as possible, and the senior leadership team specified that managers must not try to work out who said what and if they were found to be doing so they would face repercussions.

          1. Zweisatz*

            Yep, for sensitive surveys my company does this as well and it’s the only way to (approximate) an anonymous survey.

          2. Salsa Verde*

            I feel like the Letter Writer is saying they work for a specialist company that does surveys like this and is now being asked to identify a commenter, no? So even though the survey company is serious about making it anonymous, they can certainly identify commenters to the company if that is requested.

    6. Fed anon*

      There’s only one employer survey I’ve ever believed is anonymous, and that’s because I worked on something related to its old survey data and saw how it was stored. (Badly, in html tables, it was a mess)

    7. Pippa K*

      I was once contacted by someone from my employer asking me to explain and justify my answer to an ‘anonymous’ survey. I’m a social scientist with a decent grasp of survey ethics and I’m still outraged about this, years later. I now only provide survey answers that I would be willing to stand up and say out loud in a meeting.

    8. Artemesia*

      I am horrified with the situation. It is deeply unethical to provide a customer with identifiable data when it has been gathered as anonymous. I have a friend who when his consulting business was very new fired a client who insisted on getting this information; he refused and dropped the client at great cost to himself because he was an honest person.

      Any data gathered with assurances of anonymity or the assumption of anonymity should be kept that way. There is no non corrupt reason to violate that.

      I am horrified that a company would do this.

    9. Jam Today*

      My company sent out an “anonymous” survey last year and in the same email told us that we had to respond using the link in our own email, and couldn’t forward it since the same link wouldn’t work for other people.

      Sooooo….the survey link in the email is mapped to my work email address is what you’re telling me? Roger that.

      1. Just delurking to say...*

        Ter the s it your company sending the email, or an external survey provider using your company’s branding? I work for a survey company whose email surveys work using individual, do-not-forward-this links but we’re the only ones who have the ability to link responses to names (and that ability expires quickly after the survey closes). Short of a subpoena or a reason to fear a respondent might harm themselves or others that information never leaves our databases.

        1. allathian*

          Yeah, that’s the way it works for us, too. HR provides the email addresses and sends the the links, but they’re basically used to count noses. The percentage of respondents per department is one of the parameters in our organizational performance matrix. Nobody in our organization sees the unaggregated results of the survey. Granted that they’re aggregated by department and manager, but because we are an expert organization where employees are expected to be pretty self-directed, it’s not unusual for a manager to have between 10 and 30 reports. A manager who has 5 reports or less doesn’t get to see any comments their reports wrote, and nothing beyond an average score for every question.

          1. Mongrel*

            And as the worker who, hypothetically, receives the unique e-mail I have no way of knowing any of this. Sorry.

      2. Self Employed*

        My apartment management company does that too, and is really pushy about expecting people to fill them out. I realize they probably have a low response rate, but with questions like “Pick your favorite activity: Bingo, cable TV sales presentations, sports trivia?” and I don’t want any of those but they always reject suggestions the more community-minded tenants make, why would we respond?

    10. Keymaster of Gozer*

      I don’t trust any anonymous records unless I’ve got admin rights to the backend database.

      There would have to be, for me, a very good and legally defensible (under GDPR) reasoning behind storing user details of anonymous comments. I can understand filtering for IP address ranges (to make sure that it’s not open to the public) or in extreme cases MAC addresses being recorded, but not a user logon name or anything personally identifying them.

      (Details of the computer itself? More acceptable. Details of the user? No)

      I’ve worked for software companies where it’s our servers holding clients data and we did get requests for really sensitive data (like credit card transaction details) with the client taking the view that we’d not be in trouble if we provided it as requested. You could actually see the blood pressure rise of the IT security admin from across the room.

      1. Juniper*

        That’s the power of GDPR. I’m hard-pressed to think of a situation where a company could argue a legitime interest for holding on to identifiable personal data that presumably serves its purpose just fine anonymously.

    11. Free Meerkats*

      My methods for making my answers more anonymous are as follows:

      I respond from a shared computer – either the library, or if it has to be done inside our system, from a shared day-room computer.

      As I compose each answer, I cut and paste it into Google Translate and send it to another language, cut and paste that into a reverse translate window, then cut and paste that double translation (garbled as it may be) into the answer window.

      I haven’t had anything traced back to me. Though when my organization says anonymous, I haven’t seen anything to make me doubt that in my 30 years here.

      1. Free Meerkats*

        Here’s what you get sending my comment to Hmong and back:

        “The options for my anonymous answers are as follows:

        I answer by computer sharing – whether the library, or if it should be done in our system, by a computer using mixed dates.

        As I write down every answer, I cut and paste it into Google Translate and send it to another language, cut and paste the text back into the dictionary, back to then cut and paste the double translation (insert as it will) into the response window.

        I have not had anything follow me. Even when my organization was anonymous, I did not see anything that made me doubt it in my last 30 years.”

          1. RebelwithMouseyHair*

            amazing double Dutch, yes!!!
            It’s a beautiful example of why google is still not better than decent human translators. I particularly like “I have not had anything follow me” which conjures up all sorts of possible “inanimate” stalkers.

      2. Junior Assistant Peon*

        Now your immigrant coworker is going to get blamed when you criticize management in broken English!

    12. MRV*

      As someone who used to be in survey research, let me share this far and wide: if you received a personalized link to a survey (it is sent directly to your email account and you are told not to forward it), then all of your responses in that survey are tied to your name and email address regardless of any promises of anonymity.

    13. TardyTardis*

      Yes, since the corporate survey was directed to me through a named email, there is no way I would expect to stay anonymous.

  2. PolarVortex*

    Maybe I’m paranoid and assume everything that claims it’s anonymous is not and I treat everything as such. But still, I would agree that unless there’s safety at risk, they should honor those who choose to remain anonymous. If your company believes it should provide the backend information gathered if requested by a company, they should not provide an option to give feedback anonymously.

    Quite frankly, even with my own personal paranoias, I’d straight up not bother to give feedback when it comes to a company who’s disingenuous about anonymity. It’s a betrayal of trust, so why should I trust you to not change my feedback or give my data to shady companies. There’s an implicit promise you won’t change my feedback, and usually an explicit promise not to sell data to third party companies. If you break the implicit promise to share my feedback anonymously, I assume you’ll break all other promises, implicit or explicit.

    1. AnonOP*

      “If you break the implicit promise to share my feedback anonymously, I assume you’ll break all other promises, implicit or explicit.” EXACTLY. that’s one of the things I pointed out to my bosses when we were discussing this. are we really okay, ethically, to break this implicit trust the users are putting into our system? I do understand that if the customer themselves decide to break the anonymosity, they’re the ones to blame first and foremost, but it’s not too farfetched for a user to also get a bad view of the company who built the site that allowed this breach of trust in the first place, aka us.

      1. Product Person*

        “I do understand that if the customer themselves decide to break the anonymosity, they’re the ones to blame first and foremost, but it’s not too farfetched for a user to also get a bad view of the company who built the site that allowed this breach of trust in the first place, aka us.”

        I’m wondering why the solution provider even needs to get involved. Either the system was designed to allow anonymity to be removed by the client (something users submitting information anonymously should be warned of), or the provider IS accepting a level of responsibility, since they, not the client, are the ones disclosing what was supposed to be private/restricted/confidential information…

        1. Emily K*

          Yes, I’m assuming this is not EU because GDPR is very clear that the responsibility for compliance applies to every entity that processes and stores personal data. You can’t even store PII data on cloud servers if the cloud company isn’t GDPR-compliant.

          I’m in the US but use a couple pieces of SaaS that covers European and North American customers, and we were required to sign a legally binding document agreeing to ensure we were GDPR client with all data stored in their product, even if you were a small business in Nebraska that wasn’t covered by GDPR. So I’m definitely calling BS on not only this anonymity issue, but also the comparison given of not being able to force your clients to use proper data security either. Yes, you absolutely can. You’re choosing not.

      2. PolarVortex*

        FWIW, depending on what your company takes/gives feedback about, there’s a few things that could actively scare them away from sharing data. Privacy and data security are big key words in today’s age. There’s a reason why you have to click so many boxes that state you’re okay with cookies, you’re okay with sharing the data with 3rd parties, etc. Even Google Forms alerts you that your backend email and name are gathered in certain situations. If you’re not alerting people that you’re gathering this data and have the right to distribute it (which then could therefore be shared with the company) you’re working yourself into even a more grey area. At least then you’re giving them notice there’s an illusion of anonymity with your company.

        This is the reason the T&C of everything you sign up for are exhausting to read through but essentially boils down to we have the right to all your data and can do what we will with it because we can change these T&C as long as we alert you, and you can’t sue us.

