From:ÊEleanor LaceyÊ Date: 9 August 2014 11:43 Subject: SurveyMonkey Privacy Practices To: Juanita.Fernando@monash.edu Dear Ms. Fernando, I have read the letter that you wrote on behalf of the Australian Privacy Foundation to the Australian Privacy Commissioner, Mr. Timothy Pilgrim regarding concerns that you have about SurveyMonkeyÕs privacy practices. I am writing you to correct incorrect information that I believe you read in an article regarding SurveyMonkey published in The Australian. http://www.theaustralian.com.au/technology/surveymonkey-mines-details-for-database/story-e6frgakx-1227013229007?nk=8bf2b4abc14e2b4e947e3164413dfca7. We have contacted the journalist who wrote the article to ask that she correct the incorrect facts contained in the article. We have also proactively contacted the Australian Privacy Commissioner to respond both your complaint and the article that I suspect spurred your concerns. Today, The Australian published another article that more accurately describes our business and our commitment to privacy. http://www.theaustralian.com.au/technology/concerns-over-pcehr-survey-privacy-quelled/story-e6frgakx-1227017938803 Let me clearly state that SurveyMonkey does not data mine and we do not sell our customerÕs survey data to third parties. We are clear with our users that they own their own data and our privacy policy is very protective. I am aware that there has been a lot of discussion internationally about the safety of data stored in the US. ÊÊThe Patriotic Act has been cited in particular. The Patriot Act was enacted primarily in response to incidents of terrorism. In the absence of illegal activity, there is little reason for the US government to make a Patriot Act data request from our data facilities. In fact, over the past ten years they have never done so. There are laws that protect data held in the US such as HIPAA that specifically focus on health data. ÊThose laws are very prescriptive and SurveyMonkey has a HIPAA compliant product. But regardless the type of account our customers use, we protect their data and are committed to strong privacy principles. What appears to have happened is that the article that referred to data mining conflated two products that we offer. But even then, neither is a product from which we data mine. 1. Self-Service Surveys Ð end-users have private accounts where they can design, deploy, and analyze surveys and the survey data they collect. The end-user owns the data in the account. We do not mine that data nor do we sell it to third parties.ÊÊhttps://www.surveymonkey.com/mp/policy/privacy-policy/ÊÊ This is the type of survey tool that ÊDepartment of Health is using and they have stated publicly that they do not collect identifying information about the respondents. Our tool is specifically designed so that people can collect anonymous data if that is part of their research goal. Here is one of our help center articles that describes ways to make a survey anonymous http://help.surveymonkey.com/articles/en_US/kb/How-do-I-make-surveys-anonymous 2. Audience Ð Audience is the product that the journalist referred to in article that I believe you read. Audience is a market research product and is completely separate from our self-service survey product. ÊÊWe do not data mine from that product either. However, that product is used to support market research. ÊThe Audience product is one where people voluntarily agree to take surveys for market research.ÊThese people form a panel that we call Contribute. In the process of signing up to voluntarily take surveys, the respondent voluntarily supplies profile information about him or herself to SurveyMonkey. We do not data mine or sell that information. Instead, we use that information to ensure that we route relevant market research surveys to that person (and then the person can decide to take the survey or not). For instance, if the market research survey is about baby food, the survey should be routed to people who have babies. If it is about cars, it should be routed to people who own or are in the market for cars. For each survey the person takes, SurveyMonkey contributes 50 cents to a charity that has been pre-selected by the respondent. We do not data mine or sell a respondentÕs profile data in that product either and again, we are very clear in our privacy policy. https://contribute.surveymonkey.com/privacy We are a respectable and diligent company that cares deeply about privacy issues and would like to ensure that the record is corrected as soon as possible with you and with anyone else who has concerns about our privacy practices. ÊPlease let me know if I can answer any questions you may have. Regards, Eleanor Eleanor Lacey, VP, General Counsel & Secretary 101 Lytton Avenue, Palo Alto, CA 94301 O: 650-223-8373 ÊM: 650-207-2710 www.surveymonkey.com