Qualtrics Not Approved for P3/P4 Data



Institutional Review Board

Human Research Protections (HRP)




Version August 15, 2023


Update!! HRP wants our research community to be aware of the following. The enterprise license for the Qualtrics survey tool was extended for one last year on the UCI campus. With the last contractual negotiation for the enterprise license, the vendor did not agree to the terms in UC’s Appendix DS[1]. This means that Qualtrics is not approved for the collection of P3/P4 data. See below.


What Is P3 or P4 Data?

Definitions and additional information about protection levels are located on the security team’s data classification website. Some examples (not comprehensive) are included below.


Protection Level 3 (P3)


  • Student records (FERPA)
  • UCI personnel records
  • IT security information
  • Security camera recordings
  • Export-controlled research
  • Animal research protocols
  • Attorney-client privileged information
  • Industrial Control Systems affecting operations
  • Federal data that falls under FISMA
  • GDPR personal data (Article 4) when contained in large sets
  • Any data with contractual requirements for P3-level protection



Protection Level 4 (P4)


  • Personally Identifiable Information (PII) when statutory, where there exists an individual’s first name or initial, and last name, in combination with other identifying information (see the Protection Levels UCI IT site for details)
  • GDPR special categories of personal data (Article 9)
  • Financial aid information (also GLBA)
  • Protected health information (PHI), patient records
  • Personal medical information
  • Health insurance information
  • Protected health information (PHI), patient records (often also HIPAA, CMIA, CA IPA)
  • Financial, accounting, and payroll records when authoritative source for the university
  • Human subject research data with individual identifiers or other research classified as P4 by an Institutional Review Board (IRB)
  • Any data with contractual requirements for P4-level protection



I do have this data. What do I do now?

If you no longer need to collect P3/P4 data, please be sure to close out your survey, extract the necessary data that you need, store it in a secure location, delete the project and the data from Qualtrics, then notify your IT support team where you have stored the data. This is to keep our sensitive data inventory up to date. 


If you need to continue to collect P3/P4 data, you will need to work with your IT support team to fill out a security exception request form at https://www.security.uci.edu/program/exception/ and submit it to securityrisk@uci.edu.


If you have any questions, as noted above, please work directly with your IT support team.




Here is a quick overview of what vendors agree to when signing Appendix DS: 

  1. Agree to protect our data and not sell it or use it for other purposes without our permission 
  2. Have a documented security plan that we can evaluate 
  3. Have some evidence that they are following their own security plan 
  4. Tell us if they make major changes to their security plan, security posture, or have any significant security vulnerabilities in their environment 
  5. Agree to return and/or delete our data when the contract ends 
  6. Tell us (if they are legally allowed to do so) if there are any legal requests for our data
  7. Tell us if our data is breached, work with us to investigate, and bear notification and other costs as appropriate. A breach can also be grounds for termination. 
  8. Agree not to install backdoors or other illicit code in software or systems 
  9. Agree to perform appropriate background checks on employees that have access to our systems or data