        1. Kuddel Daddeldu*

          Look at the privacy statement on the website (the one visible to the person leaving the feedback at the time they entered); you must adhere to it or be open to a lot of legal hassle. Doubly so if the GDPR applies (if the feedback-giver is or even just mentions a EU data subject, I.e. an EU Citizen or resident).
          If in doubt, check with your legal counsel and your company data Protection officer – in fact, your DPO should be your first stop.

    2. juliebulie*

      Yeah, I feel like if the customer wants to have access to this info then they should be the ones to collect it. Or, it should be in their contract with OP’s company.

      If the customer’s user had wanted to identify themselves, they would have done so.

    3. Jennifer Thneed*

      I just don’t think that words that leave my pen/keyboard are ever private. Once I give something to someone else, I have lost control of it, and I try to always bear that in mind. Maybe this company will never release the names, but they are storing them! Information security specialists know exactly how secure this data is (which is to say, probably not very secure).

      1. Product Person*

        While I agree that it’ a good idea to trat any electronic communication as NOT anonymous, that doesn’tmean the provider ismorall or legally in the right here.

        I work with private data, and if my boss asked me to disclosure the identity of someone who submitted information under the assumption of anonymity, I’d tell him, “You do it if you want, I’m not going to.” Whoever thinks this is right and moral and legal should take the action.

  3. Roscoe*

    I mean, I guess the way I see it (and maybe its because I’ve worked for software companies) is that its kind of assumed that nothing is every TRULY anonymous, especially if you are logged into a system. I think its naive of people to assume that. Without knowing the type of software this is, its kind of hard to decide whether this would be some massive breach. But, for the most part, I think you probably should go with what the customer wants.

    1. AnonOP*

      yeah, a coworker who’s on the fence about this whole situation explained that, the thing here is, the customers themselves have full control over the data that’s input into their site, even if some of the data isn’t easily accessible to them because they have to go through us to get it. if someone for any reason wants us to provide them with their entire database we’d just go ahead and send it over to them, and that would include all anonymous feedback information; we’re here to manage their data and assist them with managing the system we sold them. if they ask for any data that’s pertinent to their site, we can’t really say no.

      I guess the part that bothers me is that I don’t think our system should even be saving that data in the first place. if the feedback is anonymous, then we should be saving the feedback and nothing else; attaching it to a username just feels weird and disingenuous to me. however, this other coworker I was talking to did point out that having this information is important when you *really* need to know who exactly wrote something that’s potentially dangerous to themselves or others, like, what if someone submits a death threat? it would make sense to share this information with the customer then.

      and to answer your question, the anonymous feedback is not a major part of our system at all. our system allows users to take online courses and seminars, and then sometimes users have the option to submit a feedback at the end of it (the user can also choose whether the feedback is anonymous or not). I don’t think most of our customers even have this functionality on their site.

      1. DEJ*

        “this other coworker I was talking to did point out that having this information is important when you *really* need to know who exactly wrote something that’s potentially dangerous to themselves or others, like, what if someone submits a death threat?”

        You said you didn’t know what the feedback said, but this was exactly my thought as well. What if someone reported sexual harassment? We’ve talked many times on here that companies should be investigating that, so maybe they are trying to do their due diligence.

        1. Forrest*

          But equally, someone might only report sexual harassment in the belief that what they are reporting is anonymous and will not be acted on, but they want it recorded. If someone’s being victimised, that’s even *more* reason why the anonymity (or lack of it) should be clearly visible to them and not deceptive so they can make fully informed decisions about how they want to handle it.

          1. Kuddel Daddeldu*

            Absolutely correct.
            As AnonOP wrote that the user can select if the feedback shall be anonymous or not while giving it. A well-designed system should store the feedback in the database with user name “Anonymous” or just the course ID, and the timestamp reduced to the day (setting the hour and minute to 00). In this way, it might still be possible to deduce the actual user by correlating courses and login times but this is the minimum of anonymization that can be considered state of the art.

      2. Roscoe*

        So, based on that, it really seems that its not a matter of YOU breaking confidentiality, since that is already there, its just a matter of you helping them figure out how to access the data they already have. Maybe reframing it that way will help you feel better. Because YOU aren’t really giving them anything new, they just don’t know how to get to it.

        And as someone said, depending on what the feedback was, it could very well be important.

        If they said “Professor X treats the POC students worse than the white students”, well I think that is important info to be able to follow up on.

        1. GammaGirl1908*

          I agree with your major point, but with the example of “Professor X treats the POC students worse than the white students,” you HAVE the information you need to follow up. Not knowing who said it doesn’t change the investigation you need to do.

          I view this as more like a mandated reporter situation. It is 100% critical to get specific immediately if the person is a danger to self, other, or a child. But with the example above, it’s inconvenient and more effort to have to start from scratch to do the necessary investigating into Professor X, but it’s not totally impossible to do without the student’s name.

          I don’t understand why companies pretend feedback will be anonymous if what they really mean is “we won’t look you up if we don’t care what you said, but all bets are off if we do care what you said.” As noted above, “confidential” is a better word for that. In the example given by the LW, it all sounds like it would be a little more work for the company to address the feedback without knowing who said it, but they could still address it.

        2. Kara S*

          But even with that, if a student was complaining about discrimination they are extremely unlikely to do so in the future if they thought a complaint was anonymous and it turns out it wasn’t. If I complained about something on that level, I’d expect those collecting the information would take the steps to solve the problem without needing to know my identity.

          The only situation I can really see needing to reveal who said something is if it was a direct threat towards someone else.

          1. Roscoe*

            I’m not saying I “agree” with the company, I mean it was a made up story. But my overall point is that they have this information anyway. OP isn’t giving them something they don’t have, just showing them how to access it. The company may be very shady by doing this. That said, if they choose to collect data, its not on the company to tell them what they can and can’t do with it.

            Years ago I worked with non profits, and I helped them move their data from one system to another. You’d be surprised (or maybe not) how many of them kept the social security numbers of people in excel files or something similar. We could advise them on best practices and say “keeping this information, even if its more secure, is bad, you don’t need this”. But at the end of the day, it was up to them how they wanted to use it.

      3. snoopythedog*

        If you *must* provide this info to the customer because your company has decided they aren’t going to enforce the ethical principles here, then perhaps you can suggest that the customer change the wording related to the survey. If data can be traced back to a user, it’s not anonymous. For most of your clients, it sounds like data is anonymized (as is collected in a way that’s identifiable, but with identifiers removed before someone sees it). If a client plans on requesting to know who said what, data is gathered in a confidential manner. This confidentiality concept then places the onus on the customer to act in an ethical manner in respect to the data.

        Part of my job is related to gathering information through surveys and I take due care to use the correct term when explaining our data collection protocols to clients and in the wording used with participants. Further to that, we spell out exactly what ‘anonymous’, ‘anonymized’, and ‘confidential’ mean. This might be one way to further the discussion within your own company to create clearer lines of responsibility around the confidentiality of the survey responses you collect and to have clear ethical boundaries and guidelines.

        1. Tinker*

          The name of the survey could be updated from “anonymous survey” to “you’d be naive to think this is actually anonymous survey”. If that’s already what is commonly understood, there shouldn’t be any problem in making the statement explicit.

    2. redflagday701*

      I know what you mean, but I really hate that — this idea that it’s incumbent upon the user to recognize that a promise of anonymity is ultimately bullshit. I mean, yes, we should all approach our relationships with businesses with healthy skepticism, especially in a realm like online privacy. But it’s depressing that we let companies off the hook so readily for not operating with more integrity, and offload the responsibility to consumers. A society where “You should just assume the things we say might be untrue” is acceptable is not a healthy society!

      1. PeterM*

        I agree with this. Any defense that boils down to “People should be smart enough to realize we’re completely untrustworthy!” holds no weight with me.

    3. EBStarr*

      Hmm… I feel like working for software companies is what makes me feel this is so egregious? Like, you either write user data to your database with the “anonymous” feedback or you… don’t. They do in fact have control over this situation.

      Of course it’s naive for an employee to assume their employer will actually respect confidentiality. But that doesn’t mean that they deserve to have their supposedly anonymous data shared completely non-anonymously with their company for the asking.

      1. Roscoe*

        Well, here is how I”ll put it. I work in ed tech, but granted the students are in middle or high school. In my opinion. OF COURSE teachers will be able to access anything students are doing while logged in. Like, it would be borderline irresponsible for our company to NOT make that possible. Now, I get that in OPs case this is college not high school, so its a bit different. But it just seems like one of those things where, the purchaser (School in this case) likely wanted to be able to access that information if needed. I don’t know that it is on the employees of the company to make the call about when it is or isn’t needed.

