I would like to know how the deviceid values are created, especially if they are fully anonymized. I need to comply with GDPR for my project and I need to be sure I cannot trace back personal information of the users by receiving that info in the data form.
To clarify: I don’t have access to the operators’ devices and I don’t want to know their real identity. Still, for data management and processing it is helpful if I know which submissions belong to the same operator.
I’m the project manager of a citizen scientist campaign. I will share the form through the QR code (btw, that is a GREAT option) on web/social media. Every participant will use the settings of a basic account I created. I will have no direct contact with the participants but I will receive the forms with their deviceid metadata.
Main question: without accessing the participants’ devices, is there any way I can find out their real life identity? I prefer to not be able.
If I cannot find out their real life identity, that means I do not need to comply with GDPR and less paperwork burden,
No! This should not be possible unless you activate the metadata or use variables in your survey form that should capture the same. As shown above, metadata can only be captured properly if they are set (before starting data collection) in the Collect android app but if you still use Enketo, you may even miss those data.
Thanks a lot for your usually quick and efficient replies! The support forum here is run very well, much appreciated!
Sorry if I insist, but I need to be very careful about this for legal issues. Without accessing the participants’ devices, is there any way I can find out their real life identity if I receive the deviceid as metadata?
In this case i would say it’s not possible unless you activate the metadata for the project and the respondents also fill up the metadata details in their app (which is usually rare). If you however request them to fill up the same, maybe you could collect the metadata from the enumerators though.
I really need to follow up to be sure I am ok with GDPR. You know privacy issues are complicated and my employer is very careful:
How is the deviceid value created? Is there an internal algorithm in the app? It is assigned when you first connect to the Kobo online/cloud system? Is it still connected to the IMEI as it was before? How can it be unique for different devices?
Any technical answers on this will be helpful to satisfy my employer’s concerns, thanks!
I am sorry to follow up on this issue. GDPR and all the rest…
Can KoBoToolbox organization (potentially) retrieve personal data of the users (specifically unique phone details like IMEI or phone number) by using their Device ID? In other words, can KoboToolbox reverse the anonymizer algorithm and retrieve unique personal data from the device ID values (such as IMEI or phone number)?
I tried to read the source code but I have no clue.