        1. EBStarr*

          Well, but you don’t tell the middle-school and high-school students their activity is anonymous, I’m assuming? (If you did tell them that, then I don’t think it’s really any different–it may seem obvious that teachers should be able to have complete surveillance over their kids’ activities, but that doesn’t make it ok to deceive users just because they’re kids. But it doesn’t sound like that’s what you’re doing anyway.)

          And I actually do think that employees of software companies bear some responsibility in how their products are used, FWIW. In general if an employee is asked to do something unethical, I believe they should push back as much as they can (taking into account their own situation, obviously) even if someone paid the company for it. For tech workers arguably even more so, because the scale of the violation can be so large — we also have a responsibility to at least try to build products that don’t encourage ethical breaches like this.

          1. Roscoe*

            But, as OP commented above, this information is always available to the customer. Its really just at this point about the company helping the customer access it. But its data that is collected anyhow. I feel like it is on the customer how they choose to use that data, not the company that stores and makes it available. Again, being in sales, I’m quite sure that this information was known to the customer (or at least it is stated in a license agreement), and possibly its part of the reason why they purchased, because they could access it.

          2. Roscoe*

            Also, at least in my company (not sure about OPs) the wording of such things is up to the customer (IE the people requesting this information). So if the customer wants to call it “anonymous feedback” or however they name it, when in reality its not, that isn’t on OP to decide.

            I think, no matter if some people find it sketchy (and it seems I’m in the minority that doesn’t), the customer in this situation is collecting the data to use, and all OPs company is doing is providing the software to collect it.

            Like, if I put out a google form, say its anonymous, but I can get the info anyway, that’s not on google to manage.

          3. PT*

            I was just reading an article about an ed-tech company that has a keylogger for all of the students’ activities, and if they hit enough “at risk” keywords in their documents, chats, or emails, a mental health strike team reaches out to them.

            I’m all for monitoring kids that age on computers because they behave like gremlins but that creeped me out.

          4. Zweisatz*

            I’m with you. If not the workers of software companies, then who? Sure if GDPR does apply, it should be easier to outsource the responsibility, but if protections like that don’t apply I sure hope programmers and software architects aren’t just like “It’s out of my hands.”

    4. Tinker*

      I mean, it’d be naive of me to think it technically infeasible for my ISP to gain access to my Amazon account and use it to order me a series of fifty-gallon drums of personal lubricant, but that doesn’t mean that if they did I’d go “oh hey, look at that, exactly the sort of result I expected and one that I have absolutely no problems with”.

  4. DarthVelma*

    The customer asking you for this info in unethical and your company is unethical for agreeing to provide it.

    1. Generic Name*

      I agree. And honestly, your company’s stance of “there’s nothing we can do” is more than a bit cowardly.

  5. EBStarr*

    Are you (and the customer and their employee) in the US? There are stronger data protections in many other countries so I hope your company is aware of that. I don’t know the details though.

    I personally think this is slimy and I think if you have any capital to spend on this issue, it’s worth spending it to push back. You’ll look back when norms have changed around worker protections/privacy (as I hope they will someday) and be glad you did.

    1. Brett*

      California says “Hi”. The data protections stemming from California’s laws are pretty stringent, and those become the de facto laws for US customers/companies just because so many companies have a presence in California. No exemption from those laws should be assumed without plenty of legal consultation.

      1. EBStarr*

        Good point, I forgot about California!

        And I mean, even if it’s legal, it’s really not OK. The company should not be in any way claiming things are anonymous, then storing them in databases without anonymizing it, then giving the deanonymized data out when asked, and then claiming to be “only a middleman.” They collect, store, AND distribute the data. It’s absurd to claim that the client company is somehow the one “doing” this when in fact the OP’s company is doing it. They (leadership at OP’s company) seem to think they have some kind of moral free pass on breaching users’ trust because, what, someone is paying them to breach that trust? Terrible argument.

    2. yasmara*

      GDPR applies to any company or organization who does business with a resident of the EU.

      I think there could be serious repercussions for providing personal and private data when a user has an expectation of anonymity. (Not A Lawyer)

      1. AnonOP*

        my company is based in Europe and we’re VERY on top of and concerned about any potential GDPR breaches – if a customer even breathes the words GDPR everyone comes running at full speed to investigate what might have caused this concern and how to fix it asap. I’m not an expert on private data laws in any way whatsoever, but I’m pretty certain that if this qualified as a GDPR breach my bosses would have had a much different take on the situation, which makes me think it isn’t.

        1. Brett*

          Most people think of GDPR breaches as someone hacking your system and obtaining personal data. But it is also a GDPR breach to have policies which enable a customer or client to access personal data to which they are not otherwise entitled without the permission of the affected individual.
          This is an area where better safe than sorry definitely applies. I deal with privacy issues in my line of work (CCPA, CCPR, and GDPR) and I would definitely reach out to company lawyers for approval before continuing with this kind of release that is not already explicitly covered by a policy.

        2. fhqwhgads*

          I’m not a lawyer, and definitely not an EU lawyer, but I also work in software. You mentioned in another comment the user has the ability to submit the feedback either anonymously or not, right? So based on my limited understanding and implementation of software-related GDPR compliance, that moment the user ticked the anonymous box? They said “you can’t have my identifying info”. So I would expect that not only saving that identifying info, but then giving it to your customer – whose system they were interacting with and explicitly denying permission to have their info – would probably be a violation.

          This might be just the argument you could use to get your boss to stop being so nonchalant about it.

        3. allathian*

          The customer company is probably in breach of GDPR. They shouldn’t claim a survey is anonymous when in fact it isn’t. Just the fact that the user isn’t informed about what personal data is stored about them in this anonymous survey probably constitutes a breach. Mind you, I’m not a lawyer but I sometimes process personal data in my job and when GDPR was implemented, every employee had to complete a course about it and it took at least a day to do (online, several modules).

          Your company may or may not be in breach of GDPR, but I think it needs to be investigated to ensure that you aren’t. The sanctions for violating GDPR can be pretty stiff. In severe cases it can be up to 10 million euros or 2 percent of the global turnover of a company, whichever is greater.

        4. Natalien*

          I’m pretty certain that if this qualified as a GDPR breach my bosses would have had a much different take on the situation

          Well, first off, I don’t think that’s a safe assumption at all. But secondly, if you’re right and it’s not a violation, then there shouldn’t be any problem with your compliance/legal department reviewing the request and approving whatever action your managers want to take.

          Someone elsewhere mentioned an ethics hotline, generally those are confidential if you don’t feel comfortable directly sending this to legal.

          1. Coder von Frankenstein*

            “…generally those are confidential if you don’t feel comfortable directly sending this to legal.”

            This may not be the best company to rely on that.

        5. Allonge*

          It’s almost certainly a GDPR breach – the survey repondents were supposed to get information on how their data will be processed and by whom. Unless you put ‘we can transfer your name connected to your specific reponse to Customer’, I would say you are on very shaky ground at the very least.

      2. MoneyBear*

        This was my immediate thought as well. I work for an international company, so we adhere strictly to GDPR. I would never given out anyone’s contact information without their explicit permission.

        LW, this may be above your paygrade but I think your company should review what data privacy regulations it must adhere to. There’s too much risk in not doing so, and I would communicate that to your higher ups.

        1. JustMePatrick*

          I was thinking the same thing. OP’s company must absolutely seek legal advice regarding this. The company risks of being involved in a lawsuit could cost them some serious $$$$$$$$$$.

    3. Purely Allegorical*

      Was coming here to say this. Depending on where your company is located, where your customer is located, and where/what type of data is stored this could well be illegal. Worth checking.

    4. HelloHello*

      Yeah, my first thought here was that the attitude of “whatever the client does with their data on our system isn’t our problem” could get you into a LOT of legal trouble if you’re holding the data of anyone in California or the EU.

    5. tamarack and fireweed*

      The thing that jumped out to me immediately is that in countries with stronger privacy protection than the US, it would be illegal to say that feedback is anonymous but the feedback not actually being anonymous. And if you hold personally identifying information (pretty much obviously the case if you have comments or feedback on your website) the owners of this information (ie, the people who are being identified) have the right to request (and obtain) deletion and alteration.

      I do hope that with the US being a smaller market than Europe, GDPR-like protections will start spreading to the US as well.

  6. Please make it stop*

    I recently completed an ‘anonymous’ survey for our company. However, the first question was what area code I work from. I assume this was to differentiate responses from our two main offices, but out of the 200ish employees, a handful including me work very remotely. Giving my actual area code 100% guarantees that my response is not anonymous. My department is also very small, so I assume on any survey I’m given that asks where I work, someone will be able to figure out it’s me. Fortunately, I don’t have anything bad to say, I really like my employer/boss/coworkers/etc, but wow would it be difficult to be honest if I didn’t.

  7. AndersonDarling*

    If the system states that feedback is anonymous, then providing that is a breach of trust with the users of the system. I hope this isn’t a system tied to healthcare, law, or other instances where confidentiality is at the core of business. The exposed user will tell their co-workers, and one of them may put something on social media about the breach of trust.
    You also run the risk of users interpreting the trust breach as an actual data breach and that is dangerous territory.
    Unless this is a “break the glass” situation where someone was reporting a crime/abuse or something where immediate intervention is required, then this is a terrible move. Not worth the risk. Not at all.

    1. Tidewater 4-1009*

      Not just social media – I would post reviews on TrustPilot, BBB, Yelp… the sites that come up when a person searches for company reviews.

    2. Abogado Avocado*

      Exactly what AndersonDarling says. OP: what you don’t say is what the interface states about anonymity re: feedback. Is there a statement that your company will keep all feedback anonymous? How does that square with the contract the customer signed to purchase the system? My sense is that your boss should run the customer request past Legal to determine whether releasing the commenter’s name to the customer doesn’t breach a legal duty to the commenter or whether refusing to release that name breaches the purchase contract.

  8. Pikachu*

    Shouldn’t this kind of scenario already be explicitly addressed in your software’s T&C/privacy policy?

    1. AnonOP*

      I think the problem here is that the users of the system aren’t *really* our customers. we’re a B2B company, so technically our customers are the companies themselves, and the users are
      their employees, who use the site we sell to their company. we give support to the people who manage the site after the company purchase it from us, and they’re the ones who basically manage the site and its users, so I’m not sure in this case if we’re the ones who should be giving users a heads-up on whether or not their anonymous feedback will truly remain anonymous or not.

      1. WellRed*

        ‘I’m not sure in this case if we’re the ones who should be giving users a heads-up on whether or not their anonymous feedback will truly remain anonymous or not.’

        No you shouldn’t be. You don’t have a relationship with your customers’ users. The customer does. I’m a little perplexed the system allows for users to provide feedback, but you receive the feedback not the customer. (I realize this way outside the scope of the question and anything that can be easily remedied).

        1. AnonOP*

          the customer does receive the feedback on their end though; they don’t have to come through us to see this information on their site. pretty much everything the user sees in the system on their side is what we see on our databases, with a few exceptions like this one. they don’t often reach out to us to get info off of our database because pretty much anything we can see they can see too, as the customers we provide support to are site managers for the system we sold them.

          1. AskJeeves*

            But if “anonymous” feedback is not truly anonymous because *your side of the system* is capturing the submitter’s data AND your company will share that data with the submitter’s employer at the employer’s request, then imo your company has an ethical obligation to disclose that to all users.

      2. Mental Lentil*

        That’s even more troublesome. It looks like they want to go after one of their own employees.

        Ugh. Just ugh. Both for your company and your customer.

      3. Des*

        This is even worse then if they’re going after their own employees.
        Are you by law required to keep track of the deanonymized data? Could you remove it completely?
        Does your ToS state that you are in fact keeping personal information on end-user in your database and nothing is anonymous?

        FWIW, this seems like it would go against the GDPR at least (with you as the data processor, whereas your customer is the data controller). I’m not a lawyer but I think you should check what you’re keeping track of and whether it is legal.

        1. TPS reporter*

          GDPR only applies to the EU. Let’s assume this is not the EU.

          The context is a business receiving information about their own employees who are posting on the business’ website in their employment capacity. It sounds like the OP’s company does not own the product once they sell it to the customer and, per the terms of the sale, that the customer is using the OP’s company as essentially a database administrator. The data held by OP’s company is not theirs- it is owned by the customer and they are there to hold it. I’m also going to assume for the sake of argument that the product is relatively benign. As in, it’s not the software that manages someone’s HR record or health information.

          If all of these things are true I am not saying it’s necessarily ethical but OP must respect the decision the company has made to allow this. OP can suggest a clear disclaimer to the commenter to ensure they know their comment may not be anonymous. At the end of the day, though, OP has to understand that they are a hired gun who really does have to do the bidding of the customer. If you don’t like it, which I agree with not liking, you can try to rise the ranks and change the organization. Or this will give you some valuable information about whether or not to stay with the company.

            1. allathian*

              Yes, and again, GDPR applies to every company or entity that does business with customers in the EU.

  9. RunShaker*

    I’m wondering is there a contract or data regulations in your industry? I thinking there would be a contract since you’re providing a product/service. If so, does the contract address anonymous feedback and what can and can’t be provided? Also, based on your letter, it didn’t sound like the issue was addressed from the standpoint of legal liability to your company based on what contract states. But I may have missed that……

  10. Kara S*

    “Our bosses reminded us that it should and will never be on us if the information we provide to the customer as requested is used unethically”

    Honestly I don’t really agree with your bosses’ opinion here. Your company offers this service under the assumption that anonymity is included; if a customer is requesting to use this information in a way that goes against what your company stands for, the company is responsible for how that information ends up being used. The way your bosses are speaking is as if your company has no choice in the matter and that the company’s actions are independent from how that information may be used which is not the case. It feels very unethical to pretend that the service is anonymous when in reality, it is only anonymous unless a customer asks for it not to be which means it is not really anonymous at all. Your company knows the risks and ethics involved with this and are choosing to go ahead anyways and I can understand why you do not agree with this.

    1. DarthVelma*

      Yup, the bosses here are full of crap. If you’re angry at someone and I hand you a gun, I don’t get to absolve myself of all responsibility if you shoot that person with it. After all, it’s not on me if you use it unethically. *rolls eyes*

      I work with data, including some with very strict confidentiality laws. This letter has me livid.

      1. Stormtomcat*

        I agree with your point of view.

        I don’t have your experience with data, I have sent & will send out such surveys. I’ve used professional capital and personal credibility to convince my audience to participate. If I were to find out that behind my back, my manager/IT department/anyone requested and actually obtained participants’ personal information, I’d be furious and super disappointed.

        Frankly, I feel that post Jan 6th, the argument “we just provide the tool” just doesn’t hold up as a credible position.
        It’s certainly naive and probably futile, but I’ve actually begun to raise the question at work if we can (and want to) still work with vendors who enable such practises.

        1. AnonOP*

          “I’ve actually begun to raise the question at work if we can (and want to) still work with vendors who enable such practises.”

          Bingo. That right there is where I’m concerned. I can see why we would require to save user info for anonymous feedback, but I still think we should, somehow, review if there is actually a need to share that information with our customers whenever they ask for it, because if we’re the cause of someone being unwillfully punished for a feedback, how much of a great company eve are we? the problem here is I’m not so sure that we have any ground to simply tell the customer how to manage their own data instead of instructing them to the best of our abilities.

          it’s all very complicated and I don’t blame my bosses for taking the stance they did, but it doesn’t change the fact that it left a bad taste in my mouth. the more I read the replies on this thread the more I think there’s no easy answer here – because there isn’t, really.

          1. pancakes*

            It’s not strictly the customer’s “own data” if they have to go through your company to access certain parts of it. This doesn’t seem that complicated to me: 1) Your company gathers and retains data that can be used to identify people who provide what is billed as “anonymous feedback,” and 2) it doesn’t appear to have any policies in place, nor clear agreements with customers, regarding when it will and won’t de-anonymize the data. There are some easy answers – for example, bring in ethicists to help craft policies around de-anonymizing feedback, and lawyers to craft clearer agreements with customers about this. It’s just that no one has bothered to pursue them.

            1. Darren*

              But do they “have” to go through the company to access it?

              Or is it part of the service that they don’t have to have a DB Administrator on staff that would have access to look into that for them as they can just request support from the vendor DB Administrator to access this data (and/or tell them how to do it)?

            2. English, not American*

              Access doesn’t equal ownership.
              If someone tries to send you a package but it can’t be delivered so you have to go get it from the distribution centre, someone has to go and get it for you but it was always your package.

              It’s the client’s survey in th, they’re the ones setting the questions and requesting responses.

    2. Nia*

      Yep the team lead, the manager, and the department head all suck. They can dress it up however they like but they’ve all decided the bottom line is far more important than behaving ethically.

      1. Roquefort*

        It’s not even the “bottom line.” If it becomes public that they happily provide identifying information to customers while promising employees their feedback is anonymous, that’s probably not gonna be good for the company’s profits.

    3. AndersonDarling*

      Yeah, unless the OP’s company received a subpoena for the data, then they are culpable.
      A company that is asking for something sketchy is going to do sketchy stuff. They need to have a contingency plan for all the possible outcomes.

    4. hbc*

      Even from a mercenary standpoint, I think it’s a garbage position. If I heard that our “anonymous” system provided identifying information, I would never use it as intended and if I was ever in a position to pick a new system, I would veto this one instantly. What’s next, an accounting system that lets you fudge numbers?

      I would take it as a benefit if my vendor took the stance of “We have info in case we need to identify threatening feedback and the like, but part of our service is that we will not release identifying information to you outside those extreme cases. It is in your interest that whatever curiosity you have about who hates their boss is not allowed to be indulged, because you will never get good feedback again.”

      Never mind the door you open if you sold this as anonymous and the *company* wants it anonymous but you let some random manager get the data. I’d say you lied about what you sold me, and a lawsuit might be involved.

      1. pancakes*

        Yes, agreed. These questions are fundamental to the vendor’s business and the privacy expectations of the users of the product. Addressing them only on an ad hoc basis is a terrible idea. At best, this will attract customers who are too inattentive, cheap, or inexperienced to grasp how problematic this approach is.

  11. Roquefort*

    There’s another scenario I think should be considered here: if the customer raises this issue with the employee in question in such a way that it’s blatantly obvious they know which “anonymous” feedback came from which person, and they decide to warn other coworkers/friends/social media followers/whoever about this, your company is going to become known as “that company that claims to provide anonymity but immediately gives up information when asked.” It’s not good press, even if it’s 100% legal in this case.

    1. AnonOP*

      honestly I didn’t think of this, but that’s a great point. I might raise this issue again with my team leader next week and see what he thinks.

    2. Allypopx*

      I think that’s what Alison was getting at with the Microsoft reference – things like this don’t stay secret long and public backlash is not pretty.

  12. ElleKay*

    I agree with Alison and I might add that this is something your company could/should write into a contract. Depending on the type of program you’re managing this may or may not be feasible but I’d want the contracting company (your clients) to have said, when they hired you “yes, we want this truly anonymous” or “no, we want access to user data if we request it”. This will CYA even more and will mean the companies have thought this out before someone leaves potentially problematic/concerning/etc feedback.

  13. Surveyer*

    Hey, I build survey programs and
    Typically if there is a way in the system to tie to the feedback to an individual identifier (name, email, account #), it should be called ‘confidential’ not anonymous.
    Anonymous implies there is no way to connect the feedback to a person.
    How your company advertises these feedback programs really matters, because some groups take this designation incredibly seriously.

    1. Human Subjects Researcher*

      I came here to say exactly this, as I also work in research with human subjects. (I know corporations play fast and loose with these words, but they do matter to people who care about ethically collecting information and feedback.) As someone whos is responsible for protecting people’s voluntarily given data, “anonymous” means there was never a link between the feedback and any personally identifying information. “Anonymized” means there was a link at collection, but you destroy the link so that no one could later reconnect person with feedback. “Confidential” means your name/id is linked, but the people responsible will protect your privacy and who can access it (i.e., not sharing what you said specifically with your employer).

      I would say, you could attempt to call what you collect “confidential,” but if your company is willing to hand it over upon request, even that word is inaccurate. I think you really need a disclaimer that includes when and to whom you will disclose identities is essential.

    1. RebelwithMouseyHair*

      What’s unethical about letting employees give feedback?
      The unethical part is pretending that feedback is given anonymously when in fact the firm is quite willing to give names.

  14. MiaMia*

    I am an educator, and we ask the students for anonymous class feedback near the end of January. And I tell them even though it’s “anonymous” and we don’t ask for your name, it’s done through google forms and could probably be un-anonymoused if needs be (like if their feedback sounds like an emergent cry for help). I try to remind them many times throughout the year that technology is pretty good at guaranteeing nothing is truly anonymous.

    1. Sleepy*

      A colleague insisted that we collect extremely detailed demographic data on student surveys in the name of equity, but then she pretty much just used it to identify which student wrote each response (there were about 10 demographic questions, not just the more typical race and gender). I do think her intention was honestly good, but the next time we gave the survey I removed most of the demographic questions before sharing it.

  15. Tidewater 4-1009*

    At my previous job they did “anonymous” surveys. Then they tracked down and punished some people who had vented. Of course, everyone heard about this.
    After that no one trusted the anonymity and over the next few years fewer people took the survey. I could tell by the increasingly desperate pleas to take the survey and assurances it really was anonymous… but all electronics can be tracked and we knew it.
    By the time they eliminated my position I’m not sure they were even doing them anymore.
    I stopped taking the surveys – don’t remember if they were the anonymous ones – because they were leading me to say the company was wonderful. I wasn’t feeling it and didn’t feel comfortable lying. I talked to my boss and he said he couldn’t guarantee I’d be protected if I answered honestly, so I stopped taking them.
    This wasn’t the only thing that made morale drop, but it helped. Other things were cutting costs and staff to the bone, centralizing everything without consideration for the effect on the work and staff, and the CEO making headlines for his egregiously large bonus in a non-profit helping field. By the time they let me go their GlassDoor rating was a full point lower than other companies in the field.

  16. cosmicgorilla*

    How was the request for feedback worded? If it stated that it would be anonymous, then hell no, it shouldn’t be passed on.

    My team sends surveys that fall into the “confidential not anonymous” bucket. This means that my team can see the names and responses, but we’re in effect a 3rd party that collects the data. We don’t have a stake in the game. The people and managers that interact with the customers, the ones the feedback is about, will NEVER see the individual data. Only summaries. The only cases where we will share any names is if the customer has checked a box saying “it is ok to share, and I am ok being contacted about it”, but we only share the portion that was ok’d.

    My WTF NO NO NO NO meter is screaming here.

  17. Brett*

    Oh, no, no no. Don’t do this without getting a lawyer involved who clearly understands the data privacy law implications of this.

    If that user name is in your database, on systems owned by your company and not the client company, you might very well be doing something that is illegal and opens you up to civil liability.

  18. dpc*

    “And if it really gets out, there’s a risk of public backlash…”
    The managers are very short-sighted and foolish for not understanding that they are risking the integrity of their product and their reputation. It seems like they don’t want to upset one client. Do they not think they should consider all their other current and potential clients? They are making a short-term decision that sacrifices their integrity.

  19. In my shell*

    OOph. This is tough, but if I’m your client you have no right to not provide the requested information, no matter how distasteful or legitimate your concerns are.

    1. In my shell*

      OP wrote, “I spoke up and argued that anonymous feedback is anonymous for a reason”

      OP, the problem is that you’re thinking like an employee rather than a vendor representative.

      1. Antilles*

        OP didn’t raise the issues with the client, she mentioned it internally to her bosses in a group meeting. And for internal discussion, yes, it’s absolutely fair for OP to think like an employee – raising potential privacy law concerns, reputational impacts, etc. Every job has plenty of times when the short-term “what is best for this individual client today” needs to be balanced with the long term view of “what’s best for our business long term”.
        As a concrete example here: Let’s say this company is specifically known and trusted throughout the industry as an exemplar of privacy and anonymity, so much so that people hire them specifically because of their discretion. In that case, the right call might be to hold firm on no, we cannot provide that information – because you’d rather irritate *one* client (this one) than have every other client suddenly start questioning your security and confidentiality practices.

    2. Allypopx*

      That’s not entirely true – they can have any number of internal policies that sources of anonymous data aren’t stored or are only accessible under subpoena as best practice of data security. They have plenty of rights, that line is not written in stone anywhere.

      1. pancakes*

        Yes – Trustpilot is in the news right now for refusing to provide this information to a client. See Feb. 10, 2021 BBC News article, “Trustpilot condemns legal action against reviewer.”

  20. PrivacyAnon*

    If this is any sort of whistleblower hotline/survey/information/etc, there are huge privacy implications that must be considered before even thinking about handing this information over. To be clear, you should never hand over this information! OP, your company’s first step is to consult a lawyer if they are even thinking about doing this. Like now. Source: I work for a company that handles whistleblower hotlines for other companies.

  21. mlem*

    “Our bosses reminded us that it should and will never be on us if the information we provide to the customer as requested is used unethically,”

    My company’s software is (I presume) in a different field, one with regulatory implications. If our customers use our software in improper ways *with our help*, we can absolutely be included in ramifications. That includes improper access to private data about *their* customers. In fact, for specific mis-uses of our product, we not only can’t help, we’re required to document our refusal to help, because our help could be interpreted as a form of marketing our product for those mis-uses.

    “We just provided the information our customer asked for!” is not always the iron-clad defense these bosses seem to assume, when it comes to software and privacy.

  22. Salad Daisy*

    Nothing is truly anonymous. I recently left a company then regularly sent around “anonymous” surveys. I always filled mine out stating that everything was rainbows and unicorns. One if my coworkers did not fill theirs out and got an email from HR reminding them to complete their survey. So much for anonymous!

    1. General von Klinkerhoffen*

      Yep, if I get a reminder about an “anonymous” survey, I won’t be candid when I complete it!

      1. anone*

        Many online survey platforms, like SurveyMonkey, can keep track of who has or has not responded to a survey without anyone being able to link that to specific responses precisely so that reminders can be sent in a targeted way. It’s automated within the digital platform so the person administering the survey through that platform can’t link responses to an individual or know who has or hasn’t done it. That might not apply to the situations you’re thinking about, but just as an fyi. Also, if that isn’t happening, you might also be getting a reminder because a reminder is being sent out to everyone, whether they’ve completed it or not, because there’s no way to tell.

        1. allathian*

          Yeah, this. It’s done precisely because reminders annoy people who have filled out the survey already. It depends entirely on who sent it, if it’s from an external survey company, the employer won’t know who has or hasn’t done the survey, unless they routinely check every employee’s inbox… And while it’s technically possible, it’s hardly a productive use of working hours, and in many places it’s actually illegal. I’m in Finland and even corporate email privacy is taken seriously here, basically it can only be breached with a subpoena or equivalent internal request for information when they suspect serious wrongdoing, such as somebody sending the company’s customer list to their private email to set up a competing business. For this reason, role emails and ticketing systems that by definition aren’t private are necessary to ensure that if somebody gets run over by a bus, their projects and tasks can be given to someone else.

  23. Elizabeth*

    A third option they have, as the OP noted, is to simply not store this information.

    Librarians don’t store patrons’ history of books checked out precisely so that it can’t be subpoenad.

    1. Roquefort*

      Seriously, I don’t see the point of storing this information if the survey is supposedly anonymous. Others have pointed out situations where there may be concern for an employee’s safety, but IMHO an anonymous survey conducted by a third party is not the appropriate venue to raise those issues (and if an employee feels they can’t share such serious problems anywhere except an anonymous survey, there’s a serious problem with internal trust, which is only going to tank further when employees find out that their feedback isn’t really that anonymous).

      1. Tidewater 4-1009*

        I was recently at a temporary data entry job where we entered surveys that had been filled out on paper and mailed in. They were not work-related and were sent to a very large and diverse population.
        One of the things we did was check notes written in the margins or edges, and alert a supervisor if there were any about violence or self-harm. I came across 4 notes in my time there.
        It’s not the appropriate way to ask for help, but people still did it. They might feel it’s their only opportunity to share these feelings.
        The survey was coded so the recipient could be identified if necessary, and my understanding was someone would contact the ones who wrote these notes.

        1. Tidewater 4-1009*

          So I think the point I’m trying to make is it’s good to have a way to identify the respondent, but that info should only be accessed to prevent violence or if there’s a subpoena.

    2. Seven hobbits are highly effective, people*

      This is the best design principle if you want to do anything with anonymous information. With modern digital systems it’s difficult to be truly anonymous, but deliberately not storing a name or identifier with the “anonymous” feedback provided is an easy first step.

      (Also not storing an exact timestamp to make it harder to cross-reference with access logs and various other things like that may be important best practices depending on what you’re trying to guard against, and I assume nothing I do online is every truly anonymous anyway, but not having an easy way to look up the name yourself seems like the very least you could do.)

      One of the reasons companies contract with 3rd parties for anonymous surveys is so that someone outside the company can clean it of all of those little identifying fingerprints before passing the results back to the company. If you’re administering an anonymous survey on behalf of a company that specifically asked you to administer the survey anonymously, it is in fact part of your company’s job not to de-anonymize the data for them. At the least, that should be something specifically addressed in your contract with them with some kind of process, also disclosed to the people taking the survey, about what circumstances may cause it to be de-anonymized.

      It’s best just not to keep the name links for anonymous data, though. You can’t turn over what you don’t have.

  24. Allypopx*

    I wouldn’t spend a whole lot of capital on this, personally. I agree it feels icky, and it would probably be a sore spot for me moving forward, but if you’ve raised the potential risks and your company has decided how they’re going to handle it…like Alison said it’s common enough that I’m not sure you’ll have much success. But it feels gross, I’m sorry.

    1. Roquefort*

      This is a good point. OP should absolutely raise legitimate concerns, but if the company’s determined that this is how they’re going to handle it, it’s not OP’s responsibility to save them from shooting themselves in the foot.

      1. Sola Lingua Bona Lingua Mortua Est*

        Exactly. You’re obligated to raise the first red flag. After that… can you whistle Suicide is Painless?

        1. pancakes*

          So long as we’re talking about obligations, careerism is quite common but it isn’t strictly mandatory.

  25. anone*

    You aren’t collecting anonymous data and you shouldn’t tell people providing their data that you are. If it were actually anonymous, it wouldn’t be possible for you to ever disclose their identity because you wouldn’t know who they are. You may anonymize the data when sharing it with clients, but you don’t collect it in an anonymous way. There are informed consent implications for this and honestly you may want to speak with a lawyer about whether there’s legal liability issues present.

    I gather data for clients as a consultant and part of the contracting process is determining what level of information will be shared. If I can’t collect data anonymously (e.g., I’m doing interviews and so I will of course know who people are), then I stipulate in the contract that I won’t disclose any identifying information. The people I collect information form are also told what will be done with it and who will see it. This is part of the ethical code for my profession.

    1. Human Subjects Researcher*

      I agree that these practices should be across-the-board and we should use terminology carefully. But in the US, there are not informed consent requirements for a lot of data that gets collected by corporations. Informed Consent/IRB rules apply only to data collected for research, which generally is not what corporations are doing. And even then, Informed Consent/IRB rules DON’T apply to corporate-funded research. From HHS: “There are many research activities that do not come under the Common Rule [which regulates protection of human subjects]. An example is research funded by private money such as research paid for by private companies, charitable foundations, or wealthy individuals. ….” In other words, governments and academics doing research have to follow established ethical guidelines to tell you what they are doing and get your OK first; corporations and rich people can do what they want.

      One of the most famous examples was the Facebook emotional-manipulation experimentation, which was research using deception and done without informed consent and was legal:

      A responsible company would establish a policy and communicate clearly with their clients what they will or will not share (as anone’s has). But it’s a decision to be made and there’s not a lot of legal liability (in the US) if you don’t.

  26. Fed anon*

    Please make sure a lawyer (hopefully one well-versed in privacy and/or employment law) is involved in this decision, this could open up a can of legal snakes. IANAL, but what if the information leads to the employee’s firing and they file a wrongful termination lawsuit and involve your company? And that’s not the only thing that could go wrong…

  27. Natalie*

    Maybe I missed this, but if your corporate counsel and possibly outside counsel with data privacy expertise haven’t signed off on this, they should before you do anything.

  28. Daisy*

    Our regulatory body requires a survey to assess various diversity criteria. Among other categories they ask the level of the person answering within the practice. As compliance officer I received all the anonymised data and having realised that we were showing as having one more partner than in reality was immediately able to work out who had ticked the wrong box by mistake and had a quiet word so she could correct it. Even if she had ticked the correct box I would have been able to spot her if I’d been hunting. There was nothing that there that was unknown to any of her colleagues, but in other circumstances she might have wanted to keep that information private from me as one of her employers.

  29. Cthulhu's Librarian*

    Talk to your bosses, and see if maybe you can insist on documentation from the CEO/CIO/ED of the client, before releasing this information.

    Because this strikes me as the sort of thing that an underling collating the responses to the survey might say they need, if something is personal to them, but probably, when running it up the flagpole, would get shot down over asking for (“No James, that’s not relevant for any purposes except retaliation, and we obviously don’t do that here”).

    Also, you should be able to sell it to your superiors as a CYA move for your company – so that if anyone ever says information was released that shouldn’t have been, you can say hold up that document saying “This release was approved by [Person In Authority].”

    Friends from the military say that doing this is pretty common, for the more morally ambiguous orders they sometimes get (think “of course sir, I’ll do that just as soon as you document the order.”).

  30. Name Required*

    It sounds like you disagree with a decision that isn’t yours to make, and that you don’t have total transparency on. It doesn’t sound like you are a legal representative for the company, the product manager for the software, head of engineering, or anyone else whose job description includes making these types of decisions. That doesn’t mean your feedback or comfort is unimportant, but ultimately, your company may also decide that your discomfort and your coworker’s discomfort isn’t a higher priority than whatever inputs they used to make their decision. Is this the hill you want to die on? It sounds like you’ve asked, gotten an answer, pushed back, gotten an answer, and want to go to bat a third time to argue for re-engineering what data is collected by the system in order to prevent an issue that has only happened once. Discomfort around something you’re not personally legally responsible for (assuming it’s not healthcare data or something like that) doesn’t explain, to me, this much attachment to the issue. Is there anything else going on?

    1. EBStarr*

      I mean… shouldn’t more of us be attached to resisting unethical actions being taken by any group that we’re a member of, even if we don’t have unilateral power to stop it? The world would certainly be a better place if we were. I think the word “discomfort” is kind of trivializing (and maybe that was intentional) — but OP thinks this may be unethical. They’re not going to bat for a nicer desk chair for themselves.

      1. Name Required*

        I used the word discomfort because the OP used the words “uncomfortable”, “uneasy”, and “doesn’t sit right” — I wasn’t intending to trivialize the OP’s feelings, but I don’t know that they should be a primary driver of the company’s business decision.

        This isn’t a unilaterally unethical issue that the company has decided to ignore to earn better profits, they seem to genuinely disagree with the OP that the data is theirs to make a decision with. Depending on the context of the feedback, it could really go either way on whether the most ethical position is to disclose the user ID (such as in a case of harm, which OP’s manager pointed out) or to not collect the user data (such in the scenario OP suggested, where feedback is used for retaliation) but that puts the company in the position of deciding whether they want to A) Never collect the data and risk being unethical in that they do not have the information to prevent harm, B) Always collect the data and risk being unethical in that the data is used by the entity that owns it to inflict harm, or C) evaluate accessibility to data they do not own on a case-by-case basis. The third one seems like the worst scenario, and the company seems to prefer the risk of retaliation over the risk of imminent harm. That doesn’t seem inherently unethical.

        1. EBStarr*

          Ah you’re right, the OP used these words too. My bad. I still think the issue is important enough that if the OP believes it’s wrong, they can’t really rest on “well it’s not my decision” — but I see where you got the word “discomfort”!

          For the record, though, there are easy ways to accomplish B) without any ethical dilemma at all — simply collect the data and tell the users that they’re doing so, right?

    2. Esmeralda*

      is it legal is not the same as, is it ethical

      The OP may care more about doing what is right, than what is strictly legal.

      Happened only once: well, to me that is not necessarily a strong reason. Happened once may = holy cow, we didn’t thing THAT would happen, we better fix it up so it never happens again. It could be, happened once = that’s so very unusual, I can’t imagine it every happening again. For this particular situation (client was identifying info from a survey that was presented as anonymous), I’d say — just knowing about human nature, as well as decades of working — for sure this situation is going to arise again.

      1. Name Required*

        This time, it sounds like it’s feedback from an employee to an employer that would put them at risk of discrimination or retaliation. Next time, it’s an employee to an employer saying they plan to blow up the office today and the employer is asking for identifying information to investigate an act of terrorism. It could go either way, and the company has to predict and make a decision they are most comfortable with ethically and legally.

        What might be helpful to collect the data and only provide it in context of a police investigation or something like that, update their system and reissue a T&C to their clients? I don’t agree that collecting the data in the first place is a Big Red Flag Ethical Breach. The software might also be used by clients that have to adhere to certain regulations or laws that require the data to be collected, and thus effect the availability of functionality for the entire system. Again, I just don’t think we know enough, and it doesn’t seem like OP does either, by nature of their position … I might be wrong there, just going off the data we have from the letter.

    3. Qwerty*

      This about more than the OP’s personal comfort – it’s an issue that the tech industry as a whole has been struggling with. The company thinks they have no liability when it turns they do (if from a PR standpoint even if they don’t get nailed legally) and Alison gave a good solution of just changing the wording in the app to no longer call it anonymous. Engineering requires responsible and ethical behaviors from all levels, not just the top.

      There is no re-engineering needed here. In most systems, this change would take minutes to implement, since all they have to do is drop a column from a DB and update the models. At most an hour total in dev time if the system is extra complicated, tightly coupled, or takes a long time to compile. I could give this task to junior dev. If there is a bigger re-engineering needed, then its because the system is already over-tracking users which is a bigger issue.

  31. Greige*

    If you’re keeping it associated with personally identifiable data, it never was anonymous. You should stop claiming it is, or stop storing the data that way.

  32. WonderWoman*

    From a user experience perspective, this is pretty terrible. It’s a very basic principle to help users understand what to expect from your system, and calling something anonymous that’s not truly anonymous is. . . effectively lying to users. In fact, some might classify this as “Dark UX.” Perhaps framing this as poor user experience or looping in your design/content team might help make your case.

  33. The Gollux, Not a Mere Device*

    Our bosses reminded us that it should and will never be on us if the information we provide to the customer as requested is used unethically

    You’ve already addressed the “should” here, but the “will never be” is an unsupported assertion, not a reminder. I am not a lawyer, and hope they have talked to a lawyer who specializes in this area–but “will never be” doesn’t just cover “we can’t be arrested for it.” They almost certainly can be faced with bad publicity of the form $Company violated my privacy” and “$Company lies about confidentiality, I wonder what else they lie about.”

    “Reminded” is interesting, because it sounds like they weren’t reminding you of a fact, but presenting an assertion for the first time. “Remember, we talked about this” is fine if “this” is “bills must be paid the week they come in” and a problem if it’s “Fergus, we talked about this, remember, you know the earth is flat” or “You know the Patriots are going to win the 2022 Superbowl.”

    If this comes out, and their best defense is “we didn’t violate the GDPR, we just gave the information to someone who misused it” or “yes we identified who made which comment, but we had no choice, they pay our bills, and besides, we’re not the ones who fired someone for complaining” it’s not going to look good.

  34. CJM*

    I’m retired now, but my employer (a huge, multinational company) used to email out surveys that were supposedly anonymous. But my email (and everyone else’s too, I’m sure) included a link and a warning not to share my link with anyone else because it was just for me. What?! They expected me to believe any feedback would be *anonymous* when the link left bread crumbs? I didn’t respond unless my honest opinion was anodyne.

    One of my favorite work memories is of my exit interview when I retired. The HR rep asked me what feedback I’d give upper management, and for once I didn’t hold back. I told her they kept announcing bold new plans without any follow-up, as if they wanted praise without doing any work. And they changed their minds a lot and gave us all whiplash. Saying all that felt pretty darn good.

  35. Khatul Madame*

    This is priceless. Even better if the system were used for 360° reviews.
    This letter tells you all you need to know about anonymous feedback.

    1. Tidewater 4-1009*

      Haha, I had a 360 review once and there was an especially pompous and egotistical man whom I identified right away by his writing style.

  36. TX Librarian*

    If I found out the company/service that did this, I would NEVER, EVER, EVER use them again and I would aggressively lobby to never acquire or discontinue the use of the service at my employer.

  37. Person from the Resume*

    Ugh! I have no more advice than Alison for the LW, but UGH!

    I assume the LW and their company created this software that the companies use. So it is on the LW’s company and designers that they call something anonymous feedback on the screen and then record the name of the person submitting feedback. That is NOT anonymous. That is what I could call a design flaw or a design lie. Clearly they know it is meant to be anonymous because the feedback was provided without a submitter’s name to the customer initially.

    Ideally it shouldn’t be stored at all. Ideally the LW’s company would inform their customer that the name of the user who summitted the feedback is not available because its anonymous.

  38. Kara S*

    I left another comment above, but OP I’m a bit confused by what your bosses mean when they say the client has access to this information already and your company just assists them with it. Can the client un-encrypt the information without your company? Or is this information intentionally anonymous and your client is requesting that you do something that is possible but is against the way your tool is intended to work? It seems like it’s the second situation which doesn’t mean that the client has access to this by default nor that the information is legally or ethically theirs. Just because they use your service to collect it doesn’t mean they automatically are entitled for it to be un-encrypted (unless the contract says this is the case, or your software is designed and advertised in a way I’m not seeing here). From an outsider perspective, it seems like your company provides something that is different than advertised to users which is where I feel this is unethical.

    1. Darren*

      I suspect the answer is that the client has access to the database backend and can run any queries they want on it (which can see the information on who did what response). However most clients when they outsource these kinds of functions do it so they can save the cost of the IT people that would normally run the system. As a result while they have access they don’t know how to use that access to answer the question but part of the contract includes the ability to get a certain amount of time per month of DB administrator assistance with the software (including generating new reports and querying data for the client).

    2. English, not American*

      It sounds like a “Software as a Service” model. At my workplace, we use two systems. One is SaaS, we have access to the pretty user interface and can use this interface to look at the data in preset ways. We can’t access any of the system database fields.
      The other is “on premise”, and we have access to the pretty user interface, but also the ugly back-end database. The user interface has e.g. our staff members by name and email address, the back-end database also has their Windows login ID and a system-specific user ID.
      I imagine OP’s company software does something like store a system-specific user ID with the survey data, which the pretty user interface can’t display but OP could see in the database and match it with the user.

      1. DarthVelma*

        Not just the lawyers. In my job I work with data that is covered by FERPA, HIPAA, and other state and federal privacy laws. My worst nightmare is having to stand up next to my state’s governor and explain how my agency let 10s of 1000s of people’s PII/PHI got breached or stolen or sent to the wrong people.

        Those concerns have only gotten worse as we’ve moved to more electronic communication due to COVID.

        Plus I do surveys (some anonymous, others only confidential). If someone higher up at my agency tried to force me to tell them who answered what on a survey, I would legit quit over it. (The ethical breach on it’s own would be enough. But it would also ruin a professional reputation for honesty that I’ve worked really hard to build.) So this letter kinda made my head explode.

  39. Can Can Cannot*

    If you do disclose the name, you should do two things first. 1) Let the person know that their “anonymous” feedback was no longer anonymous, and 2) Change any wording in your software to reflect that the feedback is NOT anonymous, and that their personal information can be disclosed.

    Even though your company is breaking their commitment to previous feedback providers, they should at least be honest going forward.

  40. Tex*

    OP, has your company’s legal team been involved with your meetings with managers? Are you sure this isn’t the department head going rogue in order to keep a customer?

    If you are in a large company, there should be an ethics hotline. If a smaller company with outside counsel, can you ask for a one on one meeting with legal to have your concerns addressed? Maybe, even if they are determined to go in the customer’s direction, the company can provide you with a written letter that releases you from liability.

  41. Lily*

    I know for a fact that in my country there are some legal situations where if you give out a certain kind of information you can be sued for all of the financial consequences. This doesn’t sound like that kind of data but I’d have a lawyer team specilized in data law check it. It smells illegal for Europe (which is where the letter writer is from)

  42. Pellegrino*

    Data privacy attorney checking in :) Echoing all the comments that your legal team should be involved to weigh in on this. Your contract with the customer will govern who controls this data and most importantly who is responsible for getting user consent and making all the required disclosures to users about what information is collected from them and how it can be used.

    Even IF your customer is in charge of this, this still sounds like a sketchy practice to somehow indicate that a user’s feedback is anonymous but still logging their identity. In that case, I would hope your company has a very strict agreement with the customer that specifies that the customer is responsible for any issues relating to them failing to make the right disclosures (or using data contrary to those disclosures.)

  43. Tired of Covid-and People*

    Anonymity can suck sometimes. My boss once got accused of submitting an anonymous grievance when I had done no such thing. I was pretty vocal about some things, but like I told them, I stand on what I say and anonymity is not my style. I don’t know if they ever believed me. Anonymous complaints usually generate a downright obsession with wondering who said it, and can generate an atmosphere of hostility and distrust. With workplace surveys, I just don’t do them. As this case shows, anonymity is bunk.

  44. Mr Jingles*

    The more I read about stuff like this the more I appreciate Europes (no longer so new) data protection laws.
    Yes it is annoying that I have to get wwritten permission from a staff member to use their email adress to send them forms they have verbally requested from me. But on the other hand: if a company tells me a survey is anpnymous they’re not allowed to store any personal data. They can link my surveys and comments to my IP adress and are allowed to hand that over for investigation in cases of fraud or other actions which are against the law but they can’t decide willy-nilly to save my data and give it to people just because they ask. My data can not be used without my permission for anything I’ve not explicitly opted in.
    Yes that made my company forego sending holiday greetings last year because the law was so new they couldn’t get permission to use our postal adresses that way but it wasn’t as big a hassle to write a mail to everyone asking them to check the newly added box on their internal profiles and this year everyone who wanted greetings got them again.

    1. Mizzle*

      I probably care more about data protection than most, so I won’t pretend to be representative, but: I think I would enjoy seeing my company do the right thing (first by *not* sending the card, and then by adding that box) at least as much as getting the card! :D

    2. PleaseDon'tStealMyID*

      Unfortunately it’s not handled uniformly well across Europe. Moving to Spain from Germany has been an eye-opener. I registered self-employment recently- the government office clerk wanted to send me the confirmation documents- with all my personal data and social security numbers etc. They didn’t check to see that their email system had auto-filled the recipient slot with the first best email address that started with the same letter as my name- consequently my data is is now fully known by a random opticians shop. When I wrote them they just said something like “Oups! Sorry, here you go, your documents.” Many more such instances have occurred in job application settings, opening a bank account- they simply include selling your data like it’s still the 1990s in their T&Cs that you tick in order to keep moving forward with the application or whatever procedure- CAn#T win and people here don’t care enough by far for it to change.

  45. DiscoCat*

    Whoa, dodgy! My feedback is my data, not the company I’m giving the feedback about! That is exactly why I don’t trust any requests for “anonymous” feedback.

  46. Urt*

    At the bottom of the whole thing is, does your customer have the users’ permission to store their personal data with you? In other words may you even store the users’ data in your system or are you in breach of data protection and should inform the users about the violation of their rights. Just because your customer has you use a form that collects the data doesn’t absolve you from being the culprit.

  47. learnedthehardway*

    I think that whether your client has a right to the information depends on what the nature of the service offering is (and likely what your contract with them states).

    ie. if the service is provided as an outsourced service that they would otherwise do themselves and that is seamless with their company, they should be provided all of the data generated, and they would have every reason to expect to receive all that data. In fact, there would be a good argument that if they were doing their own customer service, they would have access to all the data, including where anonymous comments come from.

    If, on the other hand, your service is something like Yelp or Google reviews, that is clearly separate from the company itself (ie. isn’t on their own website, doesn’t present itself as being connected with the specific company, and in fact has reviews of multiple companies), then I would say you probably should not be providing data about individual commenters.

  48. Quickbeam*

    I know this is at the end of the line but had to share:

    I started a new job where the orientation was horribly handled. It was January in a northern state and the room was 40 degrees per my jacket thermometer. The pregnant woman sitting next to me was blue. I trid to find someone to turn the heat on and failing that, did it myself. We were askd to fill out an anonymous survey as to how we felt the orientnation went. I raised my concerns. It was paper…. in the early 90’s

    A week later I was called in and fired. The HR person had my survey on her desk with a hand written notation “the woman who raised the heat in the room” on it. I was told they felt I would not be a team player.

    I’ve never filled out a company survey since.

  49. Essess*

    This is a question with big legal ramifications so your company should be contacting a lawyer to determine the legality of providing this information, rather than relying on the opinion of the department head.

  50. Akcipitrokulo*

    Your language “we can advise them not to breach general data protection guidelines” makes me suspect in area covered by gdpr? If not, this doesn’t apply – if you are, then you MUST NOT DO THIS.

    Not only the fines… which are huge… and the compensation you may have to pay if any of the employees sue you… and the loss of reputation… they can also ban you from processing any data. Apart from storing. They can shut down your company’s business working.

  51. User Researcher & Future Product Manager*

    TL/dr: Awful idea, but also they should already have had an answer to this question.

    What upsets me most about the team behind this scenario is that this isn’t an eventuality they had previously considered. When you’re building a system that handles sensitive information, you have a moral and practical imperative to understand what you’re going to do when someone attempts to circumvent the guards you have built to keep people safe.

    In my view, you should obviously say ‘no’–and I think, unfortunately, that people who have been in the industry for longer and therefore have more decision-making power may fail to understand just how egregious providing this information will seem to most people. But regardless of the call you make, that this hasn’t been planned for in advance is reflective of a much larger problem when it comes to handling sensitive user data…we don’t like to talk about these issues, and therefore we build systems that allow for morally dubious requests like this one.

  52. Ben Marcus Consulting*

    If your company offers itself as a solution to produce custom software, even if targeted at a specific niche, then I agree with the stance your superiors have taken. You’re role is to provide a product that allows for data collection and management.

    If your company offers itself as a complete platform for this niche, then their stance is at best incomplete. At that point, a complete platform solution should be providing higher level advisory on situations like this and with emphasis that this information should only be shared if there’s a legal, safety, or security based concern.

    Think of free tax software vs paid software that touts ‘protections’ against audit. There’s a reasonable expectation that the users of free software know what they’re doing and that the providers of the paid software are honest in their ability to help you file your taxes accurately.

  53. cassandra*

    I’m horrified when I hear someone make an argument that well, it doesn’t matter if it’s ethical or not, because WE aren’t going to be blamed for it, no matter. It’s not OUR responsibility, if we’re just doing what the customer asks. So much terrible has been done in the world because of people who let it happened because they didn’t think would get blamed for it. If something’s unethical, it’s unethical, and you shouldn’t enable it, regardless of whether you’re going to face consequences for it.

    I’m frankly a little shocked at how many people in the comments are defending the “customer is always fine,” even if they lie, cheat, and surveil, attitude. I understand that OP’s situation may be much lower stakes, but it’s this attitude that has led to so much of the Big Tech horrorscape.

  54. commonsensesometimesmakessense*

    I am not so sure your manager is correct on the point where she says that if the information is distributed and used unethically, it cannot fall on your company. If your database advertises that the feedback is anonymous, and it is not kept anonymous, I would assume your company could get in trouble for false advertising, at least if there was a way to confirm the information came from you guys. I do not know that for sure, but I think both companies are potentially playing with fire in this situation.

Comments are closed.